A growing debate about the security of data has grown to include the computer recycling industry, which is now being asked to verifiably destroy data along with physical components.
Merely donating old computers to schools, libraries or other nonprofit organizations may become a casualty of the information age. The need to conform to regulations including HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm-Leach-Bliley Act requires financial and other health care institutions to ensure that no confidential data is exposed to public view, something that can occur if naked hard drives are resold to other organizations.
But the debate is also enfolding more traditional companies, who are just as worried about civil suits as their counterparts are about investigations from regulatory agencies.
A subset of the debate involves the best practices to destroy data, which can either include Department of Defense-compliant software that overwrites all data on a drive several times or an actual physical shredding of the disk platter itself. That debate may get resolved in November, when the board of NAID (the National Association for Information Destruction) will present its first recommendations.
More and more, industry sources say, enterprises are looking seriously at the problem. “Five or six years ago, our clients didnt have budgets allocated for this,” said Steve Forbes, a contracts administrator at recycler Gold Circuit Inc., based in Chandler, Ariz. “Now, there are entire budgets that have sprung up for asset disposition and electronic asset disposal.”
Even smaller nonprofit recycling firms are finding themselves swept up in the data-protection debate. Fortunately for them, the market for data-destruction products has become increasingly competitive, since the DOD does not offer any certification procedures for compliance with the 5220.22-M specification, published by the Defense Security Service, an agency of the U.S. Department of Defense.
Ron Norton, the owner of Carson City, Nev.-based ComputerCorps, said the nonprofit recycler has chosen a DOD-compliant software utility to wipe the drives before shipping them back into the community. “Data destruction has become much more important to us in the last few months,” he said. A number of the companies donating PCs allow the drives to be reused or resold, but theres “a lot of extreme caution,” he said.
At Gold Circuit, the enterprise-level recycler has 15 technicians who do nothing but wipe hard drives and upgrade systems, Forbes said. Gold Circuits custom-designed DOD-spec software utility can format a 40-Gbyte hard drive in two to four hours, depending upon the speed of the processor, he said. The drive writes to each sector of the drive, including the boot sector that normally is ignored by the OS.
“Data-destruction services first hit us in the financial sector; at that time, it was kind of a niche,” Forbes said, who said clients had been asking for data-destruction services as early as 1993 and 1994, when the company was founded. “Lately, weve been picking up [data destruction] contracts in the corporate sector.”
For many recyclers, data destruction has become another service that a recycler can turn around and sell to a client. “Its significantly different than our traditional business,” said Joe Harford, vice president of sales and marketing at Reclamere, based in Tyron, Penn., which also uses a custom DOD-spec software utility to wipe hard drives, while CD-ROMs and tapes are physically shredded. “We manage the equipment, we manage the data.”
In return, the recyclers provide their own certifications that the data has been destroyed. In addition to HIPAA and the Gramm-Leach-Bliley Act, companies have been asking for liability protection on homeland security issues. But contracts and certifications are negotiated between the recycler and client on an individual basis, with little oversight.
“I have to chuckle every time I see an ad for a DOD-approved facility,” Forbes said. “There is no such thing as a DOD approval certificate, no HIPAA cert. Even the EPA just puts out guidelines–youre in an EPA-approved facility; they have visited the facility, conducted an audit or tests, but theres no stamp of approval.”
In certain cases, the certifications are enough. With PCs that come from military clients, however, a representative will typically physically monitor the disk drives as they move through the facility, Forbes said.
The question is whether the sensitivity of certain data is worth overwriting with random files or physically shredding, or both. Phoenix-based NAID represents the companies involved in the destruction of data, the majority of which has traditionally been stored on paper and handled by document-shredding companies. But six to 10 companies have joined NAID as firms that handle the destruction of data stored on hard disks, according to Bob Johnson, NAIDs executive director.
The problem is that two of the most secure methods–erasing data via an electromagnetic field or physically shredding the drive–are unappealing because a recycler can not turn around and resell the drive, Johnson said. The other method, “erasing” data by overwriting it many times, may in fact ignore damaged sectors on a drive. These sectors can contain fragmented or partial files that may contain recoverable information but may be ignored by the host OS.
NAID held a teleconference with its members Thursday to try to resolve differences between those who favor physically destructive methods and those who favor software wiping. No accord was reached, Johnson said, although the industry organization will try to reach a consensus through an exchange of position papers and rebuttals before Nov. 29, when the NAID board will make a final recommendation.
“My sense is that were not going to say that there will be no role for software wiping,” Johnson said. Instead, perhaps each of the methods would be assigned a level of risk, he said.
Overwriting a hard disk a single time either with other files or with random bits of data is not good enough, as latent magnetism can reveal some or all of the information contained in the file, according to software vendors.
The 5220.22-M specification advocates writing every sector on the disk several times with nonrandom and pseudorandom data. Security expert Bruce Schneiers own algorithm writes the drive as many as seven times with the same pattern, using different values with each pass.
That means software vendors must in effect self-certify. George Pecherle, a spokesman for Oradea, Romania-based EAST Technologies and its Eraser products, explained it this way:
“Chapter 8 of the DOD 5220.22-M National Industrial Security Program Operating Manual (NISPOM) defines a method that is approved for sanitizing magnetic disks: Overwrite all addressable locations with a character, its complement, then another character and verify,” Pecherle wrote in an e-mail to eWEEK.com.
“Thats exactly what the DOD-compatible methods from our products do—actually one of them does it three times, so it is three times more powerful that the actual standard, and this method is approved by the U.S. NSA.
“Any wipe routine that implements the U.S. DOD specifications defined in the DOD 5220.22-M standard is called U.S. DOD-compliant. And because our Eraser products have such wipe methods, it means they are U.S. DOD-compliant.”
Redemtech Inc., based in Columbus, Ohio, charges $6.25 to $20 per base unit at its largest accounts, according to Bob Houghton, president and chief executive of the company. Like some of its competitors, Redemtech developed its own software utility to handle the DOD-spec overwrites.
“Based on our audits of conventional data destruction, one out of four hard drives still has data on it,” Houghton said.
Because data is overwritten bit by bit, software overwriting of data is more destructive than physical shredding, he said. Any drive that is nonfunctional, however, must be physically destroyed, Houghton said. Likewise, NAID believes that any drive with more than 10 defects on it also must be shredded, NAIDs Johnson said.
While the debate on data destruction will rage on, recyclers also have begun complaining of a chilling effect the practice has had on the traditional practice of recycling, which can either include reducing a PC to scrap or refurbishing it and reselling it to Third World countries, low-income families and others in need.
Recyclers complain that erasing the data completely off of a disk also erases with it the licenses to the software that was installed on the machine, meaning that there is no way to mine the discarded PC for software in the same way recyclers can strip out component parts and resell them for a profit.
Leonard Duke, a customer relations manager at ComputerCorps, said the recycler can easily source low-cost sound cards and modems from Internet vendors, but that software is another story. The problem is that many people still have a need for an old Pentium II PC, but the hardware wont run the latest operating systems, such as Windows XP.
“The licenses we had from Microsoft were mailed to us,” he said. “We were able to get beta licenses for a while with Windows 95, but you cant get those anymore. With [Windows] 98, we havent been able to get those for last four to six months. Its hard work trying to keep up. We feel that [Windows] 98 was one of the better OSes.”