Careful not to dump a data-loaded PC
By Dana Dratch • Bankrate.com

Thinking of selling your old computer or donating it to claim a healthy tax deduction? Think again. You could be giving away the keys to your business.

"The thing is that computers don't work the intuitive way people think they do," says Chris Wysopal, director of research and development for @stake Inc., a digital security consulting company based in Cambridge, Mass.

"When you remove files, the computer doesn't really remove the file. The data is still there."

That means anything you put into the computer -- tax returns, credit card numbers, electronic bill paying data, client information -- is ready and waiting for the person who knows how to find it.

So what are you supposed to do with the 50-pound paperweight that used to be your business's most-valued tool? Relax. You have a couple of options.

Wipe it clean
If the machine in question is used mainly as a word processor and the material in question is a collection of document files, you can delete the files and then follow up with a program to obliterate the information.

Called "wiping the files," this involves using specially designed software such as SecureClean. The program writes several layers of computer code over your data, making it impossible to read. Windows XP has a built in wiping feature. Many times, these programs are bundled with virus protection software, so you might already own one.

But if you use the computer to connect to the Internet, especially for online banking, electronic bill paying or customer-service work, this may not be the best option. Your Internet browser will store all that data, and not necessarily in places where you might think to look.

"Sometimes even the people who wrote the software don't know exactly how it works," says Wysopal.

What's where on your PC
Wondering what's where on your computer? Here's a quick list from James Whittaker, computer science professor at the Florida Institute of Technology and author of "How to Break Software":

• Browser: You'll find cookies and favorites files here.
• E-mail program: The home of address books and sent and deleted e-mail.
• Anti-virus scan logs: These track Internet sites visited and documents that have been scanned. "A lot of people don't realize how much information these contain," says Whittaker.
• Registry entries: This operating system component manages information shared between programs. If you cut and paste anything from the Internet or move data from an accounting program into an e-mail or data file, it will be here.
• Temp files, the recycle bin: These areas track where you've been on the Internet and what information you recently deleted.

Even if you successfully destroy all of your documents, your operating system might have stored a few on other places in the machine, for example under a "recently viewed" feature. This might be fine if the computer contains nothing but old inventory rosters, but it could get a little tricky if the data is a list of your most valued customers, their home addresses and their credit card numbers.

And don't rely on a third party to clear your computer of sensitive data. Wysopal recalls an incident where a company sold its computers through an auction, assured by the auction firm that the machines would be wiped clean before they changed hands. Much to the surprise of the seller and the competitor that bought the PCs, they were not.

Whittaker's advice: Minimize the personal information you store on your computer, especially passwords and cookies. "When you go to a Web site that says 'do you want to store your password?' say 'no.' That way, you don't have those things sitting around on your hard drive."

Reformat the hard drive
If your computer is an integral part of your business, loaded with budgets, banking transactions and client data, your best bet might be to reformat the hard drive.

This is "the most clean way" to remove your data, says Whittaker.

The downside: if you want to sell the operating system and any of your software, you have to reinstall it when you're done.

Corey D. Schou, director of the National Information Assurance Training and Education Center at Idaho State University, even recommends reformatting the hard drive twice. "It makes a little more work" says Schou. "However, it does protect your information asset."

Destroy the drive
If you are concerned about your data, especially if it could help a crook steal your identity or that of your customers, don't sell the box. It's not worth junking the reputation of your business to recoup the cost of a secondhand computer.

"It's a judgment call," says Michael Erbschloe, vice president of research with Computer Economics Inc., a computer research firm in Carlsbad, Calif. "Have I put something on this computer that could cause me damage or result in identity theft?

"We've really been taking the position lately that the best thing to do is destroy the hard disk. I'm more than willing to donate the box. That's a good thing to do.

"But realistically," says Erbschloe, "if you are really, really concerned about security, if you've got a lot of information on there that is sensitive to your business, we're definitely taking the position to destroy the hard disk."

Dana Dratch is a freelance writer based in Georgia.

-- Posted: Nov. 12, 2001