FTC Investigating Privacy Risks of Digital Copiers
Each time you use a digital copier, you may be storing documents or
photos on a hard drive that can potentially be accessed by identity
thieves who can use the information for criminal financial gain.
A 2008 survey on copier security commissioned by copier manufacturer
Sharp found 60 percent of Americans don't know that copiers store
images on a hard drive, so this is indeed a serious and widespread
problem.
Sen. Edward Markey (D-Mass.), who voiced concern about this issue in a letter to the Federal Trade Commission (PDF)
last month, said May 18 that the FTC is now looking deeper into this
problem and is working with industry manufacturers and service vendors
to close off worrisome security gaps in this sector.
In a response released by Markey's office
May 18, FTC Commissioner Jon Leibowitz said that his agency is well
aware of this issue and has distributed "business education material
instructing businesses to dispose of hard drives containing customer
information securely."
However, now the FTC will be taking more direct action than simply sending educational material to businesses, Leibowitz said.
"The FTC is now reaching out to copier manufacturers, resellers and
retail copy and office supply stores to ensure they are aware of the
privacy laws associated with digital copiers ... and to determine
whether they are providing options for secure copying," Leibowitz wrote.
It is certainly a problem that a great deal of personal information is
being stored -- and not able to be erased by customers -- on both
private and public machines every day. However, a larger issue is that
when these often-leased copiers are resold, the data residing on them
often isn't deleted and simply moves into the hands of a new owner.
Markey, in his letter to Leibowitz, cited a March 19 CBS News report that brought this issue into fine resolution.
"Nearly every copy machine manufactured since 2002 contains a digital
hard drive that functions like a computer hard drive, storing an image
of every document, scanned, copied or e-mailed by the copy machine,"
Markey said. "These machines often are leased and subsequently returned
after the lease period for further usage by other individuals or
companies.
'Many copier drives not wiped clean'
"Many copier hard drives are not wiped clean of the documents stored on
them after they are returned or otherwise disposed of, allowing
individuals -- including identity thieves and other criminals -- to
access the sensitive and private information and use it to commit
identity theft or other crimes."
The CBS News report
by investigative reporter Armen Keteyian was eye-opening, to say the
least. Keteyian visited a warehouse in New Jersey -- one of 25 across
the country -- to see how hard it would be to buy a used copier loaded
with documents. Keteyian found that it is "pretty easy."
On copiers that were reselling for as little as $300, documents still
intact on the hard drives included law enforcement information: details
about domestic violence complaints, a list of wanted sex offenders, and
a list of targets in a major drug raid.
On another machine, recycled from a New York construction company,
Keteyian found design plans for a building near Ground Zero in
Manhattan; 95 pages of pay stubs with names, addresses and Social
Security numbers; and $40,000 in copied checks.
On yet another machine, which had belonged to a New York-based
insurance company, there were 300 pages of individual medical records
-- including drug prescriptions, blood test results and a cancer
diagnosis. This is a potentially serious breach of federal privacy law,
CBS said.
FedEx Office has updated its retail copiers
FedEx Office, which has 1,800 locations in North America and is the
nation's largest retailer of copy services, is aware of this and has
specific policies to mitigate the problem.
"FedEx Office takes information security very seriously," FedEx Office
Acting Manager of Marketplace and Interactive Communications Sonya
Thorpe wrote in an e-mail to eWEEK.
"We have a dedicated
team that regularly evaluates and implements security measures for our business,
and we have a strict confidentiality policy in place and related training for
our team members. Our digital copy machines have built-in security options to
prevent subsequent retrieval of copies, so images (or scans) are erased from the
hard drives of these devices.
"In addition, the equipment suppliers we work with
have procedures and requirements that safeguard customer data, and our
agreements with them contain language on confidentiality. With technology
constantly evolving, we continuously follow the latest trends and work to
improve all our safety and security measures."
Editor's note: This story has been updated to clarify FedEx Office's policy on handling data stored on its copier hard drives.
