Given the mushrooming of data recovery businesses and the lack of documentation in transactions involving hard disk drives, the breach of hard disk data security is a disaster waiting to happen in India. There is little public awareness about the data security implications of transactions in the grey market.
Pune, Aug. 21
RECENT instances of breach of data security in the BPO sector have triggered a demand for more stringent cyber laws and a more rigorous implementation of the existing ones. But, oddly enough for a country in which hard drives are often swapped, bought and sold in the grey market without a paper trail, individual and institutional computer users remain oblivious to threats to security of sensitive data stored on hard drives.
This indifference to the need for standardised procedures to ensure that drives are wiped clean before they change hands may be attributable to the fact that most computer users in India believe that reformatting a drive erases data.
It does not: reformatting merely overwrites partitions or sectors of data.
A range of off-the-shelf wiping software, written to help users conceal data stored in their computers, is readily available, but most of these tools use variations of a basic method that involves overwriting information on storage devices with a random series of numerals.
And then again, most people, including a disconcertingly large number of computer professionals, either do not know how to use wiping software correctly or do not care to.
The software works only with multiple overwrites with different character sets.
A de facto standard of sorts, established by the US Department of Defense, which specifies a minimum of four passes with wiping tools if a drive is not to be destroyed physically for whatever reason, is usually ignored.
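The gap between reformatting and a multi-pass wipe can be checked on a throwaway disk image. The following is an added example, not part of the original article: the toy image layout, the model of a reformat as a rewrite of the metadata sector only, and the four pass patterns are illustrative assumptions and are not taken from any standard.

```python
import os
import tempfile

SECTOR = 512
# Constructed sample record; the number is a widely used test value, not real data.
SECRET = b"CARDHOLDER=TEST USER;PAN=4111111111111111"

def make_image(path, sectors=64):
    """Build a toy 'drive': sector 0 is a metadata header, sector 10 holds the record."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR * sectors)
        f.seek(0)
        f.write(b"TOYFS index: record@10")
        f.seek(10 * SECTOR)
        f.write(SECRET)

def quick_reformat(path):
    """Simplified model of a reformat: only the metadata sector is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"TOYFS index: empty".ljust(SECTOR, b"\x00"))

def residue(path, needle=SECRET):
    """Raw scan of every byte, the way a recovery tool ignores the file system."""
    with open(path, "rb") as f:
        return needle in f.read()

def wipe(path, patterns=(b"\x00", b"\xff", None, None)):
    """Overwrite the whole image once per pattern (None = random bytes),
    sync to storage, and read each pass back to confirm it landed."""
    size = os.path.getsize(path)
    for pat in patterns:
        data = os.urandom(size) if pat is None else pat * size
        with open(path, "r+b") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        with open(path, "rb") as f:
            if f.read() != data:
                raise OSError("verification failed; treat the drive as not wiped")
    return len(patterns)

def demo():
    """Return (record found after reformat, passes run, record found after wipe)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        quick_reformat(path)
        after_format = residue(path)
        return after_format, wipe(path), residue(path)
    finally:
        os.remove(path)
```

The read-back after each pass is the part most often skipped in practice: a pass that silently fails to write leaves the drive in the same state as an unwiped one.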
Experts say that the only way of ensuring drive security is to use wiping software ... and then destroy the drive.
A few weeks ago, the National Association for Information Destruction (NAID), the international trade association for companies providing information destruction services which promotes the information destruction industry and vets the standards and ethics of its member companies, had announced that it was not in a position to endorse the use of wiping applications alone for deleting data from hard drives.
Mr Bob Johnson, Executive Director at NAID, had said that the data-destruction industry group wished that it was able to recommend tools, but tests had caused doubts about the efficacy of wiping products.
He had added: "Our position, ultimately, is that we will only give our approval to physical destruction of the hard drive. We know that unless that is done in a certain way even that can be an ineffective approach."
Given the NAID position on the subject, it is not surprising that businesses in the West sensitive to disk security take no chances and either degauss their magnetic storage devices or crush them. The former method is used when a large number of disks are involved.
The issue of hard disk drive security has been around ever since two Massachusetts Institute of Technology (MIT) students, Mr Simson Garfinkel and Mr Abhi Shelat, published a study a couple of years ago in which they said they had bought 158 used hard drives at second-hand computer stores and on eBay.
Of the 129 drives that functioned, 69 had recoverable files on them and 49 contained "significant personal information," including 5,000 credit card numbers.
Their finding, in conjunction with research firm Gartner Dataquest's research which suggests that about 150,000 hard drives were "retired" in the US alone last year, highlights the nature and sweep of the problem.
According to Mr Garfinkel, whose doctoral thesis is on computer security, companies which make operating system software are primarily to blame in that they don't provide adequate tools to help clear all data from their products' memories.
Ironically, software vendors have so far tended to make it difficult for customers to delete all data because they say that's the way customers want it.
Most computer users quite simply do not want to wipe out all data in case they make a mistake.
Given the mushrooming of data recovery businesses and the lack of documentation in transactions involving hard disk drives, the breach of hard disk data security is a disaster waiting to happen in India.
As and when such a disaster does occur, a large part of the responsibility will lie with the government, which has neglected the domestic hardware sector and has thereby encouraged the development of a thriving grey market in hardware products, including magnetic storage devices.
It may be recalled that the former Prime Minister, Mr Atal Behari Vajpayee, had caused the establishment of a high-powered National Task Force on IT and Software Development on May 22, 1998, under the Chairmanship of the then Deputy Chairman of the Planning Commission, Mr Jaswant Singh.
The Prime Minister's Task Force for Information Technology and Software Development had subsequently set up a "hardware panel" which had listed over 700 ancillary units, which could potentially take up small volume manufacturing of hardware. However, not a single recommendation of the hardware taskforce had been implemented.
At that time, the domestic hardware sector had been severely handicapped by a contorted tax structure, which made trading more lucrative than manufacturing.
The excise duty on manufacturing was so high that it was substantially cheaper to import and trade in hardware, resulting in the burgeoning of a vast grey market.
In 2003-04, the government had finally addressed the anomaly and had reworked levies to optimise the price parity between assembled and branded hardware.
However, even though the Indian hardware sector has gradually been gaining traction since then, the grey market, in which used hard drives change hands freely and without documentation, continues to flourish with no public awareness about the data security implications of these transactions.