We toyed with old laptops and inadvertently destroyed any hope of privacy

May 30, 2026

At the 2026 DataHarvest conference, my friend Pierre and I ran what we imagined to be a playful session called FunForensics. A few weeks before, we bought four laptops costing exactly 30 euros on second-hand marketplaces in Germany, France, Spain and Poland. We presented the computers, still in their shipping boxes, to the session’s participants, about fifteen journalists of all ages with no specific skills in digital forensics. They had 50 minutes to recover as much information as information as possible from the machines. We had a stringent code of conduct stating that absolutely no private information was to leave the room.

(Our idea was not novel, a German journalist did something similar in 2008.)

We imagined that participants would have at least a bit of a hard time. Instead, the ease with which they could pore through the private documents of the laptops’ past owners was frightening.

Only the Spanish hard drive was inaccessible, likely because I was scammed and bought a defect piece of hardware. Data from the other three was recovered, even though their past owners took steps to prevent it.

The owner of the Polish laptop, for instance, thought of cleaning their C: drive. They forgot to do the same for the D: drive, which contained the archive of a major hospital.

The owner of the German laptop took care of removing the old Windows users and creating a new one. Plugging in a USB stick with the Tails operating system, participants could bypass any hurdle and access the files that remained on the drive, including gigabytes of web browsing history.

The French laptop offers the most tragic case. After I bought it, the seller had second thoughts and offered to ship it without a hard drive. I said I needed it, but that they could take time to wipe it clean before shipping. After a few days, during which I imagine they looked for solutions and sought advice, they sent the machine which, indeed, felt like new. Alas, it took just a screwdriver and a SATA adapter to plug the old hard-drive to a modern laptop. A piece of software and 20 minutes are all it took to recover all the data the seller painstakingly tried to keep private.

After one hour of tinkering, we took the laptop back and gave them to a local charity who plans to use them to show local kids how to install Linux.

Had they had a couple more hours, the participants said, they could easily have reconstructed the lives of the laptops’ owners and, at least in the case of the Polish hospital, probably the lives of many others, too.

What should have been a fun and difficult exercise turned out to show that people cannot keep their data safe. Not because they are incompetent. All had taken sensible steps to protect themselves. The French seller in particular went to especially great lengths to ensure that they sent a cleaned machine. This was useless.

There is no technical reason for this tragedy. Microsoft could encrypt hard drives by default. There are precedents. Most websites switched from HTTP to HTTPS in the late 2010s, dramatically increasing the safety of all users. Regulators could, and should step in to ensure that it happens.

At a time when AI companies are increasingly hungry for fresh data to train their next models, a market for private, offline documents is emerging. Old companies are already being bought just to sell their text archive to Big AI. It is likely that old hard drives will be next. Their market value will go up, just as the value of our privacy crashes to the ground.

Photo: Toshiyuki IMAI / Flickr CC-BY-SA