A View from Simson Garfinkel
Gathering Data from Trash
Sensitive information is accessible on discarded machines because we have no means of securely deleting it.
I have spent much of the past eight years of my professional existence working with information that has been inadvertently left behind on disk drives by their previous owners. In 1998, I started purchasing used hard drives sold on eBay; approximately a third of these drives contain significant amounts of confidential information.
In 2003, I published my first significant research paper on the topic, “Remembrance of Data Passed,” coauthored with Dr. Abhi Shelat (although at the time, we were just two MIT graduate students). That article discussed our findings resulting from the purchase of 150 hard drives. Since then, Abhi has gone on to other projects, but I’ve kept at it. Recently, I purchased and imaged drive #1236 (it was filled with personal e-mail).
One of my goals in all of this has been to effect some kind of large-scale social change. A few months after our 2003 paper was published, the U.S. Congress passed the Fair and Accurate Credit Transactions Act (FACT ACT) of 2003. Partly as a result of my research, language was added to the FACT ACT to force organizations to destroy consumer reports on paper or magnetic media before that media is discarded.
Unfortunately, passing the law wasn’t enough. First, it has a big hole in it: the implementing regulations specifically exempt companies that collect and resell used equipment. By not making these companies directly responsible for the damage they do, the regulatory bodies basically threw away what could have been one of the most important opportunities for enforcement.
The second problem is that today’s computers don’t have built-in “self-destruct buttons” for automatically wiping confidential data.
Despite a considerable amount of effort by me and others, we’re still seeing large amounts of sensitive information from businesses and governments leak out on discarded machines.
Recently, Wade-Hahn Chan of Federal Computer Week wrote that the Lawrence Livermore National Laboratory, in California, may not be properly wiping information from hard drives before they are discarded.
But in my work, it has become increasingly clear to me that the problem is that programmers and computer designers simply do not think that data deletion is a high enough priority that they should devote serious resources to solving the data-leaking problem.
For example, an Associated Press article by May Wong that ran last week says that many of the new digital photocopiers don’t wipe their hard drives after a scanned document is printed.
I use a Macintosh computer, and I’ve been very pleased with a Mac feature called Secure Empty Trash. However, Apple has added a new feature to its 10.5 operating system called Time Machine. With Time Machine, you can take your computer back in time to before the files that you have securely deleted were deleted, allowing them to be recovered. Does this make sense? It’s a problem, and I don’t think that Apple is addressing it properly. You can read about this in my recent article , “Complete Delete vs. Time Machine Computing,” published in the January issue of Operating System Review .