If one of my users wiped his laptop I'd be a bit more than pissed. Post build there's often still quite a bit to do.

He's allowed to get rid of his data and that's it. That's how I see it.
posted by cjorgensen at 6:04 AM on July 2, 2010 [3 favorites]

I think it depends how large an IT dept is dealing with it. If it's the dept secretary who also happens to deal with the computers, then blanking it will be annoying as shit. If it's an IT department with full staff, they're just going to ghost it anyways (ie. put a standard setup on it from a disk). If he's worried about his data though, even if it may cause someone else a headache, I think it's his right to erase the disk.
posted by singerdj at 6:09 AM on July 2, 2010 [1 favorite]

In all the companies that I've worked for, laptops were re-imaged as soon as they were returned to the pool. Most IT people won't trust a computer that a user has had for any amount of time and will just wipe it and throw the approved organization image on there before they give it out to the next person.

On preview, what singerdj said.
posted by octothorpe at 6:10 AM on July 2, 2010

He should ask the computer techs what to do.
posted by Carol Anne at 6:11 AM on July 2, 2010

To me, it's more likely that they would do a clean reinstall. It's easier than making sure it contains exactly what they want the next user to have on it and that everything is in working order.
posted by Obscure Reference at 6:11 AM on July 2, 2010

That's weird, whenever I'm somewhere that doesn't wipe a computer between users I get irritated. Why wouldn't they format the drive and toss a pre-set image on it?
posted by soma lkzx at 6:11 AM on July 2, 2010

Yes, definitely depends on the size of your IT department. To wipe the drive and reinstall the OS fresh from an image is the "right" way to do things, though. Also, it's extremely unlikely anyone will be able to tell the difference between a normal reformat and a DBAN secure wipe.

The DBAN thing is what I do when returning my computers to Corporate IT and nobody cares, because they are not being reassigned internally anyway - they're being sold externally for scrap. This may also be the case in your company.
posted by BigLankyBastard at 6:13 AM on July 2, 2010

When that was my sort of job, we wiped every computer before giving it to the new person. It really is the only reasonable thing to do. That said, if one came back pre-wiped, I would be suspicious. Data removed was normal, but outright paranoid wiping was not.
posted by ydant at 6:16 AM on July 2, 2010 [2 favorites]

He should probably ask his IT group if he's cool to wipe it with DBAN. If they don't want him to, he can use Eraser to securely wipe just his data.
posted by The Michael The at 6:18 AM on July 2, 2010 [1 favorite]

DBAN it. They'll image it anyway.
posted by Jairus at 6:25 AM on July 2, 2010

I don't know about all universities, but in this department we wipe and reinstall all systems before deploying. If the system is being scrapped, we destroy the hard drive before sending the carcass out the door.

Assuming that the employee isn't leaving under suspicion, if a professor or staff member wiped the drive before returning it to us, I wouldn't think twice about it. If they've ever had FERPA data on the system, it's the right thing to do. It's what I do with my loaner systems before I return them.

Before wiping it, he should make sure that there's not data that might be needed by someone else and that isn't backed up. Losing necessary data is what creates problems, not reinstalling an OS and applications.
posted by donpardo at 6:26 AM on July 2, 2010

Unless it was a termination and I've been specifically asked to retain data, I've always wiped and imaged.
posted by Cat Pie Hurts at 6:36 AM on July 2, 2010

The right way, of wiping and re-imaging, before hand out is good if applied. However, if you work in a university where the IT group is less than stellar than you might want to do something like eraser. I speak as someone who received university equipment that was not wiped at all.

I am agreeing with Don Pardo. Professors and staff ALWAYS have confidential data regarding students including emails, SSNs, personal addresses, etc. If you have a good relationship with your desktop support, work it out with them so it is not a surprise and couch it in terms of helping them out by removing more thing from their to-do list.
posted by jadepearl at 6:37 AM on July 2, 2010

To "image" a drive is to copy a preset "image file" of hard disk contents onto the drive. For more info see Wikipedia's entry on disk cloning. Generally these are used in large enterprises (companies, universities) so they have a full system with the operating system and a standard set of applications already installed in one fell swoop. It's a lot faster when setting up a bunch of identically configured machines than running through the install process for each application.
posted by reptile at 6:54 AM on July 2, 2010

Can someone explain what "imaging" and "re-imaging" means? Thanks!


Think about what a computer looks like when you first get it: no personal data, just the operating system and programs installed. "Imaging" means recording a copy of the hard drive so that the hard drive can be restored to that point in the future. So rather than reinstall the operating system and all of the programs individually, the IT personnel can simply copy the image onto the hard drive. Voila: all of the programs are in place, but the machine now has no personal information on it, so it's ready for a new user.

