This story has been corrected.
It has long been acknowledged in the reuse world that some smart items, such as fitness trackers, are difficult to properly wipe personal data from. One organization is now taking steps to address the problem.
Sustainable Electronics Recycling International (SERI) put together a data expert working group to look at technological solutions. It also made a formal interpretation request to the R2 Technical Advisory Committee (TAC) to clarify language dealing with smart wearables and other devices in SERI’s R2v3 standard and the meaning of “software” as used in Appendix B.
Corey Dehmey, executive director of SERI, told E-Scrap News that since the work to create the R2v3 standard started in 2016, smart devices have exploded in popularity. Everything from watches to garage doors and fridges may store various amounts of personal data, and in many cases the manufacturer only offers a factory reset option to clear it.
However, a factory reset is not an acceptable level of sanitization under the R2v3 standard, Dehmey said, leading to “an interesting dilemma.” The R2v3 standard updated SERI’s previous certification standard, and all facilities wishing to remain certified have to update to R2v3 by June. 30, 2023.
“We’re just in the implementation process for all these facilities. They started implementing v3 and started to run into some bottlenecks,” he said.
Because SERI’s goal is a circular economy that promotes reuse first, the “intent is certainly not to destroy working devices,” Dehmey said, “but in order to reuse a device, you have to be able to ensure the data is gone.”
That’s where SERI’s working group and the R2 TAC come in. Dehmey said the function of the data experts group is to dive into what data is on newer smart devices and what can be done about it, including working with manufacturers to design better ways to sanitize the devices.
“We found devices where you can’t even remove your login credentials, so how do you repurpose a device? How do you give it even to your children, or someone else?” Dehmey said. “The data expert group is really going to dig into the technical aspect of this and see where we can go with it.”
Jeff Seibert, SERI’s chief provocateur, said the group is focused on finding the best methods that are practical and make sense.
The TAC, meanwhile, is looking at the language of the standard and “seeing if there’s ways we can make a workable solution that goes as far as we possibly can without destroying the device,” Dehmey said, but still upholds the high levels required to be a R2v3 certified facility.
For now, the goal is to find a way to sanitize devices “as far as the manufacturers have given us the tools to do so, with some robustness and credibility, so we have confidence” in devices going out for reuse, he added.
Seibert added that facilities are still R2v3 certified and are “finding their way through” how to handle such devices.
“It’s one of the things that these things don’t all mesh yet so there are parallel tracks,” he said, adding that those tracks will soon merge as facilities and SERI figure out how to best sanitize the devices in a way that meets the standard.
The technical group is an ongoing, long-term effort, Dehmey said, while the TAC is hoping to have made progress on the standard language in the next few months.
Dehmey added that the main bulk of items facilities receive are phones, laptops, hard drives and other items that have long had well-defined sanitization solutions.
“I think we’re on the right track. It’s just working through the bumps,” Dehmey said, and making sure that “at the end of the day, data is being protected and we’re maximizing reuse of the devices and enabling the circular economy.”
This story was corrected to accurately reflect the deadline for facilities to switch to the R2v3 standard.
More stories about data security
- In My Opinion: Limiting the risk of client non-compliance
- Ingram Micro lands 1Password distribution deal
- Blancco’s software flags possible data security loophole