Advances in solid state memory read/write speed and lower manufacturing costs are making Solid State Drives attractive options in new computers. Not to mention that your smartphone, tablet, and USB flash drives all use this technology.

One problem - 

Flash memory cannot actually be erased

A study by researchers at University of California San Diego revealed that between 4% to 75% of a files contents remain completely intact when an attempt is made to erase flash memory. USB flash drives fared worse, were researchers could recover between 0.57% to 84.9% percent of file contents remaining on a USB flash drive after an overwrite attempt was made.

Testing 12 Solid State Drives, UCSD researchers found that none of the available software techniques for erasing individual files proved effective. Erasing entire SSDs with native sanitize commands was most effective, but only when performed correctly. The software techniques were found to work most, but not all of the time. Of the twelve solid state drives they tested using the native "Erase Unit" command, only four were actually erased. One SSD had reported itself to be sanitized, yet the data was recoverable by the researchers.

Additionally, the methods used by the researchers to determine if the data has been truly wiped from flash memory is not available to the average consumer. Without a way for consumers to verify data has actually been completely removed from flash memory, there is no way to know if so called "data sanitation" is truly effective.

The key issues stem from the way that flash memory differs vs a conventional magnetic hard drive. Flash memory works by pushing electrons from one side to another of a barrier. This change of position is monitored and registered as either a 1 or 0, the binary code that is the basis of all modern computing.

Problem is, this pushing of electrons back and forth, causes the material to fatigue rapidly. To combat this, solid state memory manufactures use a method called "Wear Leveling". This moves data around so read/write is not constantly occurring in the same physical spot on the memory.

Wear Leveling creates a security issue

Flash memory doesn't actually erase data at the time new data is written, it just marks it for deletion. Then comes Wear Leveling, duplicating chunks of data and moving it around between the time it's first written and then overwritten. Data marked for deletion is duplicated and moved by wear leveling and the so called "garbage collection" algorithm that was supposed to go back later and erase data marked for deletion, knows nothing about the data that was duplicated by wear leveling.

Since mobile smartphones, tablets and computers with solid state memory are purchased, sold and discarded at an ever increasing rate, it's important going forward that you are aware that your personal information and data cannot simply be permanently "sanitized" from these devices and could be recovered at a later time by someone who should not have it.

One workaround that researchers suggest for manufacturers to employ is called "Crypto-Erasure". But this method requires that the data is encrypted at the time it's first written. The idea is to encrypt all data on the device, so even if it can be recovered later, it will be useless to anyone who does not have the encryption key to access it. For the majority of devices, this is not the case and unsecured data has already been written to flash memory. This means any data already written to the device cannot necessarily ever be made secure.

Why not just use degaussing to erase flash memory?

Degaussing is a method used to render conventional magnetic media unreadable by exposing it to a very powerful magnetic field. For magnetic media, it is very effective, but flash memory is not affected by magnetic fields. In their research document, the method was evaluated and found to be completely ineffective on flash memory.

So what's the answer? How do you protect yourself?

Anyone with a Windows desktop or laptop can use TruCrypt or PGPDisk to protect their data on an SSD or USB flash drive. Mac users can take advantage of the built in FileVault function found in the Security & Privacy settings. Using these methods, the data will be useless without the encryption key, leaving the device or storage media to be erased and securely re-written to again.

For smartphones and tablets, end user privacy and security is largely in the hands of the manufacturer. While some data could be encrypted before storing on the device, native applications on the phone like note pad, address book, etc would not necessarily encrypt the data and protect your privacy when the device is end of life, and no longer in your possession.

Thankfully there are highly affordable, secure solutions such as LastPass and 1Password that can store your passwords, notes, credit card and other personal information securely so they cannot be accessed without a secure master password.

Hopefully these issues will come to the forefront of mainstream media, forcing all manufactures to provide verifiable encryption on all devices that use flash memory, which for now will increasingly be the storage media of choice until the day when data storage using nanostructures, in so called "Superman Memory Crystals" makes the leap from laboratory to commercially viable and affordable.

With all the news over the NSA's intrusion into privacy, the latest poll shows that 50% of users don't care. Where do you stand on the subject?

Do you care if your personal data can be retrieved after you no longer own a device or storage disk?

Please leave me a comment or send me a Tweet @dougkrug

Image courtesy of thanunkorn/Freedigitalphotos.net