Think of it as the difference between recreating a photo by setting up the exact scene over and over again versus just making another print from the negative. Not only is it faster, but it's more accurate and repeatable.
posted by jedicus at 6:56 AM on July 2, 2010

How likely is it that the computer techs would reinstall the OS anyway before handing the computer to someone else? Is that the norm in this situation?


They absolutely, positively should be doing this every time a PC changes hands. If they don't, there's some major slacking going on. In that case, DBAN'ing it is a handy way to force them to do what they should be doing anyway and doesn't cause any "extra" work. That said, I would mention or put a note on it saying that it's been DBAN'd so they don't spend time troubleshooting for a bad hard drive when the OS won't load (assuming they even notice -- we'd normally reimage without ever attempting to boot it).
posted by LowellLarson at 7:20 AM on July 2, 2010

In my 15 years in corporate IT departments, I never saw a computer redeployed without a full wipe and reimage first. DBANing a machine prior to that wouldn't add one second of added labor to that process.
posted by deadmessenger at 7:28 AM on July 2, 2010

He absolutely should wipe the hard drive clean.

(1) It doesn't matter if he's making more work for IT. Contrary to what cjorgensen says, they absolutely positively ought to be re-imaging any machines they're recycling for new users. It's the only way to be sure you aren't inadvertantly passing on a previous user's personal information or, worse, FERPA-protected information about previous students from a previous user. If he is making more work for IT, it is only because IT is severely failing their university.

(2) What IT suspects or doesn't suspect is immaterial if the drive is wiped. Maybe someone at IT thinks you might be a terrible pervert, with no evidence whatsoever to back that suspicion up. So what?

(3) University IT departments are substantially likely to have a student employee do lots of the boring grunt work like recycling machines to new users, and student employees are in my estimation not as likely to be trustworthy about your personal data as a full-time person who has a career to lose if they're caught fucking around with your data.
posted by ROU_Xenophobe at 7:29 AM on July 2, 2010 [1 favorite]

Seconding Eraser if their IT department is marginal and they don't provide crisp new imaged (stock OS with whatever applications they usuallly install, already installed) to employees.

Unless he is leaving on bad terms, or he doesn't know anyone in IT, I would ask them how they would like the computer returned in terms of his data.

Me I'd dban it as I just don't like leaving bread crumbs, but I could also see myself just using Eraser on C:\Documents and Settings\hislogin
posted by cavalier at 7:31 AM on July 2, 2010

Just a thought...if you do DBAN the machine and someone does get suspicious, it doesn't matter because there would be no data to be suspicious about.
posted by eatcake at 8:11 AM on July 2, 2010

My point to this is that it isn't the user's call.

And to the people that say it doesn't add one second of work have to be working at places that have one uniform build. This often isn't practical (or possible). What do you do with software that is individually licensed that requires a serial number to install? What about the one off pieces that are assigned to that one job?

What you as techs will do with the machine once it gets back is 100% irrelevant to what the user should do with the machine before he gives it over.

I could care less what the user does with his data (but it had best be his and not his employer's), but as soon as he starts messing with the PC itself I'm not going to be happy. There should be no expectation of privacy on University owned equipment. It should be used to produce what they are paying him to produce, and the PC should be turned in as it was assigned to him.

I've worked in both education and corporate and in neither place would wiping the machine be acceptable.

Malicious destruction of data could even be actionable. I'd damn well make sure I had every piece of data I'd been hired to produce onto a University server before I did this. If you deleted even one memo that they believe they have rights to....

Keep your furry forum visiting and online banking confined to your personal computers.

Asking first is the only way I find this proposal acceptable.
posted by cjorgensen at 8:16 AM on July 2, 2010 [5 favorites]

Every IT job I've had (and have) we simple re-image and depending on the user, redeploy specific apps via Altiris. When we get a laptop or PC back, we do not care what the previous user did to it. As long as it boots.
posted by KevinSkomsvold at 8:26 AM on July 2, 2010

If he's leaving their employment why spend too much time worrying about if this makes life marginally harder for a group he doesn't answer to?

I'm not saying that as an advocate of being a jerk. Wiping the machine is what they SHOULD be doing. If putting them in a position where they have no choice but to do what is best for your friend, the next person to get the machine, and the university as a whole... tough.

As a number of other pros have said above, this is the only right thing to do. However it's not uncommon for understaffed/undertalented overwhelmed departments to cut corners. A few years ago Georgetown University had a horrific data breach when an external drive went missing. The sensitive data wasn't what the current user had put on it, but what the person who'd had that drive before had put and left on it. Nobody has bothered to wipe the unit, either because they assumed the previous user was following proper practices (they weren't), the subsequent user would remove old data (didn't), or they just were in a hurry and figured if the drive was already working, why mess with it?

