Privacy and Security TidBits

Destruction of Private Data: Pushing the “Delete” Button is Not Enough

by Monique Altheim on February 22, 2014

A study commissioned in Australia by the National Association for Information Destruction (NAID), published on Feb. 19, has found significant amounts of sensitive personal information left on recycled computers. The researchers randomly purchased 52 computers on sites such as eBay, and hired a reputable forensic investigator to find out whether any personal information was left on the drives. Out of the 52 devices, 15 still contained highly confidential personal information, including health and financial information, as well as personal photos and videos. Those devices had been “recycled” by individuals, law firms and government agencies, and the forensic evidence showed that all the files in question had been subjected to attempted deletion.

Clearly, many still believe that pressing the “delete” button will permanently delete a file and/or have never heard of forensic retrieval of digital data. Whether one operates in a jurisdiction that mandates secure disposal of personal data or not, improper removal of personal data on computers, smartphones or tablets is certainly bad practice. It is not only bad practice in the case of recycling of a device, as was the case in this study, but also when disposing of a device. Even when simply deleting personal files that have reached the end of their lifecycle, one needs to ensure their professional and final disappearance. Otherwise, these files may easily come back to life through a simple forensic examination of the computer in question, as was the case with the famous incriminating documents in the Enron case. The incriminating files, the needles in the haystack, had all been “deleted” by Enron employees and later retrieved by forensic experts during the investigation of the Enron scandal.

At the 34th International Conference of Data Protection and Privacy Professionals in Punta del Este, Uruguay (2012), a panel I moderated dealt in depth with the issue of deletion of digital data and forensic retrieval of personal information. You can watch the entire panel here (some of the presentations are in Spanish):

My panel consisted of, from left to right: Oscar Puccinelli, an attorney and professor of Constitutional Law at the National University of Rosario in Argentina; Jeimy Cano, CIS at Ecopetrol and professor at the Universidad de Los Andes in Bogota, Colombia; Gustavo Betarte, CTO at Tilsor and researcher and professor at the Engineering School of the Universidad de la Republica in Montevideo, Uruguay; Yoram Hacohen, at the time head of the Israeli Law, Information and Technology Authority (ILITA); and William C. Barker, associate director and chief cyber security advisor at the National Institute of Standards and Technology (NIST).

 

 

William Barker’s Slides:

Gustavo Betarte’s Slides: