Sale of Magnetic Data Tapes Previously Used by the Government Presents a Low Security Risk
GAO-07-1233R: Published: Sep 21, 2007. Publicly Released: Sep 21, 2007.
The federal government widely uses magnetic tapes for data storage and data recovery. According to allegations made by a magnetic-tape company official, federal agencies are selling used magnetic tapes containing sensitive government data to companies which then resell them to the general public. While this is not an illegal practice, Congress is concerned that magnetic tapes containing sensitive government data have become available to the public in this manner. There is no general legal requirement that the government erase all data on all magnetic tapes before disposing of them. However, the National Institute of Standards and Technology (NIST) has issued guidelines that instruct agencies to properly sanitize magnetic tapes with certain kinds of sensitive data before they leave agency control. In its guidelines, NIST defines sanitization as the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
In summary, we could not find any comprehensible data on the used magnetic tapes we tested. We obtained these tapes from this company because it was the only one out of five companies that told us it resells tapes purchased from the federal government. Officials at this company told us that, before reselling used tapes, most of them are sanitized using a process known as degaussing. The degaussing process completely destroys any data on a tape, preventing data recovery. However, the company told us that its process for sanitizing tapes differs when reselling certain high-capacity-storage tape formats. These formats contain a feature called a servo track, which cannot be degaussed without rendering the tape unusable. Consequently, tapes with servo tracks must be sanitized using a less thorough process known as overwriting. The company also told us that it strips the labels from used tapes before sanitizing them and that it was therefore impossible to determine whether any used tape sold by the company had originated with the federal government. Keeping this in mind, we obtained, from the company, four magnetic tapes with servo tracks and eight without. It is important to emphasize that there was no way to know whether we had obtained tapes that originated with the government--our intent was to test whether the tapes containing servo tracks could contain data after overwriting. We could not find any comprehensible data on any of the tapes using standard commercially available equipment and data recovery techniques, specialized diagnostic equipment, custom programming, or forensic analysis. Based on the limited scope of work we performed, we conclude that the selling of used magnetic tapes by the government represents a low security risk, especially if government agencies comply with NIST guidelines in sanitizing their tapes. Even if some data were recoverable from some tape formats that had been overwritten to preserve their servo tracks, the data may not be complete or even decipherable. Generally this investigation does raise some questions about the lack of oversight regarding the sanitization or disposal of used magnetic tapes by agencies. However, the scope of our investigation was not large enough to project our conclusions beyond the tape formats we investigated.