How to Destroy Data
When you no longer need to keep data,
you have to get rid of it.
The problem is, how can you destroy data in a
Encryption is a defensive tool for confidentiality. Do it carefully —choose your cipher and use it appropriately, including key management, the most likely source of error. Then hope that it works, you have no warning that your adversary is decrypting your data.
A cryptographic hash function is a detective tool for integrity. It can tell you that sensitive data has been modified. If the hash value is what you expect, then you have very high, but not perfect, confidence that it has not been modified.
However, we have no cryptographic tool, thus no math and no numbers, for availability, or destruction.
All you can offer is strong support for your claim of having followed best practice — choosing an effective destruction method, and carefully following a process for carrying it out.
Logical Destruction by Overwriting
There are U.S. federal standards on how to overwrite magnetic media in a way that is considered secure. The short version is:
- Overwrite all locations with some character,
- Then with its logical complement,
- Then with a random character,
- And finally verify the last write
Something like all zeros, then all ones, then pseudo-random bits, and finally verify that you can read the same pseudo-random sequence back out. For more details on just how to do this on various types of media see the nice summary at zdelete.com or, for the full details, see the original DOD documents.
However, while NSA definitely is aware of DOD 5220.22-M and recommends its use, there is no such thing as "the NSA standard" or "the NSA method" above and beyond this. Just 3 overwrites (and then carefully destroy the media for maximum safety). Note that DOD services may have their own nomenclature for "DOD 5220.22-M".
If you really want to pursue this (because you think that your advisary is likely to apply atomic-force microscopy on your media to recover data after you overwrote it), read this 1996 paper. Also be aware that physical disk geometry is automatically (and silently!) remapped by drive electronics during the media service life, meaning that sensitive data may have been written to spare sectors or entire cylinders. It can be difficult to verify that you are writing the patterns to all addressible locations. If you really care, physically destroy it.
Data Remanence through Bad Sectors and Wear Leveling
THe firmware inside the storage unit misleads the operating system. The disk firmware detects bad sectors, remapping its logical sector to a different physical sector. The original physical sector is no longer used, and its contents will not be over-written.
Solid-state drives make this worse through wear leveling. All disks are somewhat over-provisioned, with more actual storage than the operating system sees. SSDs are a more extreme version of this.
If you try to overwrite the contents of an SSD, you will be able to write the advertised volume of data into the disk. But because of overprovisioning, you have only overwritten some of the total storage. And because of wear leveling, if you do what seems to be a complete overwrite several times in a row, you only know that you don't really know if you have actually overwritten all the storage blocks.
Again, physical destruction is the only way to be certain.
Destroying Optical Media
If you want to quickly and easily destroy a CD or DVD, place it in a microwave for just a second or two.
Below you see the result of putting a commercial CD into a microwave oven for just one second. The oven was a General Electric E640J 002 nearly twenty years old, and it probably doesn't generate its original 970 watts of power at 2.45 GHz. However, just one second rendered this disk unreadable by most if not all adversaries.
Yes, some heavy-duty office shredders can also eat CDs and DVDs, but they can make a huge mess of metal foil slivers and plastic chips, and the resulting mix of paper, plastic and metal is not recycleable.
You can prove beyond a reasonable doubt that you do possess a specific piece of data — a database record, a file, an entire file system. Calculate the HMAC (or Hashed Message Authentication Code) using, instead of a shared secret key, a unique challenge value or nonce. Someone else with a trusted copy of the data can verify that you must have used an identical copy to calculate that. Something like this:
- Alice wants Bob to prove that he holds a copy of a specific data file.
Alice generates a nonce, a unique randomly
generated bit string.
- The nonce must be long enough for the result to be convincing enough, "beyond a reasonable doubt".
- It should really be a nonce, unique to this event.
- So, Alice needs a good source of entropy and a record of used nonces.
Bob appends the challenge to the content of the
data file and calculates the hash of that:
SHA_2_512([content][nonce]) → Result
- Bob then transmits the result to Alice.
