I recently cleaned out my father-in-law’s safe deposit box. There wasn’t much in it: just a diamond ring that hadn’t been worn in more than 30 years, and two birth certificates-one for him, and one for my recently deceased mother-in-law.
Years ago, a family’s safe deposit box might hold a treasure trove of goods and documents. Opening a box, you might expect to find jewels, stock certificates, or the deed for some long-forgotten property. But that time is long past. These days, we use bits inside a computer’s memory bank, not tokens of irreplaceable paper, to keep track of our life’s records and our net worth. Few people hold stock certificates; information about stock ownership is kept in brokerage accounts. Few officials insist on seeing an original birth certificate; a fax or a photocopy will suffice. Even interest in gold and jewels seems to be faltering: in the 1960s, my father-in-law told me, his father gave him a gold watch-as something to sell if he were ever out of cash and needed to eat. Such was the mind-set of people who lived through the Great Depression. But these days, few people buy jewels for their investment potential. Instead, jewelry and gold is mostly bought for enjoyment and show.
Today it is data, more than money, that is the lifeblood of our society. And yet more than three decades into the “Information Age,” data is something that we still don’t quite understand how to steward. Data is not physical, not something that you can lock away today and hope you’ll be able to access in 10 or 20 years. Large collections of data are almost impossible to safely maintain-especially over long periods. At the same time, data is just as difficult to dispose of properly. Indeed, individuals and businesses now have so much data in so many different formats on so many different computers that we are all heading for our own individual data catastrophes.
I once bought 10 used computers from a store that was going out of business. The machines were old and slow, but I didn’t care-I wanted them for parts and software tinkering. I took them home, and just before I wiped their hard drives I decided to see what was on them.
I couldn’t believe what I had stumbled upon. One computer had been a file server for a medium-sized law firm; with a few keystrokes I retrieved from its hard drive letters to clients, court filings and employee records. Another machine had been used by an organization that was delivering mental health services, and a third by a stockbroker: it had records of trades and account numbers, and more. Were I less scrupulous, I suppose that I could have had a lot of fun-and perhaps caused a lot of mischief-with the information that I had unwittingly purchased.
It’s easy to chide the now-defunct store for failing to protect its customers, but the sad truth is that removing sensitive information from modern computer systems is hard to do. As Oliver North learned during the Iran-Contra hearings, hitting “delete” is not enough. Instead, to properly clean, or “sanitize,” a hard disk, it is necessary to overwrite every single block of storage. This can take hours, and even then it doesn’t guarantee true erasure; readily available software tools can recover information after a disk has been “formatted.” Most people don’t bother sanitizing their computers before they throw them away: they just toss and pray.
My story isn’t unique. Over the years there have been news reports of used computers turning up with records from the federal witness-protection program, pharmacies and police departments. And it’s likely to be a growing problem: according to a 1997 study by researchers at Carnegie Mellon University, some 325 million computers will be obsolete by the year 2005. And that means a lot of potentially damaging information on the loose.
But at the same time that we are doing a poor job disposing of our data, we are doing an equally poor job of holding onto it.