Your friend should wipe the unit before giving it back (after insuring that all his work product that they may need has been preserved somewhere).
posted by phearlez at 8:35 AM on July 2, 2010 [1 favorite]

My point to this is that it isn't the user's call.

It's reasonable for users to take whatever not-insane steps they deem necessary to ensure the integrity of their personal data, or the personal data of students.

This is doubly true when, as in at a university, it's the IT staff themselves, or at least their student employees, who are the main threat to that integrity.

And to the people that say it doesn't add one second of work have to be working at places that have one uniform build.

This is just ludicrous, sorry. It doesn't add one second of work if they have one uniform build... or... wait for the crazy idea... have more than one image stored for restoration.

In any case, whether it adds work or not doesn't matter. If I'm handing a machine back, I need to be certain that the student recycling my machine can't check other students' grades from my records, and so on, even if they're bored and decide to try to scan deleted data. The only way for me to be reasonably certain of this is to wipe the hard drive, so that's what's going to happen.

Malicious destruction of data could even be actionable.

Good luck with that.
posted by ROU_Xenophobe at 8:51 AM on July 2, 2010

At my university it would look shady as hell to turn in a completely wiped laptop and their supervisor would definitely find out. I don't really understand why deleting, defragging and ccleaner isn't enough? Why would any IT dude do some low level data snooping on some random user laptop?
posted by yeahyeahyeahwhoo at 9:03 AM on July 2, 2010

"What do you do with software that is individually licensed that requires a serial number to install?"

Sure, but if they're any kind of decent IT department, they should have this information already, via automated pc audits and/or having the software/serial number in hand. If your friend feels doubtful about your department's effectiveness, they could run an inventory themselves first (Belarc is an easy one), and make sure they save all local data that they've been working on, either by burning it to a CD or uploading it to the shared drive on the server.

Also, if you handed in a laptop to me that you'd wiped, it probably wouldn't add any additional time to my getting it redeployed - I'd just run DBAN again, since I wouldn't know how many passes you'd opted for, and proceed from there.
posted by HopperFan at 9:11 AM on July 2, 2010

Anecdatapoint: my school's IT department reimaged my laptop for me several times to help with malware issues and it was never a big deal, so I think you can probably nuke it and you'll be fine.
posted by Aizkolari at 9:14 AM on July 2, 2010

I think you're going to get conflicting opinions. Small shop guys who are horrified of such a thing because their license keys and not kept anywhere and they never bothered to build and image or never bought volume software. Medium/big shop guys who don't care because their installs are image based and have volume licensing for everything.

I doubt a university would care. I would perhaps talk to a tech if this was smaller company. Of course the tech would err on the side of doing the least amount of work possible and would not necessarily do the best job protecting your private information.

As far as the whole 'its not the users decision to make' argument. Well, if I get my identity stolen because of that laptop, I seriously doubt the university will pay me for my troubles. They'll just CYA and say that that info should not have been on the laptop. The best way to guarantee that is a wipe.
posted by damn dirty ape at 9:20 AM on July 2, 2010

"Small shop guys who are horrified of such a thing because their license keys and not kept anywhere and they never bothered to build and image or never bought volume software. Medium/big shop guys who don't care because their installs are image based and have volume licensing for everything."

Yeah, this is true.

Also, while I wish this was also true - "keep your....online banking confined to your personal computers," in every environment I've ever worked in (medical, corporate, education) people do this. If your friend wants to do the right thing by the IT staff, and also protect their personal data, they might consider the following.

Friend : Hey Boss, I read this article about Georgetown blah blah blah, and I'm concerned about personal info remaining on my laptop after it's redeployed. What procedure does our IT department follow for mitigating that risk?

Typical Boss : I don't really know.

Friend : Would you mind if I checked with them, and asked them to run me through the process?

Boss : Sure, go ahead.

Being upfront about it is probably always going to work out better in the end.
posted by HopperFan at 9:42 AM on July 2, 2010

I think it's pretty clear that the answer is "This will vary from place to place." I think this makes it resoundingly clear that the answer is "Ask first."

I also bounced this scenario off all the sysadmins I know, and resoundingly most could care less, but all would find it a bit shady. So if your friend wants to potentially piss off his IT people and be known as the guy who probably had something shady to hide, then by all means, nuke from orbit.

If he wants to do it the right way he should ask first. He wasn't hired to make IT decisions. Everything else is a smoke screen.
posted by cjorgensen at 10:00 AM on July 2, 2010

Why would any IT dude do some low level data snooping on some random user laptop?

I've seen plenty of university IT departments where an awful lot of the front-line work was done by bored hacker-seeming undergraduates.

So: for the lulz.

Being upfront about it is probably always going to work out better in the end.

