@
NHK
RADIO JAPAN
@
New
Risks of resold Computers
@
by
Takato NATSU
@
Q1-Q5
: Questions from NHK RADIO JAPAN
TN
: Takato Natsui (Professor at Meiji University)
On
the air : April 5th 2001
in
NHK RADIO JAPAN : Japan and World 44Minutes
Q1) It has now
become clear that many used PCs are being resold in Japan and overseas with
personal information remaining on the computer's hard disk. How has this come
to be ?
TN
: Generally speaking all computers have internal storage devices. Personal
computers (PC) also have such storage devices. Perhaps, hard disks are the
most popular storage device used to retrieve or store data on computers. And,
hard disks are usually installed inside of each computer. Data of computer
users may be stored on any storage device. It is common for confidential
information to be included on such stored device.
By
the way, when computers are resold to another person, any internal hard disks
will also be usually given to the buyer at the same time. If any data or
information were completely removed from the hard disks, then this data or
information would not remain in the computer. But, in many cases, by
carelessness or ignorance, data or information is not completely removed from
hard disks, and remains on the hard disk at the time of the sale. On the other
hand, there are very careful people out there, who know the importance of the
data on their hard disks, and these people may try to remove all of the data
on their disks by a process called, "disk formatting". However,
recently, very powerful software tools have been developed for recovering
erased data from computer storage devices. Although we like to think that any
deleted data should not remain on the disk at all, such tools have the ability
to restore some erased data. Thus, in these cases, purchasers of resold
computers may get not only the computer hardware, but also the confidential
information of the original owner of the computer. And, this data may be
distributed to many people unlawfully.
Q2) What are its
potential risks? Could you give
specific examples ?
TN
: Yes, I believe that there are many types of potential risks. For example,
infringement of trade secrets or intellectual properties or invasion of
privacy may occur. Information thieves may try to obtain such data from resold
computers. If the original owner of specific data were a government and if
such data were very important and confidential to the government, then any
unauthorized discovery of such data could be very embarrassing and would cause
huge confusion. Invasion of privacy, especially, has the potential to be very
dangerous.
I
know of some actual examples of such cases. Many of these computers were sold
on the open market, and all of them were notebook-type computers. In some
cases, all of the data of the original owner remained in its original
condition on the hard disk. For example, E-mail, Microsoft Word documents,
Microsoft Excel spread sheets and so on. The most important thing is that
these files may include very confidential data. For example, confidential
member lists such as customer lists, documents relating any accounts, Tax
relating documents, love letters by E-mail and so on. I know these in actual
cases.
In
fact, many used computers are being sold at some street of Akihabara in Tokyo.
Perhaps, confidential data still remain in such computers, and privacy or
trade secrets of the original owners are just now distributing through these
reselling on the street.
Similar
cases can be found with leased computers. There are many leased computers not
only in offices of companies, but also in universities. Ordinary university
students may be not so careful. Same invasion of privacy may occur by leased
computers.
General
speaking, users may take some obligations to erase private data on leased
computers by computer-lease agreements. In such cases, users must erase
private data by themselves. But, many users usually forget the importance and
meaning of this obligation to erase their private data.
Q3) Record number of personal computers are being shipped across
Japan, leading also to a sharp rise in scrapped and recycled PCs.
The law to promote the effective use of resources comes into effect in
April, requiring PC makers to recycle PCs used by businesses.
The law will also be applied to PCs used at home one year later. What
measures should be taken to prevent possible misuse of private information in
used PCs ?
Also, what are the difficulties of erasing data so it cannot be retrieved ?
TN
: To maintain a healthy environment, the law to promote the effective use of
resources is an effective start. But, with regard to privacy matters,
thoughtless recycling may bring unhappy results. It is important to try to
reach a good balance between these two goals. So, first, we need to know what
problems are occurring relative to resold computers. Then, we must develop and
use better measures to resolve these problems. Fortunately, some good software
tools have been developed lately to attack the privacy problem. For example,
one of these tools can completely overwrite all of the sectors or blocks on a
disk with another single code. In such case, the original data will be forever
changed to meaningless code. I would like to encourage use of such privacy
protection tools.
However,
even if you use such tools, some problems may still remain. For example, one
such problem arises because some computers contain secret partitions of the
hard disk. Such secret partitions are set for the purpose of special
functions, such as data caching. But, ordinary users may not recognize or even
know about such secret partitions. So, ordinary users may forget to erase the
data on such secret partitions. Additionally, there is another problem with
the new privacy tools. I have found that some of the better tools are not
always easy to use.
Thus,
in the case of recycling of used computers by a recycling company, I believe
that it would be good to require these companies to erase all of the data on
these used computers by using one of these better tools. But, when private
parties resell their used computers, the seller ought to be personally
responsible for erasing all of their data or removing and destroying their
hard disk prior to transferring possession of their computer to the buyer. I
also believe that in order to make more effective use of these new privacy
software tools and preserve the privacy of our data, it is necessary that we
spread the knowledge about the privacy of data that is stored on hard disks.
Q4) Lastly, experts
point to the need to establish a legal framework to ensure safety of private
information. What are your
thoughts on this ?
TN
: In Japan, a bill concerning a new privacy protection law was proposed in the
Diet in March of this year. According to this bill, any company, which has any
confidential information of any of its customers, must protect such
confidential information of these customers. In order to protect the privacy
of such confidential information, such companies must establish privacy
policies and compliance programs. I hope these companies will introduce
effective measures into their compliance programs. I believe that such
compliance programs should include measures to control access to and disposal
of data storage devices, to manage the resale of used computers, and to verify
that all confidential data is properly and completely erased.
Q5) Additional
Questions relating the World trends.
TN
: Council of Europe published draft convention on cyber-crime in February of
this year (proposed on December 2000). This cyber-crime convention aims to
attack against several types of computer crimes. These computer crimes include
illegal access, illegal intervention, and fraud by using of computer systems,
crime relating child pornography and so on. Member States of G8 meeting will
discuss about High-Tech crimes on May of this year.
In
Japan, unauthorized access shall be punishable by criminal laws. But, This is
a law for crimes that may come from outside of networked computer systems.
Problems relating computer data on the hard disks may occur inside of computer
or by computer system itself. Protection by laws is not still enough. And,
most of legislator of the world donft recognize importance of this problem.
I
believe that it is necessary to research the actual condition of data leakage
of confidential data from resold computer as soon as possible, and also it is
effective to inform adequate cautions and knowledge about this problem to
customer through several channels, for example, by broadcasting such as this
NHK Radio, by any news paper, or by explanatory documents attached with
computer systems.
Thank
you.
Copyright (C) 2001 Takato
Natsui, All Rights Reserved.
Published on the Web :
Apr/09/2001
TOP