Bulletproof privacy in one click
Discover the world's #1 privacy solution
Coming soon
Coming soon
Coming soon
One of the oldest and most effective methods of social engineering is used by just about every ‘brand’ of hacker, and that includes law enforcement and government operatives. It’s called ‘dumpster diving’. And though the concept is simple, the scope has broadened greatly over the last thirty years.
Garbage Day is celebrated by anyone looking to gather evidence against an individual. It provides an opportunity for a non-technical hack that is so simple that just about anyone can do it. But it yields results that can range from fingerprints to buying patterns, to friend networks, to sexual habits, to DNA evidence.
After you read this chapter, you will never look at what you throw away in the same way again.
Dumpster diving is a garbage day activity that consists of going through the things that someone discarded, looking for the target’s security details, private information that can be used against them, evidence of specific acts, or other patterns that can be analyzed.
This isn’t to be confused with the ‘fun’ version of dumpster diving, which is looking for valuable or useful things thrown away by stores. Nor should it be confused by the survival activities practiced by the homeless or disenfranchised.
Although the activity is called ‘dumpster’ diving, it applies to any container: Trash cans, recycling bins, leaf bags, and the like. The concept of ‘trash day’ evidence applies equally to recycling day, yard waste day, or any other waste collection process. Such schedules are generally public information and are easily planned around.
The social engineering version of dumpster diving has been enshrined into the legal system of most countries, with the results favoring the government or law enforcement side of the equation. France has muddled the picture a bit by outlawing what certain stores (mostly supermarkets) can throw out and by forcing them to find donation and recycling options. But for private residences, the rules are largely the same.
Often, legal systems have rulings similar to the U.S.’s California v. Greenwood, which says that there’s no expectation of privacy once something is put outside to be disposed of. Broadly, this covers all processes of eliminating waste, from trash to recycling to fluid disposal. Outside of specific county and city ordinances, CA vs Greenwood covers most states… but not Iowa. A 2021 state Supreme Court ruling made the practice illegal without a warrant, a decision that is likely to be argued for some time to come. Even in late 2023, it’s still being debated.
While most of these laws might be considered a boon for those who dive for things they need to survive, it is also a security and privacy nightmare.
Dumpster Diving For Legal Evidence
How common is dumpster diving for legal evidence? Incredibly. In fact, the 2011 FBI field operations manual specifically points the tactic out in section 11.4:
"A reasonable expectation of privacy may be terminated by an individual abandoning property, setting trash at the edge of the curtilage or beyond for collection, or when a private party reveals the contents of a package."
Individual police departments often refer to the process as a ‘trash pull’ or ‘trash rip’. Trash pulls are common, but they have to be done correctly to maintain the chain of custody. The procedure will vary from state to state. A ‘clean’ trash pull does not prevent more from being conducted in the future. In any given big city, narcotics officers will conduct several trash pulls per day. It’s considered quite a common tactic.
Just about any evidence is fair game, particularly if it’s to build probable cause for other warrants and searches. Some serious charges have been brought against people because of trash pull evidence. Even DNA results that applied to a manslaughter charge levied for abandoning a baby.
What about non-U.S. police departments? In the U.K., law enforcement officers frequently search rubbish bins, recycling bins, and garbage left in alleys without a police warrant. Front yards and gardens in plain sight are considered fair game, as well as any abandoned trash or recycling. Every once in a while, they even find a suspect in the trash.
And in Russia… you’re kidding, right? The cops in Russia can now search actual homes without warrants. They’ll do whatever they damn well please with your trash.
India’s relaxed search laws allow a full home search with just suspicion, as long as witnesses are present and the property owner is available. And this just requires witnesses if the residence is a shared multi-tenancy. No consent is required, and no warrant is needed. And all trash outside the home is fair game.
Australia has very similar rules to the United States, and there are even firms that assist in ‘trash intelligence’ analysis.
Needless to say, such a common and international practice should be so predictable that it’s almost completely ineffective, right? Wrong. For some reason, people have a blind spot for their trash and recycling. They’ll leave all sorts of information about their whereabouts, what they’ve ordered, and even honest-to-goodness directly incriminating evidence in a trash bag or recycling bin. Complete with fingerprints and sometimes DNA, as a bonus.
We’ll talk about some of the ways to protect yourself at the end of the chapter, but for now, let’s discuss how government hackers can use dumpster diving to infiltrate your devices and online accounts.
Dumpster Diving For Security Details
Most of the techniques we’re about to discuss go back to the 1970’s, at the very least. Dumpster diving can get everything from lock combinations to passwords, to internal phone numbers and extensions, to trade secrets. The term started to appear in the Oxford English Dictionary in about 1983 when the concept hit the mainstream.
Whether you’re reading a Turkish Air Force security bulletin or page 27 of an old FBI law journal, it should be clear that dumping any kind of operationally sensitive information in the trash is a bad idea. Every intelligence agency in the world knows that one of the least expensive, and yet most effective, ways to research a target is to go through their trash. and look for key details that they can use to figure out account names, passwords, and used applications that might have weaknesses to exploit.
