The Legend of the DOD Hard Drive Wipe Standard
Few technologies in the history of mankind have evolved as quickly and dramatically as the hard drive. Data storage that cost hundreds of thousands of dollars and filled a room 50 years ago now costs less than the price of a movie ticket, can fit in your pocket, and can hold thousands of times more data.
Because computing technology changes so rapidly, there’s often a lag between new standards and widespread adoption among the public; such is the case with hard drive wiping. Debate inside the computer science community over which method works best has also created confusion among consumers.
Today we’re breaking down the oft-cited Department of Defense (DOD) 5220.22-M data wiping “standard” to help you understand what it is, what it’s not, and why we no longer use the exact DOD method of data erasure here at CompuCycle.
Why Data Wiping is Necessary
For at least 20 years, experts have recognized the need for data erasure that goes beyond simply deleting files or even formatting, which makes the data difficult to recover but not impossible if one has the motivation and the tools. Thus, data wiping is necessary to prevent sensitive information from falling into the wrong hands.
The terms “data wiping” and “data erasure” are actually kind of misnomers. The process doesn’t involve scrubbing the hard disk drive free of data, and it uses software to overwrite the important data underneath with random or otherwise useless data, which renders it irretrievable. So the end result is the same, but the question is: How many times does the underlying data need to be overwritten to ensure its protection?
The History of Data Wiping Standards
The DOD 5220.22-M was one of the earliest protocols adopted by many as an erasure method, although it was never intended for civilian use or even an official government standard. After all, why would the Department of Defense set the standard and enforce data erasure standards for private individuals and businesses?
And a method, not a standard, is the best description of the 5220.22-M. It was never intended as a standard and, thus, never had the ability to act as one. No IT asset disposal company was ever able to be “certified” to DOD 5220.22-M standards – there was never such certification. Instead, it references a particular method, a set of steps, for overwriting data.
The 5220.22-M appeared in the National Industrial Security Program (NISP) Operating Manual in 1995, and the method called for three overwriting passes of all addressable segments of the hard drive: first overwriting with a character (e.g., a zero), that character’s compliment (a 1), then a random character, with verification of data destruction at the end.
Just one year later, in 1996, two industry experts–Peter Gutmann and Bruce Schneier–released their data erasure algorithms, with the latter’s requiring seven overwriting passes and the former’s as many as 35! However, Gutmann’s method was meant for older hard drive equipment such as modified frequency modulation (MFM) drives, which became obsolete shortly after he presented his paper regarding the process.
In 2001, a DOD memo referenced a variant of the 5220.22 standards (5220.22-ECE) that required seven overwriting passes.
But in 2006, mentions of 5220.22-M disappeared from the NISP manual, and the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-88: Guidelines for Media Sanitization, with a revised version in 2012. Inside, the Institute stated that because of advancing technology, “…for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.”
The NIST standard quickly became the industry benchmark, with the DoD and other governmental agencies, including the CIA and Department of Energy, themselves adopting it as their required data sanitization procedure.
Thus, that particular three-pass technique is now related to the DoD in name only; any data disposal companies or software programs claiming they are “approved by the DoD” because they use DoD 5220.22-M are misleading customers, purposefully or not.
Multiple overwrite passes are now unnecessary and an inefficient method of data erasure.
CompuCycle’s Data Sanitization Process
Here at CompuCycle, we continue to reference both the DOD 5220.22-M standard and the NIST 800-88. We understand that the 5220.22-M standard is outdated and was never applicable from an official or government standpoint.
Nevertheless, we believe that because so many of our customers and members of the general public have become so used to that standard, it does still have relevance. In fact, to this day, it’s commonly included as an option in some popular DIY data erasure software programs. We believe the standard itself is in keeping with our philosophy of staying hyper-vigilant when it comes to our customers’ private data. So while we no longer use the exact DOD 5220.22-M overwriting method, we are happy to express that we go above and beyond the DOD 5220.22-M method as part of our data destruction services.
At the same time, we do abide by the NIST 800-88 guidelines that account for complete data destruction no matter the type of drive (SATA, SSD, etc.), whether that means using software erasure alone or also facilitating physical destruction of the hardware.
By adhering to the latest industry guidelines but also understanding the past and how we arrived at today’s landscape, we are able to deliver totally safe data sanitization 100% of the time.