E-wasteland: Private info at risk on discarded computers
by Bill Lambrecht - Post-Dispatch Washington Bureau Chief, St. Louis Post-Dispatch
16 December 2006 (Lagos, Nigeria) –
Computer files on these American high school students are private and revealing.
Some of the students have learning disabilities. Many scored low on tests. One suffered a brain injury as a child, and another ran with gangs, according to California school records that include names, birth dates and family details.
More computer files, these from an elementary school in Virginia, contain what a security expert called “the Holy Grail” for identity thieves seeking to score: teachers’ Social Security numbers, addresses and phone numbers.
All of this sensitive information was discovered in an unlikely place: on discarded computers for sale in Nigeria, a cyber-crime capital of the world.
Unbeknown to their former owners, tens of thousands of discarded U.S. computers get shipped to Nigeria and other developing nations each month. In an ongoing investigation into the fate of electronic waste, the Post-Dispatch bought several old American computers that had been exported to Nigeria. Computer experts in the United States later analyzed their contents.
They contained school records, private messages, photographs, financial information and other revealing materials discarded by people who were taken aback when later told of the newspaper’s findings.
“We were appalled,” said Polly McAllister, a reading teacher in Virginia’s Fairfax County. She was one of about 30 current or former teachers and staff members at Fairhill Elementary School whose Social Security numbers were listed on a hard drive for sale in a computer market in Lagos.
“When we heard about this, I said, ‘This can’t be.’ It’s a very scary thing,” said McAllister, 63. “I had never given a thought to anything like this happening. Who knew all this stuff was going to Nigeria?”
U.S. computers exported as trash often end up scattered across the landscape and leaking contaminants. The worsening problem of digital dumps was a main topic when representatives from 120 countries gathered in Kenya last month in hopes of curbing exploitative dumping.
But there’s more to worry about than polluting the planet: Unless computer owners, businesses and schools take steps to remove information from their hard drives to “wipe clean” the digitally encoded devices inside computers, information stored there can come back to haunt.
‘They try to find your relatives’
Computer dealers interviewed in Lagos said that every month, they receive 500 or so shipping containers loaded with thousands of old monitors, computers, televisions and other electronic gear. Some of it is working and has value, but most is quickly junked or stripped for parts.
Then there are the hard drives that Americans have not bothered to wipe clean, potential treasure-troves of data that circulate in the Nigerian underworld.
In Nigerian computer markets — ramshackle buildings resembling flea markets in rural America — dealers keep an eye out for nonerased hard drives, testing them on computers powered by portable generators. Those bulging with information can bring $50 or more, roughly the price of a new, inexpensive drive.
You never know what you’re going to find there. A year ago, the Basel Action Network, a nonprofit group based in Seattle, recorded asset tags of discarded computers, printers and other equipment from the Illinois Department of Transportation, the Illinois Department of Public Aid, the Illinois Department of Employment and the Illinois State Police.
A young Nigerian computer expert who frequents the markets described what happens: “They look especially for your transactions and money records. They try to find names of your relatives, friends and your relationships to help them with their fraud.”
Many Africans know what’s going on, even if Americans don’t. Oladele Osibanjo is the regional coordinator for the Basel Convention, a 14-year-old global treaty aimed at preventing shipments of hazardous wastes to countries ill-equipped to handle them.
Speaking in his office at the University of Ibadan in Nigeria, Osibanjo called American exports a “vicious circle.”
“The e-waste you are exporting is coming back to you in the form of cyber-crime,” he said. “Maybe when Americans realize what is happening, they will be a little more careful.”
Secrets for sale
In a computer file marked “personal,” a girl from California recalls a traumatic evening in which she blundered in front of her high school audience and broke down in tears. It was one of many potentially embarrassing notes, memos and e-mails found on the hard drives the newspaper purchased.
“I felt like I wanted to die,” she wrote. “I knew at that moment that I would be the object of ridicule of the entire school for the rest of my life.”
The girl, a college-age young woman now, refused to talk about her diary entry when tracked down using information from her hard drive.
Another hard drive for sale in a computer market in Lagos once belonged to Lori Schnack, a district speech pathologist for the Anaheim Union High School District in California.
It contained evaluations of high school students that detailed their test scores and problems — including autism and stuttering — along with classroom recommendations.
Schnack died last year, but her husband, Ted, an engineer, said the school district had done “a lousy job” of protecting data. His way of destroying his families’ old hard drives — shooting them with a rifle — is effective, although it isn’t advisable.
Anaheim schools, with 35,000 students at 22 sites, get rid of hundreds of computers each year. Until recently, that meant turning them over to the Liquidation Company, an auction house in Fontana, Calif., without bothering to remove data.
Liquidation Company officials did not return a reporter’s phone messages, but they told a district representative recently that they knew some of the computers they auctioned ended up in Nigeria.
The company won’t be handling any more of the Anaheim schools’ computers: After inquiries by the Post-Dispatch, Anaheim schools decided to seek another outlet.
“We don’t want anything like this to happen again,” said Terry Harper, purchasing agent for the district.
