FTC to Look Into Copy Machine Privacy Breakdown
Add digital copiers to your list of things to be afraid of. Turns out most of the machines built since 2002 have copies of every image they scanned stored on their hard drives -- and when those machines change hands, they're seldom wiped clean. The FTC has taken steps to inform manufacturers, resellers and office supply stores about the risks, but what is the agency really empowered to do?
The Federal Trade Commission has responded to an April 29 letter from Rep. Edward J. Markey, D-Mass., expressing concerns about sensitive data stored on digital copiers' hard drives. Markey's letter followed CBS News' April 19 airing of a report on its investigation into the matter.
The FTC said it was aware of the privacy issues and planned to inform manufacturers, resellers and office supply stores about the risks associated with digital copying, and to see that they were providing options for secure copying.
"We will work with these entities to help ensure that they provide appropriate educational materials on this subject to their clients," wrote FTC chairman Jon Leibowitz. He also directed Markey to educational materials the FTC previously distributed on disposing of computer hard drives.
"We are also reaching out to government contracting officials to advise them of the risks associated with the use of digital copiers and ensure that the government is taking measures to protect the information we collect from the public," Leibowitz continued. The FTC routinely erases and destroys hard drives when it returns copiers, the chairman said.
Leased Copiers Returned
The copier industry has failed to inform the public of the privacy risks of using digital copiers, Ed McLaughlin, president of Sharp Imaging and Information Company of America, admitted in the CBS News report.
During its investigation, CBS found a machine used by a police sex crimes division in Buffalo, N.Y., with information on criminal suspects and domestic violence complaints. It also found pay stubs with Social Security numbers and medical records from insurer Affinity Health Plan, including names and physician diagnoses.
Companies such as Xerox supply overwrite tools for hard drives, but the public may not have the knowledge to use them.
Copiers are leased for fixed periods and then shipped around the world with sensitive data remaining on their hard drives, noted Markey in his letter to FTC Chairman Leibowitz.
"I am concerned that these hard drives represent a treasure trove for thieves," he wrote, "leaving unwitting consumers vulnerable to identity theft as their Social Security numbers, birth certificates, medical records, bank records and other personal information are exposed to individuals who could easily extract the data from the digital copiers' hard drives and use it for criminal purposes."
Businesses and government agencies need to take steps to erase the data before returning the machine or disposing of it, Markey cautioned.
The FTC and Rep. Markey's office did not return TechNewsWorld's calls requesting comment.
It shouldn't be difficult to apply the same methods of destroying computer data to the data on digital copiers' hard drives, Rob Enderle, principal analyst for the Enderle Group, told TechNewsWorld, but this is not something people have thought about.
"A lot of these things could be sitting in landfills and repurposed," he said.
"This shouldn't have been news," Enderle continued. "Something was overlooked, because they're not sold as storage devices -- they're sold as copy machines."
Educating the Public
The FTC will likely set in place automatic purge rules for digital copiers, said Enderle. After a copying, scanning, or printing job is complete, the files would have to be deleted.
"With the security infrastructure aware of the problem, there will be efforts to encrypt data," he added, noting that existing methods for disposing of PC and server data will be extended to copier information.
"It shouldn't be particularly hard to use the same processes and rules. I don't see the fixes as particularly onerous," Enderle said.
Yet there is doubt as to whether the FTC's efforts will be fruitful.
"To me it's going to be a fair amount of waste of time," said Ira Winkler, author of Spies Among Us and president of the Internet Security Advisors Group, who appeared in the CBS News report that shed light on this problem.
"What can the FTC actually do? The FTC has no control over the Buffalo Police. I don't think the FTC has responsibility for medical records," Winkler told TechNewsWorld.
"They can write a report and tell Congress we need to pass this [information] along. I mean, this is decades late," he said.
"They're going to spend lots and lots of money on something that's glaringly obvious. This is like saying drunk drivers theoretically can kill people. What type of study do you really need done?" Winkler asked.
A Major Oversight
"We have a surprisingly large exposure here," Enderle said.
Digital copiers' hard drives could hold personal medical or banking records, conviction histories or lists of crime suspects.
"There are a whole series of regulations that may now come into play as folks look at what appears to be an improper use of information," added Enderle. "There could be some serious problems."
Disclosure and accountability laws such as Sarbanes-Oxley could come into play, he pointed out.
National Security Problem?
Imagine the scenario of a digital copier being leased at one time by a U.S. Embassy and then ending up in the office of another country's embassy while still retaining sensitive data on the hard drive, Enderle suggested.
"This is just one more example that printing confidential information is a very dangerous practice," he emphasized, noting that the data could be scanned and emailed to a million people.
"I'd like to assume it's not related to national security, but it probably was," Winkler said. "But the FTC has no control over federal agencies, so what difference does it make?"
CBS News reported that digital copiers dating back to 2002 store data.
So think twice the next time you head to the copy machine. You don't really know for whom you're copying those tax forms, medical records and corporate files.