Remember Good Data Hygiene: An Official Advisory from the US Government
Our government is telling us that bringing home that new holiday iPhone® should be a more complicated process than most of us realize. New US Department of Homeland Security (DHS) guidance is appropriately timed to coincide with the holiday shopping season during which many trade up to a new device. It also comes as resales or other transfers of used devices lead to increasing instances of identity theft and scams based on remnant data on the devices.
The US Computer Emergency Readiness Team (US-CERT), part of DHS, has published an official advisory regarding properly deleting data from electronic devices.* The guidance applies to most any device with data memory (e.g., computers, tablets, smartphones, external storage devices, gaming consoles, cameras and printers). Extensive technology experience is not needed to understand the relatively short guidance.
Under the advisory, good data hygiene involves (1) backing up data, (2) deleting data, (3) overwriting old data, and (4) destroying data when you are ready to part with the device. Steps (2), (3) and (4) are the key steps for sanitizing a device, and may not be intuitive. The last step (destruction) could probably compensate for not previously deleting or overwriting data.
A key message of the advisory is that deleting the data may not be enough to "make it go away." Leftover information can linger, for example, in unallocated storage space. To prevent misuse of old files, US-CERT recommends that users overwrite storage devices and not merely delete data. PCs running Windows and Macs often have built-in features to do this – but don’t forget to do it. Don’t forget to sanitize USB thumb drives, memory cards, and other storage systems as well. The gold standard to prevent access to data when you are done with a device, according to US-CERT, is physical destruction of a device. US-CERT tells us you can use a professional service in this regard or have your own demo day by drilling holes or hammering nails into a device. US-CERT fails to tell us to exercise caution in electing the do it yourself route, but please do so!
Following US-CERT’s advisory is akin to the preventive care of an annual medical exam – it’s not always fun, but can be valuable – so don’t forget to do it.
*See the complete advisory "Security Tip (ST18-005): Proper Disposal of Electronic Devices" available at https://www.us-cert.gov/ncas/tips/ST18-005, current as of October 31, 2018.