An investigation by BIRN has revealed that many mobile shops in Kosovo buy and sell used phones without clear procedures for erasing personal data, leaving citizens’ private information at risk of being recovered and misused.
An investigation by BIRN has revealed that the buying and selling of used phones in Kosovo often takes place on the black market, where no strict rules exist to ensure that personal data are permanently deleted. As a result, citizens’ private information is at serious risk of being misused.
Across the country, second-hand phones and laptops are frequently traded without contracts, confidentiality agreements, or any formal documentation. This unregulated environment creates a high potential for abuse, as personal data stored on devices can easily be recovered and exploited.
BIRN visited at least ten locations where such transactions take place and found that none of the sellers or shop owners had any written procedures informing customers about their responsibility to delete personal information before resale. Instead, the entire process relies on verbal assurances that a device has been formatted and data erased at the time of handover.
Privacy experts warn of serious risks
Logos of some messaging and social media applications. Photo: EPA/RITCHIE B. TONGO
Experts in data protection urge citizens to use only licensed and certified businesses when servicing or exchanging their phones. They warn that informal street vendors and unauthorised repair shops offer no guarantees that sensitive information will be properly destroyed.
Officials from Kosovo’s Information and Privacy Agency, AIP, have advised citizens to destroy their old devices themselves rather than hand them over to unknown individuals who may be able to recover deleted data using specialised tools.
When asked by Kallxo.com whether they had received complaints related to data breaches resulting from the sale of used phones, AIP officials said that no such cases have been formally reported. However, they emphasised that both citizens and businesses have an obligation to protect personal information.
According to the AIP, citizens should always erase all data from their devices before discarding or selling them. Businesses that buy used phones are also required to delete any data found on these devices. Once the data are destroyed, the process should be recorded in writing, and the seller should be informed about what information has been removed.
AIP official Arbian Arifi explained that even when data are deleted, they can sometimes be restored with specialised software.
“There are specialised applications that can recover deleted data, so it’s often safer to keep or even discard an old phone rather than trade it for a new one, where its data could end up in the hands of third parties. Some specialised companies can restore data from technological devices. When repairing a phone, users should always give their consent for any access to their data.”
Arifi added that the agency has not found any mobile shops that maintain databases of personal information. Still, if such databases existed, they would need a clear legal basis and justification for data collection and retention.
“So far, we have not come across any mobile shop that has a written procedure for destroying personal data, its destruction is a regulated process—all mobile shops should have written policies in place when they receive such information from customers. They must ensure that any processing and destruction of personal data is carried out in full compliance with the law,” he added.
High-Profile individuals especially vulnerable
Illustration: Pixabay
Privacy experts warn that public figures—such as singers, members of parliament, judges, prosecutors, and online influencers—are at particular risk. If their devices fall into the wrong hands, access to their personal or professional communications could lead to targeted exploitation or blackmail.
Technology expert Kastriot Fetahaj advised that citizens should avoid selling their old phones to shops altogether and instead give them to trusted relatives or friends. Before doing so, he recommends performing a full reformat of the device—ideally repeating the reset process several times to increase security.
“Even after you delete your data, there’s always a chance that someone with the right expertise could recover it,” Fetahaj said. “The safest option is to reset the device completely, remove all accounts, and, if possible, repeat the process more than once. If you can, it’s best not to sell your phone at all—unless you’re giving it to someone you personally trust,” he concluded.
Business owners involved in the trade of used phones told Kallxo.com that they have not encountered cases where a phone was sold containing personal data. They claim that customers typically delete their information before handing over a device, and that when this does not happen, the phone is formatted and all accounts are logged out in the seller’s presence.
“No one sells a phone that still has data on it,” said the owner of one mobile shop. “Before the customer leaves, we make sure everything is deleted. We perform a factory reset and confirm that all accounts, like iCloud or Google, are removed. Only then is the phone ready for sale.”