School technology leaders, beware: A new report from two graduate students at the Massachusetts Institute of Technology (MIT) suggests that unless you take very specific steps to erase the hard drives of old computers you donate or recycle, they can still retain personal files exposing sensitive information such as students’ addresses or academic records.

Over two years, MIT students Simson Garfinkel and Abhi Shelat bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned, they say, 69 still had recoverable files on them and 49 contained “significant personal information”—medical correspondence, love letters, pornography, and 5,000 credit card numbers. One even reportedly had a year’s worth of transactions with account numbers from a cash machine in Illinois.

About 150,000 hard drives were “retired” last year, according to the research firm Gartner Dataquest. Many end up in the trash, but many also find their way back onto the market.

Over the years, stories have surfaced about personal information turning up on used hard drives, raising concerns about privacy and the danger of identity theft.

Last spring, Pennsylvania sold used computers that contained information about state employees. In 1997, a Nevada woman bought a used computer and discovered it contained prescription records on 2,000 customers of an Arizona pharmacy.

Garfinkel and Shelat, who reported their findings in an article published Jan. 17 in the journal IEEE Security & Privacy, said they believe they are the first to take a more comprehensive—though not exactly scientific—look at the problem.

On common operating systems such as Microsoft’s Windows, simply deleting a file—or even following that up by emptying the “trash” folder—does not necessarily make the information irretrievable. Those commands generally remove only the file’s name from the directory. The information itself can live on until it is overwritten by new files.

Even reformatting a drive (preparing it all over again to store files) might not do it. Fifty-one of the 129 working drives in the MIT study had been reformatted, and 19 of them still contained recoverable data.

The hard-to-erase quality of hard drives is seen as a good thing by some. Many users like believing that, in a pinch, an expert could recover their deleted files. Law enforcement officers can examine a computer and lift incriminating eMails or pornographic images from the hard drive.

The only sure way to erase a hard drive is to “squeeze” it by writing over the old information with new data—all zeros, for instance—at least once, but preferably several times. A one-line command will do that for Unix users, and for others, inexpensive software from companies such as AccessData works well. But few people go to the trouble.
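As an added illustration (not code from this article or from Garfinkel and Shelat’s study), the toy in-memory disk image below models the three behaviours just described: deleting drops only the directory entry, a quick reformat rewrites only the directory, and only overwriting every block actually removes the data. The block layout, function names and the sample student record are all constructed for the example.

```python
BLOCK = 64      # bytes per block in the toy image
N_BLOCKS = 8    # block 0 is the directory; blocks 1..7 hold file data

def new_image() -> bytearray:
    """A blank 'disk': all zeros, so the directory in block 0 is empty."""
    return bytearray(BLOCK * N_BLOCKS)

def dir_entries(img: bytearray) -> list:
    """Parse the directory block, stored as 'name:block;name:block;...'."""
    raw = bytes(img[:BLOCK]).rstrip(b"\0").decode()
    return [e.split(":") for e in raw.split(";") if e]

def write_file(img: bytearray, name: str, data: bytes, block: int) -> None:
    """Store data in one block and add a (name, block) directory entry."""
    assert 0 < block < N_BLOCKS and len(data) <= BLOCK
    img[block * BLOCK:block * BLOCK + len(data)] = data
    cur = bytes(img[:BLOCK]).rstrip(b"\0") + f"{name}:{block};".encode()
    img[:len(cur)] = cur

def delete_file(img: bytearray, name: str) -> None:
    """'Delete' the way a typical OS does: drop the name, leave the data."""
    keep = "".join(f"{n}:{b};" for n, b in dir_entries(img) if n != name)
    img[:BLOCK] = b"\0" * BLOCK
    img[:len(keep)] = keep.encode()

def quick_format(img: bytearray) -> None:
    """A quick reformat rebuilds the directory only; data blocks are untouched."""
    img[:BLOCK] = b"\0" * BLOCK

def sanitize(img: bytearray, passes: int = 1) -> None:
    """The 'squeeze': overwrite every block, used or free, with zeros."""
    for _ in range(passes):          # real tools vary the pattern between passes
        img[:] = b"\0" * len(img)

def carve(img: bytearray, needle: bytes) -> bool:
    """What a recovery tool does: scan the raw data area, ignoring the directory."""
    return needle in bytes(img[BLOCK:])

def run_demo() -> dict:
    img = new_image()
    record = b"student: Jane Doe, 12 Elm St, grade A"   # constructed sample data
    write_file(img, "grades.txt", record, block=3)
    delete_file(img, "grades.txt")
    after_delete = ([n for n, _ in dir_entries(img)], carve(img, record))  # ([], True)
    quick_format(img)
    after_format = carve(img, record)                    # True: still recoverable
    sanitize(img, passes=3)
    after_sanitize = carve(img, record)                  # False: overwritten
    return {"delete": after_delete, "format": after_format, "sanitize": after_sanitize}
```

On a real drive the same principle applies to free space and slack, which is why a sanitizer must overwrite the whole device rather than just the files you can still see.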

As it turned out, most of the hard drives acquired by the MIT students came from businesses that apparently had a misplaced confidence in their ability to “sanitize” old drives.

Tom Aleman, who heads the analytic and forensic technology group at the accounting firm Deloitte & Touche, often encounters companies that get burned by failing to fully sanitize, say, the laptop of an employee who leaves the company for a job with a competitor.

“People will think they have deleted the file, they can’t find the file themselves and that the file is gone when, in fact, forensically you may be able to retrieve it,” he said.

Garfinkel said he has learned his lesson. As an undergrad at MIT in the 1980s, he failed to sanitize his own hard drive before returning a computer to his father—and his father reportedly was able to read his personal journal.

IEEE Security & Privacy

“Remembrance of Data Passed” (Garfinkel’s and Shelat’s report; requires Adobe Acrobat Reader)

AccessData Corp.