Data Security: What does it mean to “wipe” data and how secure is it?

Over the past several years, it seems we hear about data security breaches more and more often. When financial institutions get hacked, this is especially alarming.  Our SSN, bank account information, home address, etc. are out there in the hands of individuals that have bad intentions. But as consumers, we give out our information multiple times a day, usually in ways we can’t even imagine. The truth is, most of our information is already out there.  How many passwords do you have saved on your phone and computer? If someone got your phone, could they open a banking app, social media app, Nest thermostat app, and be “in” without entering a password? By the way, you should not have your password saved on a banking app on your phone for this very reason.  Take the two extra minutes to enter your password.

What ACE Recycling Does

The industry ACE Recycling is in is called IT Asset Disposition (ITAD). This industry is created around removing data securely, which makes sense considering all the data out there that would rock the world if it got out (think CIA).  More recently, it has become central to the idea of a circular economy and the purpose of disposing of electronic equipment in an environmentally responsible way.  Ensuring toxic materials are disposed of properly, materials are recycled for reuse to reduce the need to extract more is all part of ITAD. 

Environmental Impact

Like most things, electronic disposal and creation is a multi-faceted issue with enough information to write a book on.  Electronics contain many toxic materials, such as arsenic, mercury, and lead. They also contain elements that are in themselves not harmful, but the environmental and human cost of the extraction of those materials is steep.  Three of particular importance are cobalt, neodymium, and dysprosium. The latter are rare earth minerals. These are minerals found sporadically within the Earth, as opposed to being found in large seams like coal or copper. Therefore, they not economically exploitable and are rare in any given area.  With the pace of mining these materials accelerating as demand for electronics increases, they are becoming rarer and rarer.

The Human Impact

Cobalt is of particular concern because of the widespread exploitation of the people and the environment surrounding the mines. Cobalt is used for various electronics and is a conflict mineral (or conflict resource).  A conflict mineral is a natural resource extracted in a conflict zone that is mined and sold to perpetuate the fighting. The Democratic Republic of the Congo (DRC) harbors ⅔ of the world’s cobalt. Many mines in the DRC are small and unregulated, where child labor is widespread. What’s more, the political and ethnic dynamics of the region have resulted in violent armed conflict. This conflict is mostly financially supported by the mining and sale of cobalt.  For every new electronic device we buy, we are, in some way supporting militant groups and child labor.

In addition to this human cost, there is an environmental cost in creating new electronics.  Ten tons of carbon dioxide is emitted into the atmosphere to produce 1 ton of laptops.  By 2040, carbon emission from the production of electronics will reach 14% of total worldwide emissions. There is 100 times more gold in a ton of mobile devices than in a ton of gold ore.  Extending the life of electronics or harvesting the resources from them is far more sustainable than the current system. Not to mention has a more significant economic benefit then throwing them away.

Laws and Standards

Several data protection laws are in place at the Federal level.  The Health Information Portability and Accountability Act (HIPAA) protects your health information, while The Family Educational Rights and Privacy Act (FERPA) protects student education records. The Wiretap Act and the Electronic Communication Privacy Act (ECPA) protects your communications (electronic or on “landlines”).  Each state has laws in place to protect data at the individual and business level as well. In addition to statutes, The Department of Defense, National Security Agency, the U.S. National Institute of Standards and Technology (NIST), and various other institutions directly concerned with data security, have data destruction standards and policies. However, the go-to industry standard for data erasure is the NIST report Guidelines for Media Sanitization.

Techniques for Data Sanitization/Wiping

Media sanitization/data erasure/data wiping are all the same name for the process of making data on a device unable to be retrieved. The NIST report defines three categories of sanitization: Clear, Purge, and Destroy.  Clearing data is “logical techniques applied to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques.” Simply put, restoring your device to factory settings or using on-device standard Read and Write commands would constitute clearing your data.  These techniques can be applied by the average consumer, perhaps with a little help. Purging is “physical or logical techniques that render the Target Data recovery infeasible using state of the art laboratory techniques.” Purging data is what ACE Recycling does through a process explained below. Destroy “renders the Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for the storage of data.”  Physical destruction is the result here, removing the device from circulation.

What Wiping Data Means

Imagine a book.  Now imagine erasing every word from the book and writing over the pages with random letters.  If you think of the data stored on a hard drive like the pages of that book, you get an idea of data erasure. The hard drive is “overwritten” with random 1s and 0s (computer language). One overwriting pass “hinders recovery of data even if state-of-the-art laboratory techniques are applied to attempt to retrieve the data”; however, most programs use multiple passes.  The number of passes has become unnecessary with the inclusion of a “verify pass.” The verify pass scans for verification of data removal by selecting random places on the device to “check” for overwriting. According to the National Security Agency, data wiped using these standards is “permanently destroyed as to make any type of forensic data recovery impossible.”  Complete data erasure destroys all data, including operating systems. Your hard drive is never booted. Thus, there is no access to data during the wiping process.

ACE Recycling’s Data Security Procedure

ACE Recycling adheres to the Department of Defense and HIPAA specifications for data erasure, the foundation of which is the NIST report. We use a three-pass overwrite with verification, completed using software.  This verification comes in the form of a serialized print out of devices subject to the sanitization process. According to the NIST report, “verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality.”   In addition to the software verifying the sufficient wipe of your data, we check ourselves. ACE Recycling takes a random sampling of the devices that have gone through the sanitization process.

ACE Recycling Data Security

What is Best for your Organization?

The best way to answer this is to consider the level of confidentiality of the information on the device.  In general, if the device is leaving the organization’s control, as it would be if you have ACE Recycling disposition it for you, it should be purged and validated.  Both of which ACE Recycling does. Clear should only be an option if the device is remaining within the organization. Data wiping offers an alternative to physical destruction, allowing the hard drive to remain in circulation, reducing electronic waste and carbon emissions. The NIST report clearly states that “organizations should consider environmental factors” when disposing of electronic waste. For most companies, purge “may be more appropriate than Destroy when factoring in environmental concerns…” 

When to DESTROY

In general, destroy is an option only if the drive is not functioning or physically cannot go through the purge process. According to the NIST report, “The application of Destructive techniques may be the only option when media fails…other clear or purge techniques cannot be effectively applied…or when verification of Clear or Purge methods fails”. ACE Recycling adheres to this statement. Purge and Destroy achieve the same outcome concerning data protection. The main difference is the hard drive is taken out of the circular model when destroyed. In a genuine circular economy, items would be reused, refurbished, repaired, or consumption reduced, before the last resort of destruction. 

ACE Recycling is committed to the security of your data and a circular economy. The NIST Report outlines a path to achieve both. With a focus on reusing as many materials as possible, we are helping to lower technology costs, reduce environmental impacts, and make technology accessible to all.

More Information:

On Conflict Minerals-

http://conflictminerals.org/

https://enoughproject.org/special-topics/progress-and-challenges-conflict-minerals-facts-dodd-frank-1502

On Data Erasure-

https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf

https://web.archive.org/web/20160320074045/https://www.nsa.gov/ia/_files/government/MDG/NSA_CSS_Storage_Device_Declassification_Manual.pdf

Author: Shelby Maguire

Shelby earned a bachelor's degree at Lake Erie College in biology and a master's degree in education at Ursuline College, both in her home state of Ohio. She currently lives in Phoenix, AZ where she was a high school science teacher for 10 years. She left the classroom to run ACE Recycling with her husband, but is an advocate for education and a life-long learner. She is passionate about science and works to educate the general public about science, specifically environmental issues. She is a self-proclaimed science nerd who loves research. She and her husband John, have three small children.

What do you think?