This is the accessible text file for GAO report number GAO-07-1233R 
entitled 'Sale of Magnetic Data Tapes Previously Used by the Government 
Presents a Low Security Risk' which was released on September 21, 2007.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

United States Government Accountability Office: GAO:

September 21, 2007:

The Honorable Joseph I. Lieberman:
Chairman:

The Honorable Susan Collins:
Ranking Member:
Committee on Homeland Security and Governmental Affairs: United States 
Senate:

Subject: Sale of Magnetic Data Tapes Previously Used by the Government 
Presents a Low Security Risk:

The federal government widely uses magnetic tapes for data storage and 
data recovery. According to allegations made by a magnetic-tape company 
official, federal agencies are selling used magnetic tapes containing 
sensitive government data to companies which then resell them to the 
general public. While this is not an illegal practice, you are 
concerned that magnetic tapes containing sensitive government data have 
become available to the public in this manner. There is no general 
legal requirement that the government erase all data on all magnetic 
tapes before disposing of them. However, the National Institute of 
Standards and Technology (NIST) has issued guidelines that instruct 
agencies to properly sanitize magnetic tapes with certain kinds of 
sensitive data before they leave agency control.[Footnote 1] In its 
guidelines, NIST defines sanitization as the general process of 
removing data from storage media, such that there is reasonable 
assurance that the data may not be easily retrieved and reconstructed.

We focused our investigation of this potential security risk by 
attempting to determine whether the companies identified in the 
allegations are purchasing used magnetic tapes from the federal 
government and reselling them and, if so, whether we could recover data 
from used tapes that the companies had resold. In conducting this 
investigation, we spoke with representatives of five companies and 
visited two of these companies. We obtained used magnetic tapes and 
tested them to see if any data could be retrieved. To test the magnetic 
tapes for data, we used a combination of commercially available 
equipment that a standard magnetic tape customer would own as well as 
specialized diagnostic equipment. We did not investigate all existing 
magnetic tape companies in the United States, but focused on the five 
companies referred to us in the allegations. We did not attempt to 
validate whether the companies we investigated disclosed all of their 
business with the federal government. Furthermore, we did not attempt 
to contact agencies to determine whether they sold tapes or to 
determine whether they complied with NIST guidelines when selling used 
magnetic tapes to companies. We did meet with NIST officials to discuss 
their guidelines for media sanitization. We performed our investigation 
from March through August 2007 in accordance with the quality standards 
for investigations as set forth by the President's Council on Integrity 
and Efficiency.

In summary, we could not find any comprehensible data on the used 
magnetic tapes we tested. We obtained these tapes from the only company 
(of the five we investigated) that told us it resells tapes purchased 
from the federal government. Officials at this company told us that, 
before reselling used tapes, most of them are sanitized using a process 
known as degaussing. The degaussing process completely destroys any 
data on a tape, preventing data recovery. However, the company told us 
that its process for sanitizing tapes differs when reselling certain 
high-capacity-storage tape formats. These formats contain a feature 
called a servo track, which cannot be degaussed without rendering the 
tape unusable. Consequently, tapes with servo tracks must be sanitized 
using a less thorough process known as overwriting. The company also 
told us that it strips the labels from used tapes before sanitizing 
them and that it was therefore impossible to determine whether any used 
tape sold by the company had originated with the federal government. 
Keeping this in mind, we obtained, from the company, four magnetic 
tapes with servo tracks and eight without. It is important to emphasize 
that there was no way to know whether we had obtained tapes that 
originated with the government--our intent was to test whether the 
tapes containing servo tracks could contain data after overwriting. We 
could not find any comprehensible data on any of the tapes using 
standard commercially available equipment and data recovery techniques, 
specialized diagnostic equipment, custom programming, or forensic 
analysis.

Background:

The federal government has used magnetic tapes for data storage for 
over 50 years. Magnetic tapes are typically housed in cartridges or 
cassettes and accessed using a tape drive. Although current computer 
disk technology provides a viable storage medium for most applications, 
magnetic tape continues to provide the government with an inexpensive 
means of backing up mid- to large-sized mainframe systems in the event 
of a disaster or system failure. The evolution of magnetic tape has 
seen the creation of new tape formats, which has led to increased data 
storage capacity, speed, accessibility, and other innovations. See 
figure 1 for an example of different magnetic tape formats.

Figure 1: Examples of Standard Magnetic Tape Formats:

This is a photograph of various types of magnetic tape formats.

Since some companies still manufacture magnetic tapes, government 
agencies, businesses, and individuals can purchase new tapes that 
reflect the latest innovations in magnetic tape technology. Used tapes 
may also be purchased at a discount price from many of the same 
companies that sell new tapes. A substantial secondary market exists 
for used magnetic tapes in the United States. Before a company resells 
a used tape on the secondary market, the company typically processes 
the tape and certifies that it can be reused. There is no standard 
definition of a certified tape. However, to ensure that used tapes are 
free of data when they are resold, companies use two basic methods for 
sanitizing a magnetic tape--overwriting and degaussing. While 
overwriting involves layering randomized alphanumeric characters on top 
of the original information, degaussing destroys the original 
information entirely. Overwritten data may still be recoverable through 
forensic analysis. Alternatively, when a magnetic tape is degaussed, 
the carefully arrayed magnetic particles representing the data are 
scrambled. This renders the information on the tape completely 
unrecoverable.

