Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

I have spent much of the past eight years of my professional existence working with information that has been inadvertently left behind on disk drives by their previous owners. In 1998, I started purchasing used hard drives sold on eBay; approximately a third of these drives contain significant amounts of confidential information.

In 2003, I published my first significant research paper on the topic, “Remembrance of Data Passed,” coauthored with Dr. Abhi Shelat (although at the time, we were just two MIT graduate students). That article discussed our findings resulting from the purchase of 150 hard drives. Since then, Abhi has gone on to other projects, but I’ve kept at it. Recently, I purchased and imaged drive #1236 (it was filled with personal e-mail).

One of my goals in all of this has been to effect some kind of large-scale social change. A few months after our 2003 paper was published, the U.S. Congress passed the Fair and Accurate Credit Transactions Act (FACT ACT) of 2003. Partly as a result of my research, language was added to the FACT ACT to force organizations to destroy consumer reports on paper or magnetic media before that media is discarded.

Unfortunately, passing the law wasn’t enough. First, it has a big hole in it: the implementing regulations specifically exempt companies that collect and resell used equipment. By not making these companies directly responsible for the damage they do, the regulatory bodies basically threw away what could have been one of the most important opportunities for enforcement.

The second problem is that today’s computers don’t have built-in “self-destruct buttons” for automatically wiping confidential data.

Despite a considerable amount of effort by me and others, we’re still seeing large amounts of sensitive information from businesses and governments leak out on discarded machines.

Recently, Wade-Hahn Chan of Federal Computer Week wrote that the Lawrence Livermore National Laboratory, in California, may not be properly wiping information from hard drives before they are discarded.

But in my work, it has become increasingly clear to me that the problem is that programmers and computer designers simply do not think that data deletion is a high enough priority that they should devote serious resources to solving the data-leaking problem.

For example, an Associated Press article by May Wong that ran last week says that many of the new digital photocopiers don’t wipe their hard drives after a scanned document is printed.

I use a Macintosh computer, and I’ve been very pleased with a Mac feature called Secure Empty Trash. However, Apple has added a new feature to its 10.5 operating system called Time Machine. With Time Machine, you can take your computer back in time to before the files that you have securely deleted were deleted, allowing them to be recovered. Does this make sense? It’s a problem, and I don’t think that Apple is addressing it properly. You can read about this in my recent article , “Complete Delete vs. Time Machine Computing,” published in the January issue of Operating System Review .

2 comments. Share your thoughts »

Tagged: data storage

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me