Note - This article was originally published in The Mercury News in January 2003.

Hard Drives Dumped; Your Information Isn’t

By Larry Magid
Special to the Mercury News

Whether you recycle your old computer, sell it, give it away or take it to the dump, you may also be giving away personal information, even if you think you erased everything on your hard drive and emptied the recycle bin.

Two MIT graduate students bought 158 used disk drives on the secondary market and found many “had not been properly sanitized.” They found personal information, even when the previous owner had attempted to erase the data and empty the recycle bin, or even reformat the entire drive.

The pair, Simson Garfinkel and Abhi Shelat, found medical records, love letters, pornography and thousands of credit card numbers.

The researchers aren’t the first to discover a treasure trove of personal information on used machines. In 2002, a journalist purchased a used computer at a thrift store that had once belonged to the U.S. Veterans Administration. The drive contained medical information including the names of patients with AIDS and mental health problems.

While some people make no effort to delete sensitive data, others are lulled into a false sense of security by using standard file deletion methods. Most are temporary at best.

The most common way to delete files in Windows and Macintosh is to drag the file into the Mac “trash can” or the Windows “recycle bin.” While that removes it from the desktop it does not remove it from the computer. In fact, you can restore the file by simply opening the trash or recycle bin and dragging it back to the desktop.

Both Mac and Windows allow you to go one step further by emptying the recycle bin which appears to delete the file completely. The Mac, for example, asks you if you are sure “you want to remove the item in the trash permanently.” Windows asks if you’re “sure you want to delete all of the items in the recycle bin.”

But neither method is permanent. Erasing a file doesn’t actually delete the data; it just removes the file name from the directory. The data is still there, even though you can’t see it in the recycle bin.

Deleting a file the standard way by emptying the recycle bin is a bit like crumpling up a piece of paper and throwing it in the trash can rather than running it through a shredder.

The MS-DOS delete command doesn’t have an obvious “undo” feature but it too can easily be reversed. This can be good news if you’ve accidentally deleted something. But it’s bad news if you want it permanently gone.