No. Wiping it beforehand is the only way to be reasonably certain. They can tell you that their practices are whatever, but that doesn't mean they'll do them.
posted by ROU_Xenophobe at 10:03 AM on July 2, 2010

I think it's pretty clear that the answer is "This will vary from place to place." I think this makes it resoundingly clear that the answer is "Ask first."

No. You protect yourself by wiping the drive, so wipe it.

You further protect yourself by wiping it because you don't know what's going to happen to it. Maybe it will be sent to another user, probably after being reimaged. Maybe it will be sent to surplus, possibly with the drive as IT received it. Maybe it will be trashed, maybe with the drive as IT received it. In any event, the user cannot guarantee that IT will remove beyond reasonable recovery any personal data or student data.

The user can guarantee that trivially, however.

I also bounced this scenario off all the sysadmins I know, and resoundingly most could care less, but all would find it a bit shady.

What they find shady is irrelevant.

So if your friend wants to potentially piss off his IT people and be known as the guy who probably had something shady to hide, then by all means, nuke from orbit.

They're not going to be his IT people any more, and he won't be there to be known as anything.

The very fact that you're talking about him being known as someone who has something to hide, instead of simply rebuilding the machine with no comments to anyone, bespeaks a sloppiness with user privacy and a level of nosiness that means your friend really ought to wipe the drive.
posted by ROU_Xenophobe at 10:14 AM on July 2, 2010

cjorgensen: "My point to this is that it isn't the user's call... There should be no expectation of privacy on University owned equipment."

Isn't that latter sentiment precisely why he ought to wipe the drive?
posted by astrochimp at 11:30 AM on July 2, 2010

Furthermore, if I were getting a compter I knew had had several previous users without being wiped, the first thing I'd do is wipe it, presuming it didn't have any programs on it that I couldn't reinstall myself.

It's only prudent.
posted by astrochimp at 11:52 AM on July 2, 2010

"Being upfront about it is probably always going to work out better in the end.

No. Wiping it beforehand is the only way to be reasonably certain. They can tell you that their practices are whatever, but that doesn't mean they'll do them."

Maybe I wasn't clear enough - asking them to walk me though the process means exactly that. If they say that they run DBAN (or whatever) on all drives first, ask to sit with them as it starts to run. If a user asked me to do this, I wouldn't mind.

"The very fact that you're talking about him being known as someone who has something to hide, instead of simply rebuilding the machine with no comments to anyone, bespeaks a sloppiness with user privacy and a level of nosiness that means your friend really ought to wipe the drive."

No, it really doesn't. I rarely have people wipe their PCs or laptops before handing them over, and yes, I would find it odd if they did.

You're a pretty typical university end-user with the attitude that you're going to do whatever you damn well think is necessary, and that's fine - I was just advocating for a bit of common courtesy.
posted by HopperFan at 2:02 PM on July 2, 2010 [2 favorites]

There should be no expectation of privacy on University owned equipment.

I agree. The user totally shouldn't expect the University to respect the sensitivity of their data. That's just asking for trouble.

As long as University policies and practices don't take into account the legitimate reasons that someone can have private data on their work computers, and as long as IT departments can't be trusted to protect that data, then the user should have no expectations of privacy; they should take steps to protect that privacy themselves.

Your replies are an example of the problem. You continue to repeat that users should just keep private data off of their University-owned machines, overlooking the fact that for many, accessing private data is a necessary part of doing their jobs. Private data isn't all furry forums and Amazon.com orders. It's student emails, univeristy account names and passwords (not always purged immediately when someone leaves), grades, research results, and so on. If a person can't use their University-owned machine to do their University job, then there's a a problem.
posted by Kutsuwamushi at 3:55 PM on July 2, 2010

And if you have a University IT department that isn't empowered, trusted, and responsible enough to deal with private data according to guidelines there's something bigger going on.

That's the last I'm going to say on the issue. The questions are:

He's thinking of using DBAN to wipe it clean but is wondering if he'll be making more work for the computer techs (and raising their suspicions about what he was using it for) by forcing them to reinstall the OS. How likely is it that the computer techs would reinstall the OS anyway before handing the computer to someone else? Is that the norm in this situation?

The answers are: he may be making more work (especially if he doesn't tell people this is what he did and just does it). Yes, it will probably raise some suspicion, (even in places where no one would have a problem with the machine being wiped this is probably a rarity). It varies on how likely the techs will be wiping the PC. It is the norm to do so.

We can talk best practices and what should be allowed, but that wasn't the question.
posted by cjorgensen at 6:18 PM on July 2, 2010

Glad you got your answer then. Hope everything works out for him.
posted by cjorgensen at 6:49 AM on July 3, 2010

This thread is closed to new comments.