Data Security: What does it mean to “wipe” data and how secure is it?

Over the past several years it seems we hear about data security breaches more and more often.  It is big news when millions of peoples’ personal information is stolen. When financial institutions get hacked this is especially alarming.  Our SSN, bank account information, home address, etc. is out there in the hands of individuals that have bad intentions. But as consumers we give out our information multiple times a day, usually in ways we can’t even imagine. The truth is, most of our information is already out there.  How many passwords do you have saved on your phone and computer? If someone got your phone could they open a banking app, social media app, Nest thermostat app and be “in” without entering a password? By the way, you should not have your password saved on a banking app on your phone for this very reason.  Take the two extra minutes to enter your password. It is for this very reason that the public is overly cautious about data held on a hard drive and companies are down right paranoid about it. It seems counter intuitive to hand over your laptop or computer to a company like ACE Recycling.     

Rest assured ACE Recycling has your privacy and data security at the top of our list of priorities.  We are consumers also. We also have hard drives at home and work and understand that sensitive data is on those devices.  When ACE Recycling takes your electronic device it is never booted up.  We never go into your operating system and quite frankly, we don’t want to.  We aren’t interested in your data, we are interested in the physical hard drive itself.  The industry ACE Recycling is in is called IT Asset Disposition (ITAD). This is an entire industry created around removing data securely, which makes sense considering all the data out there that would really rock the world if it got out (think CIA).  More recently it has become central to the idea of a circular economy and is increasingly built around the idea of disposing of electronic equipment in an environmentally responsible way.  This includes ensuring toxic materials are disposed of properly, materials are recycled for reuse to reduce the need to extract more. 

Environmental Impact

Like most things, electronic disposal and creation is a multi-faceted issue with enough information and discussion to write a book on.  Electronics contain many toxic materials, such as arsenic, mercury and lead, but they also contain elements that are in themselves not harmful, but the environmental and human cost of the extraction of those materials is steep.  Three of particular importance are cobalt, neodymium and dysprosium. The latter are rare earth minerals (or rare earth materials) which means they are not found in the large seams that coal or copper are found in, and are therefore, not economically exploitable and are rare in any given area.  With the pace of mining these materials accelerating as demand for electronics increases, they are becoming more and more rare. Cobalt is of particular concern because it adversely affects not only the environment, but also the people of the regions in which it is mined . Cobalt is used for various electronics and is a conflict mineral (or conflict resource).  A conflict mineral is a natural resource extracted in a conflict zone that is mined and sold to perpetuate the fighting. ⅔ of the world’s cobalt is found in the Democratic Republic of the Congo (DRC). Mining cobalt in the DRC is done in small, unregulated mines, where child labor is widespread. What’s more, political and ethnic dynamics of the region have resulted in violent armed conflict largely financially supported by the mining and sale of cobalt.  For every new electronic device we buy, we are in some way supporting militant groups and child labor. In addition to this human impact there is an environmental impact in creating new electronics.  To create 1 ton of laptops, 10 tons of carbon dioxide is emitted into the atmosphere.  By 2040, carbon emission from the production of electronics will reach 14% of total world-wide emission. There is 100 times more gold in a ton of mobile devices than in a ton of gold ore.  Extending the life of electronics and/or harvesting the resources from them, is far more sustainable than the current system of simply throwing it away, not to mention has a larger economic benefit.

Laws and Standards

Several data protection laws are in place at the Federal level.  The Health Information Portability and Accountability Act (HIPAA) protects your health information.  The Family Educational Rights and Privacy Act (FERPA) protects student education records. The Wiretap Act and the Electronic Communication Privacy Act (ECPA) protect your communications (electronic or on “landlines”).  Each state has laws in place to protect data at the individual and business level as well. In addition to laws The Department of Defense, National Security Agency, the U.S. National Institute of Standards and Technology (NIST), and various other institutions directly concerned with data security, have data destruction standards and policies. However the NIST report Guidelines for Media Sanitization is widely considered to be the go-to industry standard for data erasure.  

Techniques for Data Sanitization/Wiping

Media sanitization/data erasure/data wiping are all the same name for the process of making data on a device unable to be retrieved. The NIST report defines three categories of sanitization: Clear, Purge and Destroy.  Clear is defined as, “logical techniques applied to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques”. Simply put, restoring your device to factory settings or using on-device standard Read and Write commands would constitute clearing your data.  These techniques can be applied by the average consumer, perhaps with a little help. Purge is defined as, “physical or logical techniques that render the Target Data recovery infeasible using state of the art laboratory techniques.” This is what ACE Recycling does through a process explained below. Destroy “renders the Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for the storage of data.”  The storage device is physically destroyed and cannot be reused.

How it Works

Imagine a book.  Now imagine erasing every word from the book and writing over the pages with random letters.  This is what is done to a hard drive. The hard drive is “overwritten” with random 1s and 0s (computer language). One overwriting pass “hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data”; however, most programs use multiple passes.  The number of passes has become unnecessary with the inclusion of a “verify pass”, that scans for verification of data removal by selecting random places on the device to “check” the data is overwritten. According to the National Security Agency data wiped using these standards is “permanently destroyed as to make any type of forensic data recovery impossible”.  Complete data erasure destroys all data, including operating systems. Thus, the data on the hard drive is never accessed during the wiping process. ACE Recycling adheres to Department of Defense and HIPAA specifications for data erasure the foundation of which is the NIST report. This is a three-pass overwrite with verification, completed by the software itself.  This verification comes in the form of a serialized print out of all devices that were subject to the sanitization process and acts to, well, verify that the devices were successfully wiped. According to the NIST report, “verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality.”   In addition to the software verifying the effective wipe of your data, we verify ourselves. This is done by taking a random sampling of the devices that have gone through the sanitization process and hooking them up to a computer to verify they are completely erased.

ACE Recycling Data Security

What is Best for your Organization?

The best way to answer this is to consider the level of confidentiality of the information on the device.  In general if the device is leaving the organization’s control, as it would be if you are having ACE Recycling disposition it for you, it should be purged and validated.  Both of which ACE Recycling does. Clear should only be used if the device is remaining within the organization and even then there are risks involved. Data wiping offers an alternative to physical destruction, allowing the hard drive to be reused, reducing electronic waste and carbon emissions. The NIST report clearly states that “organizations should consider environmental factors” when disposing of electronic waste. For most companies, purge “may be more appropriate than Destroy when factoring in environmental concerns…”  In general, the destroy option should be used if the drive is not functioning or cannot be wiped. According to the NIST report, “The application of Destructive techniques may be the only option when media fails…other clear or purge techniques cannot be effectively applied…or when verification of Clear or Purge methods fails”. This is what ACE Recycling adheres to. Purge and Destroy achieve the same outcome with regard to data protection. The main difference is the hard drive is taken out of the circular model when it is destroyed. In a true circular economy items would be reused, refurbished, repaired, or consumption reduced, prior to the last resort of destruction. 

In this way ACE Recycling is meeting our commitment to contribute to the circular economy for the future of our planet by reusing as many materials as possible, while keeping your data secure.

More Information:

On Conflict Minerals-

On Data Erasure-