By Sean McManus
Technology Reporter
Millions of storage devices are being shredded each year, even though they could be reused. “You don’t need an engineering degree to understand that’s a bad thing,” says Jonmichael Hands.
He is the secretary and treasurer of the Circular Drive Initiative (CDI), a partnership of technology companies promoting the secure reuse of storage hardware. He also works at Chia Network, which provides a blockchain technology.
Chia Network could easily reuse storage devices that large data centres have decided they no longer need. In 2021, the company approached IT Asset Disposition (ITAD) firms, who dispose of old technology for businesses that no longer need it. The answer came back: “Sorry, we have to shred old drives.”
“What do you mean, you destroy them?” says Mr Hands, relating the story. “Just erase the data, and then sell them! They said the customers wouldn’t let them do that. One ITAD provider said they were shredding five million drives for a single customer.”
Storage devices are typically sold with a five-year warranty, and large data centres retire them when the warranty expires. Drives that store less sensitive data are spared, but the CDI estimates that 90% of hard drives are destroyed when they are removed.
The reason? “The cloud service providers we spoke to said security, but what they actually meant was risk management,” says Mr Hands. “They have a zero-risk policy. It can’t be one in a million drives, one in 10 million drives, one in 100 million drives that leaks. It has to be zero.”
The irony is that shredding devices is relatively risky today. The latest drives have 500,000 tracks of data per square inch. A sophisticated data recovery person could take a piece as small as 3mm and read the data off it, Mr Hands says.
Last year, the IEEE Standards Association approved its Standard for Sanitizing Storage. It describes three methods for removing data from devices, a process known as sanitisation.
The least secure method is “clear”. All the data is deleted, but it could be recovered using specialist tools. It’s good enough if you want to reuse the drive within your company.
The most extreme method is to destroy the drives through melting or incineration. Data can never be recovered, and nor can the drive or its materials.
Between the two sits a secure option for re-use: purging. When the drive is purged, data recovery is unfeasible using state-of-the-art tools and techniques.
There are several ways a drive can be purged. Hard drives can be overwritten with new patterns of data, for example, which can then be checked to make sure the original data has gone. With today’s storage capacities, it can take a day or two.
By comparison a cryptographic erase takes just a couple of seconds. Many modern drives have built-in encryption, so that the data on them can only be read if you have the encryption key. If that key is deleted, all the data is scrambled. It’s still there, but it’s impossible to read. The drive is safe to resell.
Seagate is a leading provider of data storage solutions, and a founding member of the CDI. “If we can universally, among all of our customers, trust that that we have secure erase, then drives can be returned to use,” says Amy Zuckerman, sustainability and transformation director at Seagate. “That is happening, but on a very small scale.”
In its 2022 financial year, Seagate refurbished and resold 1.16 million hard drives and solid-state drives (SSDs), avoiding more than 540 tonnes of electronic waste (e-waste). That includes drives that were returned under their warranty and drives that were bought back from customers.
A pilot take-back programme in Taiwan recovered three tonnes of e-waste. The challenge now, Ms Zuckerman says, is to scale the programme up.
Refurbished drives are tested, recertified and sold with a five or seven-year warranty. “We are seeing small data centres and cryptocurrency mining operations pick them up,” she says. “Our successes have been on a smaller scale, and I think that’s probably true for others engaged in this work too.”
There are no projections for how many times each drive can be refurbished and reused. “Right now, we are just looking at that double use,” Ms Zuckerman says.
There is huge potential for such schemes. A large proportion of the 375 million hard drives sold by all companies in 2018 are now ending their warranty.
For drives that can’t be reused, Seagate looks first at parts extraction and then materials recycling. In the Taiwan pilot programme, 57% of the material was recycled, made up of magnets and aluminium. Innovation is needed across the industry to help recover more of the 61 chemical elements used in the drives, Ms Zuckerman says.
The principle of sanitising and reusing hardware also applies to other devices, including routers. “Just because a company has a policy of replacing something over three years, it doesn’t mean it’s defunct for the entire world,” says Tony Anscombe, the chief security evangelist at IT security company ESET.
“A large internet service provider (ISP) may well be decommissioning some enterprise grade routers that a smaller ISP would dream of having.”
It’s important to have a decommissioning process that secures the devices, though. ESET bought some second-hand core routers, the type used in corporate networks. Only five out of 18 routers had been wiped properly. The rest contained information about the network, applications or customers that could be valuable to hackers. All had enough data to identify the original owners.
One of the routers had been sent to an e-waste disposal company, who had apparently sold it on without removing the data. ESET contacted the original owner. “They were very shocked,” says Mr Anscombe. “Companies should sanitise devices themselves as best as they can, even if they’re using a sanitisation and e-waste company.”
Mr Anscombe recommends companies test the process of sanitising devices while they’re still under support. If anything is unclear, help is available from the manufacturer then. He also suggests saving all documentation needed for the process in case the manufacturer removes it from their website.
Before sanitisation, Mr Anscombe says companies should make and store a back-up of the device. If any data does leak, it’s easier to understand then what has been lost.
Finally, companies should make it easy for people to report security leaks. Mr Anscombe says it was hard to notify companies of what they had found on their old routers.
How can companies be sure the data has gone from a device? “Give it to a security researcher and ask them what they can find,” says Mr Anscombe. “A lot of cyber-security teams will have someone who understands how to take the lid off and see if the device was fully sanitised.”
By knowing how to clean the data from devices, companies can send them for reuse or recycling with confidence. “The days of the ‘take-make-waste’ linear economy need to be over,” says Seagate’s Ms Zuckerman.