Destroying Data

I’d like to update my thinking on the following question:

What is the responsible way to get rid of electronic information that one does not want, or that one has a legal duty to get rid of (like irrelevant personal information)?

Some of the alternatives:

  • delete the information from one’s drive. (unlikely to be satisfactory, since ‘undelete’ programs are readily available)
  • reformat the drive
  • apply a specialized ‘wiping’ program (one or more times)
  • destroy the drive physically
  • encrypt the data on the drive then destroy the keys

Ontario’s Information and Privacy Commissioner takes the view that the best way to properly get rid of (third-party) personal information that one no longer wants to hold, or that one is required by law not to hold, is to destroy the medium on which it is found — wiping disks “may not … irreversibly erase every bit of data on a drive.” [See the IPC Fact Sheet on secure destruction of personal information, Dec 06 PDF]

I am not aware of any instances in Ontario, or elsewhere in Canada, in which PI was improperly recovered from a wiped disk, though, so the Commissioner may be giving a counsel of perfection.

Likewise I know of no instance before any Canadian privacy commission where someone was sanctioned for inadequate destruction of electronically-stored PI. Do you?

Is there any circumstance in which it might be considered professionally negligent for counsel to recommend ‘only’ running it through a wiping program a few times to protect the information from inappropriate eyes?

Is there any circumstance in which a regulatory authority might find someone in breach of a duty of confidentiality for having ‘only’ run it through a wiping program a few times?

What do you recommend to your clients? Do you know of anyone (client or otherwise) who has ever had any problems with data thought to be destroyed by any method turning up again, either in the wrong hands or in their own (besides finding another source of its storage…)?

Comments

  1. Restoring supposedly-destroyed data is merely a symptom of the more fundamental problem; and it does happen more often than is reported. Two of many examples:

    In 2003 Alberta’s Privacy Commissioner released Investigation Report # H0252 which addressed the inadequate destruction of medical information from a computer that was ultimately resold. The information was readily available to be accessed by the next owner.

    Also in 2003, the Bank of Montreal’s asset disposal contractor was contractually responsible for ensuring the hard drives were properly erased. Two Bank servers were to have been scrubbed but, thanks to an “operational error” they were offered for sale, and were sold, without having been wiped clean. The purchaser quickly discovered account information, names, SINs, and other sensitive personal information on the servers. The event was reported in the media; whether the IPC waded in or not is moot.

    To claim that the low number of reported incidents is because there have been few incidents would be folly. From my 25+ years of experience in the field, it’s clear that (a) people are reluctant to report and/or ignorant of what/where to report a suspected breach; and (b) many people simply do not recognize when a breach has occurred.

    Contributing to the problem is the frequent lack of coordination between operational network and local systems and back-up systems, and with hot/cold backup sites. Users might think they’ve deleted all information — without knowing that it’s just been backed up to an offsite storage facility.
    At least there’s a modicum of data containment in those circumstances.

    Far less controlled is data on obsolete systems. “E-cycling” roundups routinely receive computers that have not been wiped in any way. I’ve interviewed many of the donors, each of whom assured me that “there’s nothing important” on the system, “just family stuff, like old tax returns.” And these donors are many of the same people who work in our governments and industries and are responsible for safeguarding sensitive information. Has any of them ever reported that information from the system they donated was used inappropriately? Would they even know? And without that knowledge, how would they be able to file a complaint to be investigated?

    Unfortunately, in government and private sector organizations across North America the level of ignorance about these issues continues to be extremely high — and therefore the risk to sensitive personal and corporate information continues to be high. And when the decision-makers in industry and government don’t understand the fundamental issues, they don’t take it seriously or give proper funding or support to Access and Privacy Professionals, document management programs, or training and awareness programs to increase knowledge and reduce the risk.

  2. I suspect the privacy commissioner takes the view the media should be destroyed because that is most likely the safest method to ensure the data cannot be recovered — I don’t know if they have done any technical research into this, but it is available if one searches.

    There are two main problems with the media of today with respect to the secure wiping of data. The first is the file system itself. Most file systems are ‘journalled file systems’ and these types of file systems are often installed by default. File systems such as Ext3, ReiserFS, JFS are some examples. In short, journalled file systems have advantages for power failures and crashes while data is being written to disk, to allow easier recovery. They also have the disadvantage of being difficult to securely wipe the data. As an example, one typical program called ‘shred’ contains this information right in the manual.

    “CAUTION: Note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption. The following are examples of file systems on which shred is not effective, or is not guaranteed to be effective in all file system modes …..”

    The other reason is the media itself. Most of the hard drives and media of today abstract the actual address locations from the operating system. So for example when an operating system writes to cylinder 3, track 2, sector 1, the next time it writes to cylinder 3, track 2, sector 1, it is possible that the hardware uses a different area, and marks the old area as deleted. Doing things at the hardware level like this does permit possible recovery using forensic techniques even if a program was used to securely wipe the data.
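The remapping described in the comment above, shown as an added illustration that is not part of the post or any commenter’s material: a hypothetical toy block device (`RemappingDevice`, 16-byte blocks, a constructed sample record) that hands every write a fresh physical block, so shred-style passes through the file interface leave the original bytes on the media, while a whole-device overwrite that bypasses the mapping, plus a raw-media verification check, does not.

```python
import os

BLOCK = 16  # toy block size in bytes (assumption, chosen for readability)

class RemappingDevice:
    """Hypothetical device: each write lands on a fresh physical block, as on
    wear-levelling flash or a journalling / copy-on-write file system."""
    def __init__(self, physical_blocks):
        self.phys = [bytes(BLOCK)] * physical_blocks  # raw media, all zeros
        self.free = list(range(physical_blocks))      # free physical blocks
        self.map = {}                                 # logical -> physical

    def write(self, logical, data):
        assert len(data) == BLOCK
        new = self.free.pop(0)
        self.phys[new] = bytes(data)
        old = self.map.get(logical)
        if old is not None:
            self.free.append(old)  # old block is marked free, NOT erased
        self.map[logical] = new

    def read(self, logical):
        """What the operating system sees: only the current mapping."""
        return self.phys[self.map[logical]]

def residue_blocks(dev, needle):
    """Forensic-style scan of the raw media, ignoring the logical mapping."""
    return [i for i, blk in enumerate(dev.phys) if needle in blk]

def sanitize_device(dev):
    """Whole-device overwrite that bypasses the mapping (a full-drive wipe
    or firmware secure erase, as opposed to wiping one file)."""
    for i in range(len(dev.phys)):
        dev.phys[i] = bytes(BLOCK)

def verify_wiped(dev):
    """Post-wipe check a disposal process should run: every physical block zero."""
    return all(blk == bytes(BLOCK) for blk in dev.phys)

def file_level_wipe_demo():
    """Wipe 'the file' at logical block 0 with three random passes and a zero
    pass, then compare the OS view with what is physically on the media."""
    dev = RemappingDevice(8)
    dev.write(0, b"SIN 123-456-789 ")  # constructed sample record, 16 bytes
    for _ in range(3):
        dev.write(0, os.urandom(BLOCK))
    dev.write(0, bytes(BLOCK))
    return dev.read(0) == bytes(BLOCK), residue_blocks(dev, b"123-456-789")
```

`file_level_wipe_demo()` returns `(True, [0])`: the logical view reads back as zeros, yet the sample record still sits in physical block 0, which is exactly what `verify_wiped` and `residue_blocks` are there to catch before a drive leaves the organisation.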

  3. Readers may be interested in a recent related piece, “Metadata – What Is It and What Are My Ethical Duties?” by Jim Calloway to be found over on LLRX.com.

  4. I don’t know about the Privacy Commission, but information wiping comes up in civil cases too. See my commentary from last year related to Pacific Northwest Herb Corp. v. Thompson (1999).

  5. Thanks John, a not-so-subtle friend of mine simply takes a powerful drill to the hard drive and gives it some ventilation. It may not be environmentally sensitive but this Calgary solution seems to do the trick.

  6. I don’t know of any decisions that talk to ‘finding’ wiped personal information, but this US decision illustrates that the electronic footprint for wiping things is forensically visible. Perhaps that evidence would assist someone who sold or recycled a wiped hard drive that was later misused.

  7. The fact that it is technically possible to retrieve data after a disk has been wiped, or even shattered, apparently, may or may not be relevant to what one should do with one’s own disk. How likely is it? Who is going to have the disk once it is discarded, and what are they going to want to do? What is on the disk anyway?

    In short, there is some proportionality test involved.

    Two other points:

    – one advantage of the ‘destroy the disk’ (rather than wiping it) policy is that it takes very little skill to tell if the policy has been carried out. Some of the cases that Sharon refers to involve failure to wipe the disk. It’s hard to tell by looking at a hard drive taken out of a computer whether it has been wiped, but not hard to tell if it’s been broken into pieces, or had Calgarian holes drilled in it. And no special programs are needed for the purpose.

    – if you’re worried that CSIS or the CIA or someone else with much time and money and interest in the data will manage to read useful things even off small pieces of the drive (and I have seen credible statements that this is possible, with enough resources), then the counsel of perfection is to melt down the disk….

    I suspect that a simple pass with a wiping tool would be entirely satisfactory well over 99% of the time, in the sense that any undead data would not come back to haunt their maker. But if one has that <1% valuable stuff, then more dramatic measures may be called for. (And that verifiability point I find compelling too.)

  8. I would suggest that assuming a disk is intact, extracting data from it does not cost lots of money these days — in some cases it requires minimal skill with the software smarts and GUIs of today.

    What I wonder is, let’s say a school board gets some new servers and decides to sell their previous ones. They run some sort of data destroying program on all the drives. The filesystem is a ‘journalled filesystem’. The purchaser of the server, before doing anything, uses a forensic software utility (encase, accessData, open source) and manages to extract some personal information about a parent. Say they use or publish this data in some way. Can I as the parent hold the school accountable legally?
    -mike

  9. Hi.
    I’m sorry if I’m in the wrong place, as I am not a lawyer and therefore cannot provide a legal point of view about this; but as a computer engineer I can ensure that there are ways to destroy data beyond recovery.

    Take http://www.terminatedata for example, their program can even prevent analysis of a disk’s magnetization. And there are others.

    Anyways, I just thought someone would be interested. Again, sorry if it’s not my place.

    Pablo.

  10. I think, Pablo, that your kind of comment is entirely appropriate to the thread. Otherwise one finds us lawyers speculating based on inaccurate information. Now smart writers of legal opinions usually give some disclaimer about the accuracy of the facts on which they base their opinions, but for the sake of discussion, we might as well be right!