How Should I Dispose of My Old Electronics (That May Have Passwords In Them)?

large piles of scrapped electronics

Recycling is good. I even wrote about recycling your devices a couple of years ago. Just recently the US Computer Emergency Readiness Team or US-CERT (part of the US Department of Homeland Security - DHS) issued Security Tip ST18-15 on Proper Disposal of Electronic Devices. Given that new "Tip" and the fact that this is the season for many people to replace consumer electronics, I'm going to share some of their advice. They also reference NIST Special Publication 800-88 Guidelines for Media Sanitization, as I do my earlier post.

us-cert page screenshot

First and foremost, before you do anything else if there is any way to do so, back up the data on the device. It is a real downer to discover that you wiped out the only copy of a proposal or the only image of Aunt Anita!

Second, verify that backup. I recently upgraded the software on an older mobile phone. I followed the instructions for the backup and even checked to ensure that there was data in the backup folder on the PC where I saved it. Unfortunately, the older version of the backup software used a format that was not readable by the upgraded software. I lost much of the data on that phone because I didn't check the backup. If you are going to a different model or version of a phone, verify the backup before proceeding to erase the data.

The next step is to erase the data. I talked about wiping computer disks in my earlier post. The CERT tip also talks about destroying data on smartphones, tablets, cameras, media players, gaming consoles, copiers, faxes, etc. Any of these could contain information of potential value to attackers including credit card numbers, usernames, passwords, account numbers, a WiFi network password, your address, your birthday, or who knows what else. In all cases, the general idea is the same, erase the data, and then write over the storage device.

Many computer users know that even emptying a recycle bin on a device is not enough to remove the data. The data hang around on the disk in spaces waiting to be reused. Attackers may know how to recover the data. The overwriting process ensures that no trace of the data is left behind.

If you are going to dispose of old memory cards, floppy discs, or CDs/DVDs, physical destruction is the best approach. I have a shredder in my office that can handle any of those (and you should, too: they are not expensive). Absent a shredder capable of destructing the media you wish to destroy, I recommend doing with it as people have done with expired credit cards for decades: cut them up into little pieces with sturdy scissors.

Finally, you need to dispose of the actual hardware. Sellers and manufacturers will sometimes buy old devices. If they are more than a couple of years old, though, it may not be worth the time to pack them up and send them. Some items can go to schools, shelters, or other organizations that refurbish old devices or use unlocked phones for clients in emergency situations. I gave some old working computers to a high schooler who wanted to learn about taking them apart and re-assembling them. If you cannot donate an old device, it is best to recycle it. Municipal waste departments often have programs to handle old electronics, and they are the best bet for devices that cannot be used any longer. The Tip sheet from US-CERT references EPA rules for disposal as a last resort.

We talk in Learning Tree's introduction to cyber security course about the disposal of devices, documents, and storage media and the associated potential for information leakage.

To your safe computing,
John McDermott

Related Training:

Cyber Security

Chat With Us