Lost USB keys back in the spotlight in Privacy Commission report

In late 2011, we published our analysis of a bunch of USB keys we’d bought at a lost property auction.

We took $400 (about £260) to a public transport utility’s annual auction and came home with 57 USB keys containing 4400 files.

We didn’t find any Wikileaks-type information – there were no criminal plots, no rush orders for F-35 strike fighters, and no intelligence data from the diplomatic community.

But we did get several surprises, which we wrote about at the time:

* 66% of the keys had one or more malware infections.
* Many of the keys contained personal and work-related files.
* Not a single one of the 4400 files was encrypted.

Our report quickly put the data protection cat amongst the pigeons, with two sides emerging in the debate.

The Government Should Do Something About It camp castigated the transport operator (RailCorp New South Wales) for selling the keys in the first place. As @KineticPearl commented on Naked Security:

> What I find interesting is that [RailCorp] are not wiping the keys prior to sale. In this case it made for a good story, but a better one would be that you found absolutely nothing at all due to the diligence of the authority. I feel that the seller should be responsible for preventing data leaking, even if it is not directly their data, after all they are profiting from selling the device.

Even though I’m a strong advocate for privacy (and a staunch believer that opt-out simply isn’t good enough), I ended up in the Government Isn’t There To Nanny-State You camp, and argued the opposite:

> I have thought long and hard about this. I don't think that RailCorp should be obliged to wipe the data, in much the same way that I don't think that ISPs should be obliged to watch your internet traffic and block pirated stuff. It's not data which RailCorp collected for its own use, after all.

Unsurprisingly, the debate quickly drew in the New South Wales Office of the Privacy Commissioner, the body which oversees how personal information is held and used by the State’s government and public service.

We were delighted to get involved in the Privacy Commissioner’s investigation, and had some fun at SophosLabs showing the investigation team how we automated the retrieval, recovery and reporting of the data on the keys we bought.

In particular, we were able to show that the recovery process, though lengthy (USB keys tend to be quite slow, and we loaded and stored every byte from 50 of the keys), could be completely automated, apart from the insertion and removal of each key in turn.

Cleaners, for example, could acquire USB data dumps whilst working their way through an office building overnight – without attracting attention by losing time on their regular job.

We were also able to recover files from two apparently-wiped test devices brought in by the investigation team. Even USB keys that most people would consider safely blanked out and suitable for re-use may still contain critical information.

The Privacy Commissioner’s report has recently been published.

(Even if you’re usually afraid of government reports, give this one a read. At just three pages it is concise, clear and uncompromising – but without being cynical or judgmental.)

The bottom line of the report – literally and figuratively – is that @KineticPearl was right, and I was wrong.

RailCorp made a proactive decision to destroy lost USB keys in future, rather than to try to wipe them and sell them, and the Privacy Commission was pleased:

> The Privacy Commissioner considers that RailCorp's assessment of the risk to the privacy of individuals is correct and that the decision to cease auctioning USBs is the most reasonable outcome.
>
> The Privacy Commissioner commends RailCorp's decision, made without waiting for the completion of this inquiry.

This raises the question, “What to do with your USB keys?”

Wiping USB keys that are being retired from service might not have the purgative result you want. Destroying them instead is an effective and simple alternative.

But how do you protect yourself from leaking data on USB keys which get lost? Or on keys which are transferred between users, departments and even companies?

One answer: only ever write encrypted data to your USB keys.

(Yes. We have crypto products to help you do just that. I’m not suggesting you use these products simply because we have them – it’s the other way around. We have the products because we think they’re the right way to solve this problem.)

The most shocking thing in our original research was not the high prevalence of malware, nor the fact that the keys got sold in the first place, nor that USB keys are so easy to lose.

The most shocking thing was that not one file on any of the keys we bought was encrypted – even those files which contained personally identifiable information or proprietary information from work.

Encrypt everything and you never have to worry about the stuff you didn’t encrypt!
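One way to audit a key against that rule, as an added example that is not from the original article or from any Sophos tool: it walks a mounted key and separates files whose type is plainly visible, or whose bytes are low-entropy, from files that look like ciphertext. The 7.5 bits-per-byte threshold, the 2048-byte minimum and the sample files are assumptions made for this sketch, and a password-protected zip or PDF still reports as recognisable because its header is not encrypted.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Compressed formats: contents look random, yet anyone can open them.
KNOWN_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\xff\xd8\xff": "jpeg",
               b"\x89PNG": "png", b"%PDF": "pdf"}
THRESHOLD = 7.5    # bits/byte; assumed cut-off, random data sits near 8.0
MIN_SAMPLE = 2048  # below this, the entropy estimate is too noisy to trust

def shannon_entropy(data: bytes) -> float:  # bits per byte, 0.0 to 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(path: str) -> str:
    with open(path, "rb") as fh:
        sample = fh.read(65536)  # the first 64 KiB is enough for a verdict
    for magic, name in KNOWN_MAGIC.items():
        if sample.startswith(magic):
            return "recognisable:" + name  # type visible: not whole-file encrypted
    if len(sample) < MIN_SAMPLE:
        return "too-small"
    return "high-entropy" if shannon_entropy(sample) >= THRESHOLD else "plaintext"

def audit(root: str) -> dict:
    """Map each file under root (a mounted key) to its classification."""
    return {os.path.relpath(os.path.join(d, f), root): classify(os.path.join(d, f))
            for d, _dirs, files in os.walk(root) for f in files}

def build_sample_key(root: str) -> None:
    """Write constructed sample files standing in for a USB key's contents."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "payroll.csv": b"name,id,salary\nA. Example,0000,50000\n" * 100,
        "photo.jpg": b"\xff\xd8\xff\xe0" + noise,  # compressed, not encrypted
        "vault.bin": noise,                        # stand-in for ciphertext
        "note.txt": b"call me",                    # too short to judge
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as key:
        build_sample_key(key)
        for name, verdict in sorted(audit(key).items()):
            print(f"{verdict:20} {name}")
```

Anything not reported as `high-entropy` is readable by whoever finds the key; a `high-entropy` verdict is only a hint and does not prove the file is encrypted.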

PS. Why not try our free encryption tool?

It’s an easy way to save and share files securely, whether you use removable devices or cloud-based internet services.

(Direct download; no registration required. Sorry, Mac users: this one’s for Windows only.)