New Risks of Resold Computers


by Takato NATSUI


Q1-Q5 : Questions from NHK RADIO JAPAN

TN : Takato Natsui (Professor at Meiji University)

On the air : April 5th 2001

in NHK RADIO JAPAN : Japan and World 44Minutes

Q1) It has now become clear that many used PCs are being resold in Japan and overseas with personal information remaining on the computer's hard disk. How has this come to be ?


TN : Generally speaking, all computers have internal storage devices. Personal computers (PCs) also have such storage devices. Perhaps hard disks are the most popular storage device used to retrieve or store data on computers. And hard disks are usually installed inside of each computer. Data of computer users may be stored on any storage device. It is common for confidential information to be included on such storage devices.

By the way, when computers are resold to another person, any internal hard disks will also be usually given to the buyer at the same time. If any data or information were completely removed from the hard disks, then this data or information would not remain in the computer. But, in many cases, by carelessness or ignorance, data or information is not completely removed from hard disks, and remains on the hard disk at the time of the sale. On the other hand, there are very careful people out there, who know the importance of the data on their hard disks, and these people may try to remove all of the data on their disks by a process called, "disk formatting". However, recently, very powerful software tools have been developed for recovering erased data from computer storage devices. Although we like to think that any deleted data should not remain on the disk at all, such tools have the ability to restore some erased data. Thus, in these cases, purchasers of resold computers may get not only the computer hardware, but also the confidential information of the original owner of the computer. And, this data may be distributed to many people unlawfully.


Q2) What are its potential risks?  Could you give specific examples ?


TN : Yes, I believe that there are many types of potential risks. For example, infringement of trade secrets or intellectual properties or invasion of privacy may occur. Information thieves may try to obtain such data from resold computers. If the original owner of specific data were a government and if such data were very important and confidential to the government, then any unauthorized discovery of such data could be very embarrassing and would cause huge confusion. Invasion of privacy, especially, has the potential to be very dangerous.

I know of some actual examples of such cases. Many of these computers were sold on the open market, and all of them were notebook-type computers. In some cases, all of the data of the original owner remained in its original condition on the hard disk. For example, e-mail, Microsoft Word documents, Microsoft Excel spreadsheets and so on. The most important thing is that these files may include very confidential data. For example, confidential member lists such as customer lists, documents relating to accounts, tax-related documents, love letters by e-mail and so on. I know of these from actual cases.

In fact, many used computers are being sold on some streets of Akihabara in Tokyo. Perhaps confidential data still remains in such computers, and the privacy or trade secrets of the original owners are being distributed right now through this reselling on the street.

Similar cases can be found with leased computers. There are many leased computers not only in the offices of companies, but also in universities. Ordinary university students may not be so careful. The same invasion of privacy may occur with leased computers.

Generally speaking, users may take on obligations under computer-lease agreements to erase private data on leased computers. In such cases, users must erase private data by themselves. But many users usually forget the importance and meaning of this obligation to erase their private data.


Q3) A record number of personal computers are being shipped across Japan, leading also to a sharp rise in scrapped and recycled PCs. The law to promote the effective use of resources comes into effect in April, requiring PC makers to recycle PCs used by businesses. The law will also be applied to PCs used at home one year later. What measures should be taken to prevent possible misuse of private information in used PCs ?
Also, what are the difficulties of erasing data so it cannot be retrieved ?


TN : To maintain a healthy environment, the law to promote the effective use of resources is an effective start. But, with regard to privacy matters, thoughtless recycling may bring unhappy results. It is important to try to reach a good balance between these two goals. So, first, we need to know what problems are occurring relative to resold computers. Then, we must develop and use better measures to resolve these problems. Fortunately, some good software tools have been developed lately to attack the privacy problem. For example, one of these tools can completely overwrite all of the sectors or blocks on a disk with another single code. In such a case, the original data will be forever changed to meaningless code. I would like to encourage the use of such privacy protection tools.

However, even if you use such tools, some problems may still remain. For example, one such problem arises because some computers contain secret partitions of the hard disk. Such secret partitions are set for the purpose of special functions, such as data caching. But, ordinary users may not recognize or even know about such secret partitions. So, ordinary users may forget to erase the data on such secret partitions. Additionally, there is another problem with the new privacy tools. I have found that some of the better tools are not always easy to use.

Thus, in the case of recycling of used computers by a recycling company, I believe that it would be good to require these companies to erase all of the data on these used computers by using one of these better tools. But, when private parties resell their used computers, the seller ought to be personally responsible for erasing all of their data or removing and destroying their hard disk prior to transferring possession of their computer to the buyer. I also believe that in order to make more effective use of these new privacy software tools and preserve the privacy of our data, it is necessary that we spread the knowledge about the privacy of data that is stored on hard disks.


Q4) Lastly, experts point to the need to establish a legal framework to ensure safety of private information.  What are your thoughts on this ?


TN : In Japan, a bill concerning a new privacy protection law was proposed in the Diet in March of this year. According to this bill, any company, which has any confidential information of any of its customers, must protect such confidential information of these customers. In order to protect the privacy of such confidential information, such companies must establish privacy policies and compliance programs. I hope these companies will introduce effective measures into their compliance programs. I believe that such compliance programs should include measures to control access to and disposal of data storage devices, to manage the resale of used computers, and to verify that all confidential data is properly and completely erased.


Q5) Additional questions relating to world trends.


TN : The Council of Europe published a draft convention on cyber-crime in February of this year (proposed in December 2000). This cyber-crime convention aims to attack several types of computer crimes. These computer crimes include illegal access, illegal intervention, fraud using computer systems, crimes relating to child pornography and so on. The member states of the G8 meeting will discuss high-tech crimes in May of this year.

In Japan, unauthorized access shall be punishable by criminal laws. But this is a law for crimes that may come from outside of networked computer systems. Problems relating to computer data on hard disks may occur inside of the computer or through the computer system itself. Protection by laws is still not enough. And most of the legislators of the world don't recognize the importance of this problem.

I believe that it is necessary to research the actual condition of leakage of confidential data from resold computers as soon as possible, and that it is also effective to convey adequate cautions and knowledge about this problem to customers through several channels, for example, by broadcasting such as this NHK Radio, by any newspaper, or by explanatory documents attached to computer systems.


Thank you.

Copyright (C) 2001 Takato Natsui, All Rights Reserved.

Published on the Web : Apr/09/2001