A View from Simson Garfinkel
All Your Data Belongs to Us
Data servicing is another problem for data privacy.
The April 5 issue of the blog the Consumerist has an interesting article about a significant data-privacy issue that has long been ignored. In the article, reader Chris wrote to the Consumerist about a problem she (or he?) was having with an Apple laptop. Apple wants to replace the hard drive, and Chris wants the hard drive back because the old, broken drive has confidential information on it. The problem is that Apple’s policy (and most other companies’) is not to return the dead hard drives of computers being serviced. So Chris needs to trust that Apple will properly destroy the drive, or at least its data, and Chris isn’t so sure.
Chris isn’t the first person to experience this problem, of course; it’s quite common. A few years ago, my company had a laptop that was filled with confidential information. The hard drive died. We called up Dell for a replacement, but Dell wouldn’t ship a new one unless we promised to send back the old one. And, obviously, with all the confidential information on the hard drive, we wouldn’t send it back, either broken or intentionally damaged. So we ended up buying a new hard drive, even though the drive was still under warranty.
What’s to be nervous about? Well, there are many documented cases in which a reputable service center nevertheless allowed the data from a customer’s machine to leak back into the datasphere. Last year there were reports in the media about a hard drive that had been taken to a major electronics store for warranty repair, and it ended up being sold (with most of its data intact) at a swap fest.
When I was working on my PhD thesis, I spoke with a system administrator for a major electronics firm. The firm had a RAID array with a bad power supply. It sent the RAID array back to the manufacturer and was shipped a replacement. A few months later the firm got a phone call from a university: “Hey, we got your data!” Apparently, the university had also sent back a RAID array for service, and it had been sent the first array, refurbished with a new power supply, but with the original data still intact.
Also while working on my PhD thesis, I found a firm in California that did service for major computer manufacturers. Originally, the firm had a policy of wiping the “broken” drives before selling them on the secondary market. I bought a bunch of drives from the firm via eBay and was pleased to discover that they had all been blanked. But a year later, I bought another drive from the firm and discovered that it was filled with the original customer’s data. A bit of Web searching revealed that the service firm had run into financial troubles between the first and second sales.
There is no good way to ensure that hard drives returned for service won’t have their data leak out. Because of this, individuals and businesses returning drives for service must take precautions so that there is no confidential data on them to begin with. One way to do this is to use a cryptographic file system such as Apple’s FileVault. These systems ensure that all of the confidential data on the drive is stored encrypted: even if the service center gets your drive, it won’t be able to make sense of the data without the key.
What’s the other alternative? To make hard drives so cheap and easy to replace that there is no incentive to fix them. Although it’s difficult to get the hard drive out of my MacBook, replacing the drive in that Dell was downright easy: it just slid out. And these days, you can get a really nice laptop drive for about $70, not much more than it costs to send a laptop twice across the country by next-day delivery. Make it easy to replace the drive and rebuild the operating system, and it’s going to be cheaper for companies like Apple to just sell warranty customers a new hard drive at a discount than to worry about getting back the old drive to verify that the “warranty repair” was really justified.