This is called TRASHINT by some organizations. Old manuals, notebooks, diaries, printouts, business cards, and post-it notes are targets on the paper side of the equation… often nicely separated into their own clean, dry recycling bin. Media ranging from old hard drives, tapes from tape drives, supposedly broken thumb drives, malfunctioning solid state drives, CDs, DVDs, or other burned disks are all ripe for the picking if not properly destroyed before trashed. Discarded hardware such as Internet of Things devices, broken IP cameras, input devices, card readers, and smart docking stations can all be analyzed for configuration information that might lead to network topology or password data.
Even seemingly harmless trash can provide a wealth of information for a future break-in: What’s the household or business’ go-to fast food joint? What’s their most common delivery service? Who are the utility providers? Who is the property’s ISP? What kind of entertainment is consumed? Anything from packing slips to old pizza boxes to used napkins might provide this kind of information. Then it’s just a matter of creating the right fake ID, producing the right uniform, or creating a well-timed ‘emergency’, and then physical infiltration is a breeze.
A person’s trash is their recent history. And the higher the technology used to analyze that history, the more frightening the results: DNA from drink containers, travel patterns from dirt or pollen trapped in mucus found in tissue, buying habits from half an Amazon receipt.
Even relationships can be determined from dumpster diving: Who you know, who you love, who you hate, who you work for, and who you obey.
Whether it’s authentication information for computer security, premises information for physical security, or psychological information for social engineering, dumpster diving for security details has one of the most favorable cost-to-benefit ratios in Spycraft.
But what if the attacker isn’t looking for access? What if, instead, they’re looking for obedience?
Dumpster Diving For Blackmail Fodder
Blackmail is a tool as old as time, and every intelligence organization worth its salt knows the value of having dirt on somebody. Dumpster diving is a great way to determine if a target is doing something that may or may not be perfectly legal, but is likely to be socially unacceptable in their situation.
For example: Evidence of extra-marital affairs, sexuality that is different from public appearance, fetishes that would ruin a career, or even diseases that are being concealed can be found on a dumpster dive. Most of the above can be determined from a single discarded condom if it is analyzed by a decent laboratory.
Even just looking at the paper, one can find an absolute wealth of information: Proof of money that the target shouldn’t have, love letters from the wrong person, trade secrets that were recently leaked to a competitor, receipts from hotels that rent by the hour, ridiculously expensive concert tickets received in exchange for a ‘favor’, notes on jobs that don’t appear on any tax return, or even an angrily sketched out plan for violence that was thrown away once reason returned.
It can even be something as minor as what the target is putting into their body: A vegetarian YouTube influencer’s half-eaten cheeseburger. A supposedly clean star athlete’s discarded EPO kit. A single beer can or needle would completely negate a multi-year probation arrangement.
Any of the above can be used to turn a potential informant. With the right leverage gained from dumpster diving, or with enough follow-up on TRASHINT leads to yield corroborating evidence, blackmail is easy enough.
Given how devastating the results of dumpster diving can be, is there any reasonable defense against it? Yes. Let’s go into detail.
Defenses Against Dumpster Diving
Use a cross shredder: If it’s paper, it needs to be cross shredded. This includes shipping labels torn off of boxes. Invest in a cross shredder if you think you’re likely to be the target of an investigation. Everyone else should have, at minimum, a normal shredder. Yes, the results can still be pieced together, but it will at least detract the casual peeper. Anyone living off the grid: Be prepared to incinerate your documents. It’s always useful to have fire starters anyway.
Scrub all metals, plastics, and rubbers: If you’re concerned about DNA and fingerprint lifting, abrasively wash the surfaces that can produce such results before putting them into the recycling.
If it’s sexual, burn it: Things specifically designed to contain DNA (condoms, dams, etc.) should be incinerated, never thrown out. Old pornography, dirty correspondence, or drawings that you don’t plan to keep should also end up in the fire rather than the recycling bin or shredder.
If it stores information, magnetize and shred it: Neodymium magnets can be used on hard drive platters, firmware storage, thumb drives, credit cards, and magnetic storage tapes to scramble the bits. There are professional services that will use industrial shredders to destroy other electronics. If you can’t afford that, it’s back to the magnets, but use a hammer to smash anything that looks like a chip as well, before recycling.
When in doubt, clean it with bleach: For everything else, a splash of bleach and a quick scrub is better than no precaution at all.
And of course, use your common sense. Never donate or throw out unwashed clothes, even if it seems easier. Always check the pockets and compartments of anything you’re getting rid of. Envision ways that you would look for dirt on someone else, and try not to fall victim to those tactics. All it takes is a little bit of caution, and the effectiveness of dumpster diving is reduced drastically.
Garbage day is supposed to be the day when you can start fresh, not the day when your burdens and worries pile up and get used against you. Be aware of what you throw out, how it is treated beforehand, and the people who only seem to show up and hang around on garbage or recycling days.
Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
Chapter 14: IoT Hacks
Dive into the unsettling world of government-controlled GPS tracking!
Trash Talk: How your garbage can be exploited by hackers, law enforcement, and government agencies
It’s time to uncover how government surveillance gets personal.
Discover the world's #1 privacy solution
Coming soon
Coming soon
Coming soon