A formal interpretation of the R2v3 standard aims to help certified facilities deal with smart devices that pose unique data sanitization challenges.
After hearing from refurbishers that some devices were difficult to sanitize, Sustainable Electronics Recycling International (SERI) made a formal interpretation request to the R2 Technical Advisory Committee (TAC) to clarify the meaning of “software” in the context of smart wearables and other data-storing devices.
In a discussion of the interpretation, SERI said a trend has begun “where commercial software designed to sanitize data cannot always access new devices for data sanitization because of their unique proprietary design.”
SERI noted that “the intent is not to destroy working devices if a credible method can be used to reliably sanitize the data to the manufacturer’s specifications with transparency and accountability.”
“Therefore, it is important to accept alternative data sanitization solutions which are proven to effectively remove data from the devices that will be resold,” the organization concluded.
Some devices the interpretation might apply to are smart speakers, smart TVs, smart watches, fitness trackers, TV sticks, desk phones, smart thermostats, IP-connected home security devices, and gaming consoles and printers with built-in memory chips (as opposed to hard drives).
Formal interpretation
The R2 Standard Consensus Body later approved the TAC’s R2v3 Formal Interpretation #1.0, which answers the question of whether the term “software” applies only to applications that automate the logical sanitization process and create a record of the sanitization. The interpretation became effective on Nov. 29.
The body determined that “software” refers to any applications that “automate, control and record results of data sanitization” and that software methods must be used as the primary method of sanitization.
However, it also noted that on some devices, “manufacturer-provided factory resets may be the only available option.”
If there is no fully automated application available, then the term can also refer to an application that is “directing, controlling and recording the manual workflow to sanitize the data.” That way, the process is recorded for audit purposes, and there is still accountability and transparency.
That reliable record of the data sanitization event needs to be “more than a spreadsheet which can be subject to alteration or falsification,” SERI noted.
“Historically we have seen spreadsheets of media that has been sanitized. Spreadsheets lend themselves to errors in transcribing information and copying and pasting records, which leads to a lack of accuracy and accountability for each media/device sanitized,” it stated.
One restriction on the interpretation is that it does not apply where sanitization software exists for a device but the device is damaged and therefore cannot be sanitized by that software. In that case, a factory reset is not accepted.