Datawiping works (true)

Analysis The sedate world of PC disposal has been rocked by a study which suggest deficiencies in many commercial datawiping products. But were the tests fair? John Leyden reports.

Tests on a string commercial datawiping products - which suggested that only one worked properly - have provoked a backlash from vendors: they question the study's methodology.

Last month we reported an eTesting Labs study which found that only Redemtech Data Erasure, a product from the firm which contracted eTesting to run the trials, worked properly across six variously configured PCs.

As we noted at the time, the results should be treated with caution as Redemtech paid eTesting to run the tests.

Since running this article we've been in touch with the other vendors of the other test products, who weren't contacted about the study prior to its publication by eTesting Labs. The common thread in the criticisms is that their software was not designed for the configurations of the test PCs. Vendors argue that the tests weren't as fair as they ought to have been, and potentially misleading.

During the tests Ontrack DataEraser failed to overwrite all the sectors on two PCs, but Ontrack spokeswoman Nicolle Martin said these results are questionable because "it appears they looked at non-standard computer systems, and didn't follow requirements set by the data erasing program they were using".

For example, the tested IBM ValuePoint 425 SX/Si only had 4MB of RAM - half the 8MB minimum memory requirement of Ontrack DataEraser.

Blancco Oy, whose Blancco - Data Cleaner product encountered the same type of reported failures as Ontrack DataEraser during the eTesting study, said that the tests had "serious defects".

The latest version of Blancco - Data Cleaner require minimum 16 Mb RAM, system requirements were not fulfilled in the case of IBM Value Point 425 and Compaq Prolinea 4/33 computer used as part of the tests. PCs used in the tests were two-five years old but Blancco's latest release is only designed the work on the latest PCs, it points out.

"The tested Blancco v3.0r10 did not perform erasure to IBM Value Point 425 SX/Si because hardware could not open graphical user interface," Blancco said in a statement. "Our tested software will not run at all in a PC that does not meet the system requirements. Therefore the user cannot get an impression that erasure would be made."

Credability gap?
During the tests, InfraWorks Sanitizer failed to overwrite all of the disk sectors on five PCs while NTI Diskscrub and Wipe Clean (freeware in wide circulation, according to Redemtech) failed to overwrite all the sectors on all six PCs.

Rick Sutton, vice president of development at InfraWorks, is scathing in his criticisms of the test.

"Sanitizer has been tested in the labs of Defense Security Services (DSS) and by the Air Force Information Warfare Center (AFWIC) . It has also been listed as an effective product by the Assistant Secretary of Defense," Sutton said.

"At no time did these labs or our internal testing reveal any of these problems," he added.

InfraWorks believes that tests "performed by completely disinterested agencies, without any financial interest in the outcome of the test, have greater credibility" than eTesting Labs study.

Craig Kaplan, a sales manager at eTesting Labs, said that it stood by the results of its tests saying that they were its "final say" on the subject.

He defended eTesting Labs methodology in the study. However he confirmed that it didn't get in touch with vendors to find out why their products might have failed, because it was bound by a non-disclosure agreement to its clients Redemtech.

Jon Godfrey, a consultant for Technical Asset Management, the Welwyn Garden City, Herts PC disposal company, said he took the results of the eTesting Labs study with a "pinch of salt".

Godfrey who recommends InfraWorks Sanitizer to his clients, and has a licence to use the military version of the product, said the biggest problems in data destruction come from human error, not product deficiencies.

Why it matters?
Datawiping is a boring but important subject for end of life kit.

Corporates pay recycling firms to dispose of their equipment - the residual value of the kit rarely covers the cost of collection, datawiping - important for security and for data protection - and reselling. By far the cheapest option is smashing and dumping - but that's dirty and in many rich countries, illegal.

But what if the broker is not datawiping the kit, or is using the wrong datawiping software? Then there's a headache. The most famous case in recent years was Morgan Grenfell, now part of Deutsche Bank, which let loose an end-of-life PC containing the bank details of Sir Paul McCartney into the secondhand market.

But there has been a series of incidents, including details of children at risk found on a PC dumped on a skip by Lincolnshire Council, and a register of sex offenders contained on a PC used by students studying statistics furnished them by Bristol police. The machine was later sold, with the register. ®

External Links

The eTesting Labs report, complete with methodology

Related Stories

Datawiping doesn't work
Windows wipe utilities fail to shift stubborn data stains
Paul McCartney account details linked on second user PC