Government sale of used magnetic tape storage not a big security risk, GAO reports

There is little risk of the government exposing personal data or state secrets by reselling its used magnetic storage tapes, the General Accounting Office reported today.  The Federal Government is the largest user of magnetic tape in the world snapping up one million reels annually, experts say and a large secondary market that buys and resells thee tapes has grown up around it. 

Critics say federal agencies are selling used magnetic tapes containing sensitive government data to companies which then resell them to the general public. Congress too has been  concerned that magnetic tapes containing sensitive government data have become available to the public.

The GAO report says there is no general legal requirement that the government erase all data on all magnetic tapes before disposing of them. However, the National Institute of Standards and Technology (NIST) has issued guidelines that instruct agencies to properly sanitize magnetic tapes with certain kinds of sensitive data before they leave agency control. In its guidelines, NIST defines sanitization as the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved.  Even if some data were recoverable from some tape formats that had been overwritten to preserve their servo tracks, the data may not be complete or even decipherable, the GAO report stated.

The GAO study was limited in that it only looked at basically one of five companies it chose to investigate this issue.  The GAO said that according to documents received from this (unnamed) company, it bought tapes from agencies including the National Oceanic and Atmospheric Administration, the Federal Reserve Bank, and the U.S. Air Force. They then resold the tapes on the secondary market. To find out whether tapes sold by this company could contain recoverable data, the GAO obtained and tested 12 used tapes from this company.

According to the GAO report: “Officials at this company told us that, before reselling used tapes, most of them are sanitized using a process known as degaussing. The degaussing process completely destroys any data on a tape, preventing data recovery. However, the company said its process for sanitizing tapes differs when reselling certain high-capacity-storage tape formats. These formats contain a feature called a servo track, which cannot be degaussed without rendering the tape unusable. Consequently, tapes with servo tracks must be sanitized using a less thorough process known as overwriting.

“The company said that it strips the labels from used tapes before sanitizing them and that it was therefore impossible to determine whether any used tape sold by the company had originated with the federal government. Keeping this in mind, the GAO bought from the company, four magnetic tapes with servo tracks and eight without. “It is important to emphasize that there was no way to know whether we had obtained tapes that originated with the government--our intent was to test whether the tapes containing servo tracks could contain data after overwriting,” the GAO stated. “We could not find any comprehensible data on any of the tapes using standard commercially available equipment and data recovery techniques, specialized diagnostic equipment, custom programming, or forensic analysis.”

The GAO report also states that while newer computer disk technology provides a viable storage medium for most applications, magnetic tape continues to provide the government with an inexpensive means of backing up mid- to large-sized mainframe systems in the event of a disaster or system failure.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies