Data Theft Prevention and the Perils of E-Waste Disposal

Straight through the heart, no really, someone in the UK actually shot this.

Some thoughts on data destruction and security when disposing of your PC.

I’ve been meaning to write this article for quite some time, and recent research into bulk drive erasure and recertification has finally given me the impetus to produce it. I’ve known for quite a while that batch (automated) erasure/formatting of multiple SCSI drives (commonly found in servers manufactured through 2007) is far more complicated than it ought to be. Further research has led me to that same conclusion... and I’m going to save my thoughts on that for a later article.

The thrust of this article is that there are far too many people who are either careful to a level of paranoia or totally careless with their sensitive data and that there is, in fact, a happy medium.

House Rules:

It seems only appropriate that I bore you by first explaining our policies on data security, lest there be any ambiguity. We encourage, endorse, and practice DoD-level software wiping of all drives and support any client who seeks more stringent methods to meet legal or internal obligations. All hardware handled by Green Penguin, Inc. is managed in a secure facility with surveillance cameras throughout the building.

Where it is the requirement of the customer that their drives are physically destroyed, we aggressively comply with this standard, providing certificates of destruction and chain of command documents for all data-bearing articles entering our possession. All other hard drives we receive (both inside and removed from computers) follow a lock-step procedure that makes it impossible for a drive (or any of its sensitive data) to leave our office tested as working with a shred of recoverable data remaining — all working drives that come into our hands are DoD wiped, no matter what. In cases where drive malfunction prevents software wiping, the drives are drilled and degaussed. We encourage anyone, be they corporate decision-maker or private individual, to be very careful of how their hardware is handled once it leaves their possession, especially if they have not, themselves, been able to secure their private data as described a little later in this article.

On hardware disposal and data security:

There is a lot of mythology, mis/dis-information, and fear about data theft and data destruction that has led to some pretty screwy corporate policies and laws regulating the handling of hard drives at the time of decommissioning. For example, a lot of people and companies feel the need to go to great lengths to ensure that their hardware is physically destroyed with a powerful mechanical shredder, usually after degaussing, which, while providing a measured certainty of data destruction, is far from necessary. A far clearer explanation of this phenomenon than I could possibly provide can be found on Wikipedia.

I’m not saying that the aforementioned fears aren’t reasonable, but they ought to have nothing to do with actual danger of erased data being recovered. Distrust of external handlers and fears of incompetence (either internal or external) are far more reasonable concerns.

I recently did an audit of drives in computers we were acquiring from a prominent and reputable New England recycler.  The computers that we didn’t purchase were sold by the pound to someone who was no doubt sending them overseas to be dismantled in an even less secure environment. This audit confirmed further what I already knew from my time as a refurbisher purchasing machines from many recyclers, asset recovery specialists and computer repair shops — people are far too trusting in the handling of their sensitive data — in many cases important parts of your life are on that computer, ripe for the picking.

The data on most of the computers we acquired was not in any way secured, the hard drives were still in them and in most cases, the computers booted straight into Windows just as their previous owners had left them.  In one case, an HP Pavilion a712n Desktop PC came fully loaded with all of the stock-trading software, passwords and, though I didn’t press further, no doubt, bank account information as well (yes, I wiped that hard drive immediately using software listed later in this article). In other cases, it would have been very easy for even a novice hacker with some very basic tools to exploit the data left behind on people’s machines.

Your computer’s hard drive may have any or all of the following on it at any given time (including when you get rid of it if you don’t take the appropriate measures) — your web browsing history, passwords, personal photos, name, bank account information, home movies, website logins and who knows what else... everything you keep or enter into your computer. With that in mind, let me assure you that taking it to a recycling facility or municipal waste facility is not a guarantee that your data is secure. Fear not, for it is not doomspeak but hope that I bring you, and it’s easy.

I have in the past and will continue to advocate for the proper use of software-based data destruction, which comes down simply to knowing which tools to use and using them. Tools such as DBAN (Darik’s Boot and Nuke) and Active Kill Disk are fully available, easy to use and allow the user to easily produce something (floppy, USB stick or CD) which will securely and completely erase all data from all functional hard drives inside of the machine, simply by placing it into the machine, turning it on and pressing a couple of keys.
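A wipe is only as good as the check that follows it. As an added example (not part of DBAN, Kill Disk or the original article), this Python sketch spot-checks a drive image for leftover filesystem markers and structured data; the function names, the 7.0 bits-per-byte threshold and the sample images are assumptions made for illustration.

```python
import math, os, random, tempfile
from collections import Counter

# Well-known on-disk markers: (byte offset, magic bytes, meaning)
SIGNATURES = [
    (510, b"\x55\xaa", "MBR/boot-sector signature"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (512, b"EFI PART", "GPT header"),
]

def entropy(block):
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def audit_image(path, block_size=4096, step=16):
    """Return findings for a drive image; an empty list means no residue was seen."""
    findings = []
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(1024)
        for offset, magic, meaning in SIGNATURES:
            if head[offset:offset + len(magic)] == magic:
                findings.append(f"offset {offset}: {meaning}")
        # Sample every step-th block; step=1 reads the whole image.
        for pos in range(0, size, block_size * step):
            f.seek(pos)
            block = f.read(block_size)
            if len(set(block)) <= 1:   # uniform fill, e.g. a zeros or ones pass
                continue
            if entropy(block) < 7.0:   # structured data rather than a random pass
                findings.append(f"offset {pos}: low-entropy data")
    return findings

def make_image(kind, size=1 << 20):
    """Write a constructed 1 MiB sample image and return its path."""
    if kind == "random":               # stands in for a final random pass
        data = bytearray(random.Random(0).getrandbits(8 * size).to_bytes(size, "little"))
    else:
        data = bytearray(size)         # "zeroed" and the base of "unwiped"
    if kind == "unwiped":              # constructed residue, not real data
        data[510:512] = b"\x55\xaa"
        data[65536:65563] = b"user=alice;password=example"
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    for kind in ("zeroed", "random", "unwiped"):
        print(kind, audit_image(make_image(kind)))
```

Sampling can miss residue between sampled blocks, and compressed or encrypted leftovers look like a random pass, so a clean result from this check supports a wipe log but does not replace a full verify pass (`step=1`).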

This all begs the question of why I care. Aside from the simple fact that shredding drives directly increases e-waste by putting into the waste stream fully usable hardware, there are more personal matters afoot. Initially, the sentiment was a self-centered one. When I was running a laptop refurbishing company, hard drives were consistently the most expensive part we needed to complete the systems we were selling. Almost none of the machines we were acquiring came with them! Drives do often fail so, naturally, there should be some measure of demand for them. That said, they fail no more often than the other parts of a laptop in aggregate, so, in theory, given that they are generally considered a ‘stock component’, they should be widely available at a reasonable price, and they’re just not. This drove up our costs considerably which, of course, was irritating. Fast forward to a time when I no longer generally sell whole laptops... why should I care? Well, quite simply, hard drives are necessary for a computer to run. If there aren’t enough hard drives to refurbish the reusable computers out there, the costs of making them reusable go up and it becomes less worthwhile to facilitate that reusing. The end result is a measurable increase in the volume and rate of the e-waste stream. While it’s good for us in that it gives us something to strive for, we’d rather the problem not exist in the first place.

If you’ve got questions or comments, I’d / we’d love to hear from you.  We’re always looking for active partners and ideas in our unending quest for sustainable management of all waste.
