Clean out Old Computers Before Selling/Donating

 A 1997 article in the New York Times ("Patient Files Turn Up in Used Computer," 4/4/97, John Markoff) describes how C.J. Prime, of San Franciscio, booted up the used IBM computer she purchased at an auction and found 2,000 patient records from Smitty's Supermarkets pharmacy in Tempe, Arizona. Included were "prescriptions for AZT for AIDS patients, Antabuse for alchoholics as well as numerous antidepressants." Prime speculates that with the software left installed on the computer, she might have been able to connect to the pharmacy's main office and change coverage or create new prescriptions.

When selling or donating old computers, be sure to remove any sensitive data, and make sure that by leaving any commercial software on the machine you are not violating the terms of any software license agreements. Note that files deleted through ordinary means (e.g. dragging to the trash on Windows or Macintosh) can usually be recovered. Use a secure file deletion utility which ensures that the data can not be recovered by successively writing binary ones and zeros over files to be deleted (See Note below).  Pretty Good Privacy (PGP) includes a secure delete function and Norton Utilities' Wipe Info feature will also securely delete files.

In recent years it has become a popular practice to sell used (but still functional) hard drives via online "auction" sites like eBay. Before disposing of hard drives in this or any other manner in which one or more subsequent owners of the drive will have access to any data remaining on the drives, it is essential that the drive(s) be wiped clean of data as mentioned above. There are many, many reported and confirmed instances of sensitive data found on drives purchased through eBay. .

Under existing law, the purchaser of a second-hand drive owns not only the drive itself, but also any data on the drive. If you improperly dispose of a drive in a way that permits sensitive data to fall into the hands of someone who exploits it for their own purposes, you will likely have little or no legal recourse.

DO NOT SIMPLY THROW AWAY "DEAD" DRIVES. The platters can be removed from non-functional drives and all data retrieved. Before disposing of drives that no longer work, DESTROY THE PLATTERS. A large hammer comes in handy for this, though some find more satisfaction in drilling completely through the drive casing with a large (1/2 inch or larger) bit.

The same advice applies to storage media like computer tapes, disks, diskettes, etc. Be sure to completely remove any sensitive information before disposing of electronic storage media. University Archives and Records offers a standard service for secure destruction of confidential electronic records.  For further details, see http://www.archives.upenn.edu/urc/urc.html
If you need further help finding tools or services to do this, contact security@isc.upenn.edu.

 Before transferring computers containing any software, first make sure that Penn is properly licensed to transfer it, that it was not obtained illegally or in violation of license terms, and that the software was never copied illegally or in violation of license terms. Also, make sure that the transfer conforms with terms of the software license. For instance, the license for Microsoft Office Version 4.21 include this clause:

 "Software Transfer: You may permanently transfer all of your rights under this EULA, provided you retain no copies, you transfer all of the SOFTWARE PRODUCT (including all component parts, the media and printed materials, any upgrades, this EULA, and, if applicable, the Certificate of Authenticity), and the recipient agrees to the terms of this EULA. If the SOFTWARE PRODUCT is an upgrade, any transfer must include all prior versions of the SOFTWARE PRODUCT"

The only way to be sure the transfer complies with all licenses is to read them all. For software licenses with "transfer" clauses like above, have the recipient(s) acknowledge in writing their acceptance of the terms of the license, and their receipt of all materials required by the license. It's important to consider licensing issues not only for application software like Word and Excel, but also for operating system software like MacOS and Windows.

Note: There are, however, problems with the conventional secure deletion method of overwriting binary ones and zeros.  Someone with technical knowledge and access to specialized equipment may be able to recover data from files deleted with this method.  Use of magnets (degaussing) or physical destruction may be required for especially sensitive data, but be sure that such procedures conform to published standards for secure data destruction.  For further details, see Peter Guttman's paper "Secure Deletion of Data from Magnetic and Solid-State Memory"
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Last updated: Wednesday, January 3, 2007