This is the fourth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations. As always, your comments are gratefully solicited.
Give Away Your Computer
[Originally published in Law Technology News, July 2005]
With the price of powerful computer systems at historic lows, who isn’t tempted to upgrade? But, what do you do with a system you’ve been using if it’s less than four or five-years old and still has some life left in it? Pass it on to a friend or family member or donate it to a school or civic organization and you’re ethically obliged to safeguard client data on the hard drive. Plus, you’ll want to protect your personal data from identity thieves and snoopers. Hopefully you already know that deleting confidential files and even formatting the drive does little to erase your private information—it’s like tearing out the table of contents but leaving the rest of the book. How do you be a Good Samaritan without jeopardizing client confidences and personal privacy?
One answer: replace the hard drive with a new one before you donate the old machine. Hard drives have never been cheaper, and adding the old hard drive as extra storage in your new machine ensures easy access to your legacy data. But, it also means going out-of-pocket and some surgery inside both machines—not everyone’s cup of tea.
Alternatively, you could remove or destroy the old hard drive, but those accepting older computers rarely have the budget to buy hard drives, let alone the technician time to get donated machines running. Donated systems need to be largely complete and ready to roll.
Probably the best compromise is to wipe the hard drive completely and donate the system recovery disk along with the system. Notwithstanding some largely theoretical notions, once you overwrite every sector of your hard drive with zeros or random characters, your data is gone forever. The Department of Defense recommends several passes of different characters, but just a single pass of zeros is enough to frustrate all computer forensic data recovery techniques in common use.
Free is Good
You can buy programs to overwrite your hard drive, but why do so? Effective erasure tools are available as free downloads from the major hard drive manufacturers, and most work on other manufacturers’ drives. Western Digital offers its Data Lifeguard Diagnostic Tool at http://support.wdc.com/download. Seagate’s DiscWizard Starter Edition is found at www.seagate.com/support/disc/drivers/discwiz.html and Maxtor’s PowerMax utilities is found by drilling down from http://www.maxtor.com/support. DBAN (for Darik’s Boot and Nuke), a free Linux program, will also obliterate all data on a Windows system and is available at http://dban.sourceforge.net/. Each application offers bells-and-whistles, but all you’re seeking is the ability to create a boot floppy that can write zeroes to the hard drive. If your system has no floppy drive, each site also offers a boot CD image download.
Boot FLOPPY? CD image? We were doing fine until it became clear just how thoroughly we’ve abandoned yesteryear’s data transfer formats. Who has a floppy drive anymore? How many modern machines even have optical drives? Today, we download virtually everything.
Why a boot floppy or CD? Because no wiping program running under Windows can erase all of the data on a Windows drive. Running under DOS (or, in the case of DBAN, Linux) insures that no file is locked out to the wiping utility while it does its job. To this end, check to be sure that whatever wiping application you select “sees” the entire hard drive. If it only recognizes, say, the first 32 GB of a 40 GB drive, check your settings or use a different utility. Fortunately, these utilities are user-friendly and report what they see and do.
Wiping every sector on a hard drive is a time consuming process. Allow hours of (largely) unattended operation to get the job done, and if it’s an option, be sure to select a full overwrite (or “low level format”) and not a quick version. There are no shortcuts to overwriting every sector to sterilize a drive. Check to be sure there is only one hard drive in the system. If multiple drives are present, wipe each of them. Above all, understand that there is no turning back from this kind of data erasure. No Recycle Bins. No Undo command. No clean room magic. Be absolutely certain you have another working copy of anything you mean to keep.
An Important Courtesy
When you sterilize a drive, your privileged data obliterated along with the operating system and all applications. A wiped drive can’t boot a computer, but can return to service if you remember to donate the system restore disk with the hardware. For computers lacking restore disks, supply the operating system installation disk and any application disks you wish to donate. As long as you’re not continuing to use the same applications loaded from the same disks (or copies) on your new machine, your end user license is likely to be freely transferable. If the donated system came without disks, you or your recipient will need to contact the manufacturer and request a restore disk. If, as is often the case in larger firms, the operating systems are site licensed, it may be a violation of that license to share them. Your recipient will then need to purchase their own license or seek out someone who’ll donate an operating system. School districts typically have their own site licenses.
The System Restore Disk is another vestige from a decade ago that’s fallen by the wayside. Today, restore data tends to reside on a dedicated drive partition. Accordingly, it’s trickier to wipe a drive and preserve its ability to return to service. You have to wipe only the boot and data partitions without obliterating the restore partition.
Moreover, emergence of solid state drives has wrecked havoc with our ability to overwrite physical drive sectors. SSDs have their own on-board data management systems beyond the reach of software or the operating system. Fortunately, that means that data one can recover from a conventional electromagnetic hard drive is practically unrecoverable from an SSD employing wear leveling and TRIM.
Dodging Blasts from The Past
Be sure to caution your recipient that it’s very important to promptly download critical security patches and service packs for the restored operating system and applications. A restored machine is like a step back in time to when many now-closed security holes were wide open, so the recipient needs to slam these vulnerabilities shut at the very first connection to the Internet.
Help for the Helper
Worries about data security needn’t keep you from helping others by donating your used computer. For additional guidance, contact TechSoup (www.techsoup.org) or the National Cristina Foundation (www.cristina.org), and seek out — or organize — the computer donation program in your community.
I was pleased to see that both of these worthwhile organizations are still going strong and have done impressive work in support of their communities over the last ten years.
Clearing your donated, sold or discarded hard drives of sensitive information isn’t just good practice, it’s now also required by law. Effective June 1, 2005, the Federal Trade Commission’s Disposal Rule 16 CFR Part 682, requires businesses—including lawyers and law firms—to take reasonable measures to dispose of sensitive information derived from credit reports and background checks so that the information cannot practicably be read or reconstructed. The Rule, which applies to both paper and digital media, requires implementing and monitoring compliance with disposal policies and procedures for this information. Comments to the rule suggest using disc wiping utilities, but also offer that electronic media may be economically disposed of by “simply smashing the material with a hammer.” Sounds like a great stress reliever, but don’t forget your safety goggles!
Though the FTC requirement may still be news to you, the computer user of 2015 is better aware of the risks of identity theft than the user of ten years ago, yet much more vulnerable to risks old and new. Modern operating systems retain significantly more information than their predecessors and the average size of hard drives has grown ten- to one hundredfold in the last decade. The $150.00 40GB hard drive of 2005 is the $150.00 4TB drive of 2015. Today, a 32GB thumb drive is deemed a disposable; it’s the modern floppy disc.
The prevalence of sophisticated mobile devices has significantly remapped the distribution of sensitive personal data over the last decade. Fortunately, most mobile devices make it simple to destroy content and restore to factory settings. As well, sensitive data may reside in places over over which you have no physical dominion, like Google, Dropbox or other Cloud service providers. When giving away computers, be sure the computer is not still capable of automatically connecting to your cloud resources. Remember, it’s common for our devices to retain passwords and cookies supporting “keep me logged in” capabilities.