- Alice repeats the calculation with a trusted copy of the data file and verifies that her result is identical to Bob's.
However, you cannot really prove that you do not have a given piece of data.
All you can do is offer support for the claim that if you did once hold the data, you very carefully followed a good process for data destruction. The two issues here are selecting an appropriate method, and showing that you carefully and consistently follow a process for applying that method.
Proving this would be an attempt to prove a negative.
Burden of proof Evidence of absence Modus tollens
There has been some work on provable destruction of data, typically small data sets such as cryptographic keys, sometimes with special-purpose hardware or firmware.
- Jiang, H., Li, C., Zhang, R. et al. A provable key destruction scheme based on memristive crossbar arrays. Nat Electron 1, 548–554 (2018). https://doi.org/10.1038/s41928-018-0146-5
- Klonowski M., Przykucki M., Strumiński T. (2009) Data Deletion with Provable Security. In: Chung KI., Sohn K., Yung M. (eds) Information Security Applications. WISA 2008. Lecture Notes in Computer Science, vol 5379. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00306-6_18
An important lesson, which I can make concrete with a physical example, is that:
You should not collect any data that is not
You should carefully destroy any collected data that is no longer needed.
Destroying Mixed Media Records
I got stuck with three cabinets filled with sensitive physical records. My father practiced dentistry for 51 years. He kept meticulous records, and then became increasingly obsessive as he began a neurological decline after his retirement, leading to Alzheimer's disease or a similar dementia. He had been in the nursing home for about two and a half years when my mother died, partially over being brokenhearted over his condition. And so I was stuck with cleaning out the house by myself.
Each patient's main record was in a small folded bundle, one or more cardstock ledgers listing their personal information on one side, and one line per office visit down the opposite side. Some patients had seen him their entire life, from childhood through retirement and beyond. Every office visit was a line on a ledger card.
Folded inside the ledgers were letters to and from specialists they had been referred to, extended notes on observations at appointments, and small X-ray films.
Another drawer held Panorex films. These are 280×125 mm, showing the entire mandible and maxilla ("lower and upper jaw") from one temperomandibular joint through the other. All the teeth, the supporting structures, and more.
I contacted Iron Mountain, a major media destruction company that operated in the area. They will not come to homes, only to businesses. For residential shredding, they are partnered with United Parcel Service. You can take material to a UPS Store for shredding, which they will do for US$ 1 per pound.
However, unlike Iron Mountain's industrial shredding service, which accepts optical media and plastic cards, the UPS Store could not accept anything containing plastic sleeves holding film. On the positive side, you can sell old X-ray film for its silver content. You don't get very much, but it's something.
The small "bitewing" intraoral X-ray films were stored in various ways. Initially, cardboard holders were used.
The name "bitewing" comes from the Y-wing-shaped tab the patient bites to hold the film in place. Most of these films are 41×31 mm. There are smaller ones, 40×24 mm to fit directly behind the front teeth, or 35×22 mm for children.
Some dentists used similar plastic mounts into the 2000s. These are nice, it's easy to pop the films out.
Unfortunately, from around 1980 through the 1990s my dad switched to using soft transparent plastic sleeves.
The plastic sleeves deteriorated, getting a slightly greasy or sticky feel and adhering to the films.
The theory was that the plastic sleeves would remain a completely transparent, non-distorting holder, allowing you to clearly view a set of X-rays taken at a previous appointment.
The reality is that after 15 to 20 years the plastic started to deteriorate.
Around 2000 he switched to using small paper envelopes. They preserved the films much better than the transparent plastic sleeves.
The pulp channels through the roots of teeth gradually close in over time. An X-ray clearly showing the pulp channels can provide a pretty good estimate of the subject's age.
There isn't much dental use for X-rays over ten years old. A dentist will always want current radiographical images. However, in the U.S. with the high rate of lawsuits, a medical care provider will very likely want to keep records until well after the patient's death. The patient or their family might decide to sue for failing to do everything appropriate and more.