School officials also began using software that erases hard drives before they are discarded, and may hire a recycling company that would shred old hard drives.
“We regret that sensitive information of this nature ended up in the public domain, and we’re going to take steps to make sure that it doesn’t happen again,” said district spokeswoman Pat Karlak.
‘Not something we can … undo’
Fairfax County, a Washington suburb, is one of the nation’s wealthiest communities with an average household income of nearly $95,000. With 164,000 students, Fairfax also claims the 14th-largest school district in the nation — and boasts of having 94,000 computers.
But for years, the district did nothing to secure its computer information.
In addition to the teachers’ Social Security numbers, the hard drive purchased by the Post-Dispatch contained hundreds of internal school district documents from the mid-to-late 1990s. They included files detailing disciplinary problems, such as the case of a boy who attacked a teacher, stabbed another
student and pulled fire alarms on eight occasions.
Maribeth Luftglass, an assistant superintendent for the Fairfax Schools, said the problems took place before she took charge of the district’s computer systems in 2000. After she arrived, she said, she ordered computers wiped clean before they were discarded or even moved between schools.
“In the 1990s, cyber-crime was not a real hot topic,” she said. “This is unfortunate, but not something we can go back in history and undo.”
Changes were made, but teachers are troubled nonetheless. They worry about who may already have seen their evaluations and other personal data as well as sensitive information about students over the years.
Identity thieves at work
While privacy concerns hit home to the teachers, experts say the information on the old drives poses a practical danger as well.
Identity thieves sometimes dig deeply into computers for valuable information, and some even deploy the same high-tech software used by forensic experts. But all they would have needed to do with the old hard drive from Fairfax County is plug it into any personal computer and look under a file marked “SS#.Doc.”
There they would have been able to harvest Social Security numbers — akin to gold for computer criminals — of Polly McAllister and the others.
“That’s everything they need to apply for credit cards or anything else, and there’s little that could be done to stop them,” said Jay Foley, founder of the Identity Theft Resource Center, a nonprofit group based in San Diego.
Personal details other than Social Security numbers and financial records are also prized by identity thieves, said Todd Stefan, a security specialist at Setec Investigations, based in Los Angeles, one of two companies that analyzed hard drives for the Post-Dispatch.
“If I have one bit of your information, I can masquerade as someone who knows more,” he said. “And the next thing you know, I’m in your bank records.”
In recent months, Americans’ vulnerabilities in the computer age have been exposed by stolen laptops, eBay-traded hard drives, bungled digital record-keeping and other data breaches that exposed tens of thousands of people to identity theft.
But the discovery of hard drives in Nigeria shows the potential for more widespread threats.
Nigeria is known worldwide for computer fraud. Many of the e-mails people receive seeking business partners for recovery of mysterious fortunes — known by authorities as advance-fee fraud schemes — originate in Nigeria.
Over the years, Nigeria has perfected various “419 scams,” named for the portion of the Nigerian criminal code outlawing such fraud.
Ron Williams, who runs a security firm in California, is an ex-Secret Service agent who worked on a government task force investigating Nigerian computer fraud. He described West African con artists as “masters of perpetrating identity theft and fraud. Everybody doing this has learned from them.”
“They were the forerunners of identity theft. They perfected it and they are still engaged in it to a huge degree,” said Williams, who sits on one of the two dozen electronic-crimes task forces around the country established by the U.S. Secret Service.
‘How would I know?’
Secret Service spokesman Eric Zahren said Operation Rolling Stone, his agency’s ongoing computer-fraud investigation, had helped snare 35 people around the world this year.
“I think people should be concerned,” he said, when told of the Post-Dispatch findings.
Dan Fuller is founder and president of EPC Inc., an electronics recycling company in St. Charles. Fuller said brokers billing themselves as recyclers routinely acquire truckloads of computers “and then turn around and put them in export containers.” He is opposed to exports, both on moral grounds and because international dumping impedes the growth of a computer recycling industry in the United States.
Fuller said that until recently, his company rarely received calls or e-mails concerning used hard drives. “Now, all of a sudden, we’re getting tons of inquires about buying them,” he said. “The economics don’t make sense unless you’re trying to retrieve something off of them.”
Identity theft is common; last year the Federal Trade Commission reported 3,920 complaints from Missouri (ranked 19th per capita) and 11,137 from Illinois (ranked 10th). But seldom do people track down how their private information was obtained, said Beth Givens, an identity theft expert who heads the nonprofit Privacy Rights Clearing House in San Diego.
“How would I know that when I tossed out my computer with its hard drive a year ago that it would go to Nigeria, and someone there would be smart enough to use the information to open up a credit card in my name?” she asked. “Or that somebody stole my identity after I donated my computer and it was sold for $5? How could I possibly connect the dots?”
FAIR USE NOTICE. This document contains copyrighted material whose use has not been specifically authorized by the copyright owner. The Basel Action Network is making this article available in our efforts to advance understanding of ecological sustainability and environmental justice issues. We believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the US Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.