Used Tesla Components Contain Personal Information

Used Tesla components, sold on eBay, still contain personal information, even after a factory reset.

This is a decades-old problem. It’s a problem with used hard drives. It’s a problem with used photocopiers and printers. It will be a problem with IoT devices. It’ll be a problem with everything, until we decide that data deletion is a priority.

EDITED TO ADD (6/20): These computes were not factory reset. Apparently, he data was intentionally left on the computer so that the technicians could transfer it when upgrading the computer. It’s still bad, but a factory reset does work.

Posted on May 8, 2020 at 9:46 AM12 Comments


TimH May 8, 2020 10:30 AM

Leglislation has to catch up first, at least in US. Plaintiff has difficulty showing damage in most cases. Leglislation needs to pass with the presumption being damage, and the onus on the defendant to show that none occurred as result of defendant being breached or incompetent.

Doug May 8, 2020 2:00 PM

@TimH – I realize that “damage” vs. “no damage” isn’t exactly the same as “guilty” vs. “innocent”, but there are certainly strong parallels. So, how would you imagine legislation “with the presumption being damage” would co-exist with the concept of “innocent until proven guilty”?


Robert Russell May 8, 2020 2:14 PM

@Doug – The ease and rapidity of which leaked personal information can be used to financially damage someone would allow for data security to be a strictly liable issue. Similar to say the case of transporting explosives, you are still liable for fines and damages if a crash happens, no explosions required.

Doug May 8, 2020 2:25 PM

@Robert – Strict liability still requires the claimant to prove that the tort occurred and that the defendant was responsible. What it eliminates is the need to show negligence or intent. But it doesn’t go so far as to include the presumption of damage.

It seems that what TimH is suggesting is that we take it a step further and include a presumption of damage under some hypothetical future legislation. And I’m trying to wrap my head around how that meshes with “innocent until proven guilty”.


Sancho_P May 8, 2020 5:35 PM


Damage and guilt are different concepts:
Damage will have a cause, but doesn’t require guilt (e.g. damage by lightning).
Guilt does not need damage (e.g. speeding).
– A law can produce guilt without damage.

Doug May 8, 2020 5:52 PM

@Sancho_P – Yes, I agree that damage and guilt are separate. (Although often related.)

What I’m trying to understand is how TimH’s suggested legislation “with the presumption being damage” fits within typical legal systems, most of which have a concept similar to “innocent until proven guilty”.

Under a system of “the presumption being damage”, I could file a legal claim that asserts that “Bruce Schneier has damaged me”, with no further evidence, and now Mr. Schneier has to defend himself against that claim. Shouldn’t the burden instead be on the person claiming that damage occurred?


Kai Howells May 8, 2020 5:59 PM

This is relatively easy to fix – modern smartphones do it well.
Have the storage on the device encrypted with a randomly generated key – even if this key lives in the storage controller. Then, to completely erase all onboard storage, all that needs to be done is to generate a new crypto key and this instantly (effectively) erases the data that’s already on the device. No needing to write zeroes to every sector of storage, no worrying about remapped sectors that may contain un-erased data.

Anon May 8, 2020 8:20 PM

…until we decide that data deletion is a priority.

Only intense pressure will make the manufacturer recognize deletion as a priority. They would rather you be paranoid about reselling, so that you institute or continue a policy of destruction. If you do, the manufacturer gets more sales; consumers are rarely bothered, once something has reached the end of its life, with the distinction between destruction, donation, or re-selling for pennies on the dollar.

lurker May 9, 2020 2:25 AM

I’m getting on in years, my eyesight is failing, but I couldn’t see anything in the linked article about data remaining after a factory reset. Unless Tesla’s recommendation to their techs that “hitting it with a hammer = reset”. The article recommended users do a hard reset -before- taking their car in for service, which apparently does erase PII.


… until we decide that data deletion is a priority.

The savvy OEM vendors will have a clause in the fine print that nobody reads, saying something to the effect that your data is your problem. If you wrote it to disk, then it’s your job to unwrite it.

Lax Datasec May 10, 2020 12:01 AM

Except when the manager got a large salary for very poor security, despite the admin repeatedly banging their head against the management wall each year after another failed audit, and their recommendations that the manager should:

  1. make the admin password more than 4 letters long
  2. the manager should not have the admin password
  3. the manager should not disable AV/Firewall so staff can download dubious files from links at work and various personal activities like social media or email
  4. the manager should enact a least privelages necessary and data security policy

for example

“medical testing company’s chief executive, chief financial officer, chief information officer and its board of directors failed to address “persistently deficient” data protection measures”

Medical companies and hospitals have left files sitting in buildings slated for demolision, or old hardware laying in skips and unsecured sheds.
Old hardware frequently goes up for sale with personal data still intact. There was another case froma hospital just recently.

Data from vechiles can reveal much to an adversary, especially during targeted campaigns by persistent threats. Still governments are slow to act on improving security and very quick to undermine it, which is promising for all the scumbags out there selling off your data to crooks, bent cops, spies, data brokers, companies, the Murdoch Press and groups like HackingTeam.

There is a chance that developments in “predictive analytics” will lead to a discovery that the only responsible security is strong security, though that policy for now is still mostly confined to nuclear launch facilities.

Sancho_P May 10, 2020 5:39 PM

@ Doug
(sorry for the typo!)

Yes, ”with the presumption being damage” it doesn’t work.
But it can be independent of damage, similar to my speeding example:
– You must not lose customer data.
Minimum penalty is xxxx, plus yyy for each dataset.

Mark May 11, 2020 9:32 AM

I wonder if GDPR’s deletion mandate with its massive potential fines might help with this, if e.g. an EU-based Tesla customer had their data leaked. It also seems like Tesla failed on multiple fronts here (not deleting and not encrypting at rest).

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.