This strongly encourages data hoarding.
So, I ended up with three full cabinets. I know that he had destroyed some, but given some of the things that I did find, I can't imagine what he destroyed.
Here is the complete record for a patient who was in the office three times — in February, May, and October of 1964, early in his practice. In 2009 he had applied a small Post-It to the opposite side, the outside of the bundled record, saying "Save until 2016".
By the mid 2010s he was no longer really doing anything with his records, besides occasionally starting to look through some and adding further pointless annotations. I found records like the one with a Post-It reading "Save until 2014, then review", and then a second Post-It added reading "2014: Save". Even more pointlessly, I found annotations such as "Save until 2015, then keep", and "Save until 2016, then move to Save".
The bundles were fastened shut with transparent tape. Post-Its were also fastened to plastic film sleeves and to Panorex films with transparent tape. Then, the cabinets were stored in a non-air-conditioned garage. After about ten hot summers, the tape made for a sticky mess.
I emptied out half of one drawer, separating out the bitewing films in their various holders, and then pulling the film out of the holders. I timed that. It took between an hour and a half and two hours to clear out half of one drawer. So, I was looking at a little over 50 hours of work.
Much of the time went into pulling the films out of the plastic sleeves. It's possible, but difficult and slow. I found that if I only separated the film, putting the film in transparent sleeves into one pile, film in small paper envelopes into a second pile, and film in the cardboard and rigid plastic frames into a third, I could empty a drawer in an hour or slightly more.
Then, in about 15 minutes' time per drawer I could dump the films out of the small paper envelopes and pop them out of the rigid holders.
After about two and a half days of disassembling records, I ended up with many plastic storage tubs full of the paper and cardstock plus the paper film envelopes. Plus a medium sized box holding about forty pounds of X-ray film, to be sold, and a large box of plastic sleeves with film, destined for an industrial destruction service when I got home.
This was all in a small town. The nearest UPS Store was a half-hour's drive away. But, a local copy shop offered shredding for the same US$ 1 per pound rate. I took several tubs there each day, picking up the empty tubs from the day before.
The small shop offers what amounts to the same service as that provided by Iron Mountain and others. They promise that they are very careful to protect the material until it's shredded, following a well defined process, and verifying handover at each stage. They offer to take digital pictures of your material, before and after. I said "Yes, please" for pictures of one set. Above is what I got.
It was an interesting result — a 1650×1275 pixel JPEG image containing 500×557 and 790×390 pixel subimages on a white background. The above is 1450×600 pixel selection of the image. The image has no EXIF metadata, but that doesn't make it less believable. If it did have metadata, then I would need to know details of the shop's camera to decide whether it added any credibility. The copy shop could have digitally signed the attached image file, or the entire email messages. But I wouldn't have any way of verifying the digital signature, unless the local copy shop offered me a copy of their public key wrapped in a digital certificate created by a certificate authority that I recognize and trust.
Even in the unlikely situation where they could give me a useful digital signature, I wouldn't have reason to believe that the digitally signed images and messages meant anything. They can't give me any real proof that the bags of shredded material are the result of sending all my originals through their shredder. I suppose they could record video of the process, but of course that could be faked.
There's just no practical way to prove that you have deleted a large data set, in either digital or physical form. No way to prove that a thing that used to exist no longer exists, unless it was destroyed in an effective process that you observed.
You have to trust people on tasks like data destruction. If they have carefully documented their destruction process, and have shown a pattern of behavior of carefully following their processes, you have reason to believe their reports of having deleted data.
Destroying by Heat
There are ways to observe a destruction and feel confident that the data is gone. For example, both Terminator 2: Judgment Day and Alien 3 end with similar scenarios of destruction by heat. Immerse the dangerous data, either digital or genetic, in molten steel. If only I had had access to a steel refining furnace for those cabinets filled with dental records...
Availability topics with their own pages:
On the general Availability page:
Back to the Security Page