Linux Journal – Dot Compost and the Danger to Your Privacy.
Buyers are getting more than they imagined as auction sites sell off the machines, but overlook the information that's still inside.
[ … ]
I pulled out my Linuxcare Bootable Business Card, a disk I helped develop that I often use when doing forensics of unknown systems. It's a utility that allows me to quickly and easily bypass the operating system and retrieve data, a task critical for performing data recovery of corrupted systems or for performing forensic analysis of systems that have been compromised by intruders. Within 45 seconds I was looking at the data on the computer's hard drive, and what I saw shocked me. It turns out that the first computer I bought used to be the main e-mail server for a highly visible startup. I won't mention the company's name because it is irrelevant, and I see no need to subject their former employees and customers to potential humiliation, liability, data loss and privacy loss. This company was not a minor player, however. Its investors included Intel, and one of the firm's premier customers was, ironically, eBay.
Because the computer was used as an e-mail server, it also contained a company employee directory that included names, phone numbers and, in some cases, home addresses. I only looked at six e-mail messages on the server, but six were enough. One message was addressed to a senior executive at the firm and sent from (presumably) his new employer. It discussed business plans and his requests for stock in the new firm. Another message sent shivers down my spine; it was from Wells Fargo Bank to someone at the firm, and it contained private banking information. In its e-mail, the bank tried to provide a layer of privacy protection to its client, but enough was revealed that I could theoretically impersonate that person to the bank.
[ … ]
On a larger scale, my experience raises the question, “How much of your personal information has been sold as part of liquidation sales?” This is not an issue limited to a single company, but one that should concern all former employees of the dot-com failures, as well as their investors, lenders, partners and customers. A study released in July by the Denver, Colorado-based Privacy Foundation found that over one-third of US employees doing business on-line, some 14 million people, have their internet and e-mail usage monitored on a continuous basis. In addition, practically all of the web sites that require registration collect personal information. All that information is stored on computers like the ones I bought on eBay.
Fortunately, there are some simple solutions for these problems. First, all computers should be wiped clean before being part of a liquidation sale. It is in everyone's best interest to run a big magnet over the hard drives of computers before putting them up for auction. In addition, there should be clear legal consequences for organizations that do not follow these procedures and end up breaching the privacy of innocent third parties. Individual consumers have little protection here before the fact, and because most companies that go out of business do not advertise the fact, individuals also may have little protection after the fact. In addition, everyone should take a few common-sense precautions: never give out your social security number; limit the sharing of private information on the web sites that you frequent; and sign up for the privacy protection services offered by the major credit card companies. [Privacy Digest]