There does not appear to be any general legal requirement for federal 
agencies to sanitize all data on all used magnetic tapes prior to 
selling them to the public. According to NIST, agencies have four 
options for sanitizing used magnetic tapes depending on the sensitivity 
of the information contained on them. These four options are disposal, 
overwriting (also called clearing), degaussing (also called purging), 
and physical destruction. Disposal is the process of simply throwing 
away a used magnetic tape without any special disposition given to it. 
According to NIST, some magnetic tapes can be simply thrown out if 
disclosure of the data would have no impact on organizational mission 
and would not damage organizational assets, result in financial loss, 
or result in harm to any individuals. If an agency determines a 
magnetic tape contains data that would meet any of these criteria and 
could potentially have a negative impact if disclosed, NIST guidelines 
recommend that tapes be degaussed or destroyed before leaving an 
agency's control. Tapes that are simply overwritten may contain data 
that are still recoverable using forensic analysis. The final form of 
sanitization, physical destruction, should be undertaken due to the 
high security categorization of the information or for environmental 
reasons, and could include disintegration, incineration, pulverizing, 
shredding, and melting.

Results of Investigation:

All five companies we investigated sell products to the government. 
However, only one company out of the five disclosed that it resells 
tapes purchased from the federal government. According to documents 
received from this company, they bought tapes from agencies including 
the National Oceanic and Atmospheric Administration, the Federal 
Reserve Bank, and the U.S. Air Force. They then resold the tapes on the 
secondary market. It was outside the scope of this investigation to 
determine what kind of sanitization process, if any, the tapes had 
undergone prior to leaving their agencies of origin--in other words, we 
do not know whether agencies followed NIST guidelines before selling 
their used tapes. According to officials at the company that buys tapes 
from the government, it sanitizes most tapes using the degaussing 
process before certifying and reselling them. However, its process for 
erasing tapes differs when processing tapes that contain servo tracks. 
These formats (e.g., LTO2 and 9840 tapes) cannot be degaussed without 
rendering the tape unusable; tapes with servo tracks must be sanitized 
using the less thorough overwriting process. Furthermore, company 
officials told us that they strip the labels from used tapes before 
sanitizing them and that it is therefore impossible to know whether any 
used tape purchased from the company had originated with the federal 
government.

To find out whether tapes sold by this company could contain 
recoverable data, we obtained and tested 12 used tapes from this 
company.[Footnote 2] It is important to emphasize that there was no way 
to know whether we had obtained tapes that originated with the 
government--our intent was to test whether the tapes containing servo 
tracks could contain data after overwriting. While four of these tapes--
two LTO2 and two 9840 tapes--contained servo tracks, the others did 
not. The first phase of our test was to use standard commercially 
available equipment to read the tapes. We could not find any data on 
the tapes using this method. Continuing with commercially available 
equipment, we then used several standard data recovery techniques and 
commands to attempt to access data on the tapes. After 2 days of work 
we could not find any data on the tapes using this method. The final 
phase of our test was to use specialized diagnostic equipment, custom 
programming, and forensic analysis. After 5 business days, we were able 
to recover small amounts of data (including information related to 
graphic files) from the four tapes containing servo tracks--LTO2 and 
9840 tapes. The data we recovered were incomprehensible and we could 
not confirm whether or not any of the tapes had originated from the 
federal government based on the data. We are aware that further work 
could have been performed to attempt to recover data from these tapes; 
however, this work would have represented a very expensive, intensive 
effort spanning months and, potentially, years.

Conclusion:

Based on the limited scope of work we performed, we conclude that the 
selling of used magnetic tapes by the government represents a low 
security risk, especially if government agencies comply with NIST 
guidelines in sanitizing their tapes. Even if some data were 
recoverable from some tape formats that had been overwritten to 
preserve their servo tracks, the data may not be complete or even 
decipherable. Generally this investigation does raise some questions 
about the lack of oversight regarding the sanitization or disposal of 
used magnetic tapes by agencies. However, the scope of our 
investigation was not large enough to project our conclusions beyond 
the tape formats we investigated.

This report will be available at no charge on our Web site at 
[hyperlink, http://www.gao.gov]. If you or your staff have any 
questions about this report, please contact me at (202) 512-7455 or 
kutzg@gao.gov. Contact points for our Offices of Public Affairs and 
Congressional Relations may be found on the last page of this report. 
GAO staff who made major contributions to this report include John 
Ryan, Assistant Director; Monica Perez Antatalio, Paul Desaulniers, 
Matthew Harris, Hal Lewis, Andrew McIntosh, Kevin Metcalfe, and Kristen 
Plungas.

Signed by:

Gregory D. Kutz:
Managing Director, Forensic Audits and Special Investigations:

Signed by: 

Keith Rhodes:
Chief Technologist:

(192240)

FOOTNOTES

[1] According to its Web site, NIST is a nonregulatory federal agency 
that promotes U.S. innovation and industrial competitiveness by 
advancing measurement science, standards, and technology in ways that 
enhance economic security and improve quality of life. For this report 
we referred to NIST, Guidelines for Media Sanitization, Special 
Publication 800-88 (Washington, D.C.: Sept. 2006). These guidelines do 
not apply to classified data.

[2] We obtained a total of 12 tapes--2 of each of the LTO2, 9840, 3480, 
3490E, 3590, and 3590E formats.

Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov: (202) 512-4400: 
U.S. Government Accountability Office: 441 G Street NW, Room 7125: 
Washington, DC 20548:

Public Affairs: 
Susan Becker, Acting Manager, BeckerS@gao.gov: (202) 512-4800: 
U.S. Government Accountability Office: 441 G Street NW, Room 7149: 
Washington, DC 20548: