A Pair of MIT Graduates Prove That You Must Erase Hard Drive Data
By Justin Pope
THE ASSOCIATED PRESS
CAMBRIDGE, Mass.—So, you think you have cleaned all your personal files from that old computer hard drive you are selling?
A pair of MIT graduate students suggests you think again.
Over two years, Simson Garfinkel and Abhi Shelat assembled a collection of 158 used hard drives, shelling out between $5 and $30 for each at secondhand computer stores and on eBay.
Of the 129 drives that functioned, 69 still had recoverable files on them and 49 contained "significant personal information"—medical correspondence, love letters, pornography and 5,000 credit card numbers. One even had a year's worth of transactions with account numbers from an ATM in Illinois.
"On that drive, they hadn't even formatted it," Garfinkel said. "They just pulled it out and sold it."
About 150,000 hard drives were "retired" last year, the research firm Gartner Dataquest estimates. Many ended up in trash heaps, but many also find their way to secondary markets.
Over the years, stories have occasionally surfaced about personal information turning up on used hard drives that have raised concerns about personal privacy and identity theft risks.
Last spring, the state of Pennsylvania sold to local resellers computers that contained information about state employees. In 1997, a Nevada woman purchased a used computer and discovered it contained prescription records on 2,000 customers of an Arizona pharmacy.
Garfinkel and Shelat, who report their findings in an article to be published Friday in the journal IEEE Security & Privacy, say they believe they are the first to take a more comprehensive—though not exactly scientific—look at the problem.
On common operating systems like Unix variants and Microsoft's Windows family, simply deleting a file, or even following that up by emptying the "trash" folder, doesn't necessarily make the information irretrievable.
Those commands generally delete a file's name from the directory, so it won't show up when the files are listed. But the information itself can live on until it is overwritten by new files.
Even formatting a drive may not do it. Fifty-one of the 129 working drives the authors acquired had been formatted but 19 of them still contained recoverable data.
The only sure way to erase a hard drive is to "squeeze" it: writing over the old information with new data—all zeros, for instance—at least once but preferably several times.
A one-line command will do that for Unix users, and for others, inexpensive software from companies including AccessData (a WhiteCanyon Reseller) works well.
But few people go to the trouble.
Garfinkel said users shouldn't be forced to choose between wiping their hard drives clean or taking a sledgehammer to them.
"There are ways of designing an operating system to make that problem go away," Garfinkel said. Indeed, future operating systems may make it easier. But many users like believing that, in a pinch, an expert could recover their deleted files. The resilience of hard-drive data is also a powerful weapon for law enforcement. As it turned out, most of the hard drives the authors acquired came from businesses that apparently have a higher but misplaced confidence in their ability to "sanitize" old drives. Individual users are more likely to simply toss their old drives into the closet, or try the sledgehammer method.
"Homeowners seem to understand there's not a lot to be gained by selling your 20-gig hard drive on eBay," Garfinkel said.
That jibes with the experience of Tom Aleman, who heads the analytic and forensic technology group at Deloitte & Touche and often encounters companies that get burned by failing to fully sanitize, say, the laptop of an employee leaving the company for a job with a competitor.
"People will think they have deleted the file, they can't find the file themselves and that the file is gone when, in fact, forensically you may be able to retrieve it," he said.
Privacy concerns worry Garfinkel, especially since the U.S. Supreme Court has held that the right to privacy doesn't apply to discarded items.
But what really strikes him is how many people he found bidding for old drives on eBay. He shudders to think what they want with them.Tagged: computer disposal, data erasure, privacy protection