Security Shredding and Storage - a shredding industry publication

Four to Watch

By Ellen Ryan
These trends in information technology are changing processors’ access to the supply of electronics and their ability to return functioning devices to the marketplace.

From the birth of the integrated-circuit microprocessor in the late 1970s to Google Glass, which puts smartphone tools on the frame of your eyeglasses, electronic technology is changing faster and faster—and those who refurbish or recycle it have had to change, too.

For much of the last decade, a popular business model for electronics processors has consisted of selecting the most valuable electronic products, erasing their data, repairing and refurbishing them, and reselling them whole or in parts, leaving items that are older, obsolete, or beyond repair to be separated or shredded for their scrap commodity value. Some processors say up to 50 percent of their revenue comes from resale. But several trends in the purchase and use of electronics are making refurbishment and resale more difficult or more expensive, if not impossible. “If your business is only reselling equipment into the secondary market, it’s not going to last,” predicts David Daoud, managing director of Compliance Standards (Boston), a firm that provides advice and research on information technology asset disposition.

At least four trends seem to have the potential to disrupt the viability of an electronics recycling business based on refurbishment and resale. Two are changes in how businesses purchase, use, and dispose of technology; the other two are changes in the electronic devices themselves.

Trend 1: Bring-your-own-device policies

The first few decades of business IT were one-size-fits-all: Unless your job required specialized tools, you received the computer or mobile phone the company provided to everybody. For the company, such policies simplified purchasing, repair, and replacement. These policies were a boon to refurbishers, too, because they could count on receiving dozens, hundreds, or thousands of identical devices, typically only a few years old and most in good repair.

These days, some companies are switching to “bring-your-own-device” policies for laptop computers, cell phones, and tablets. Employees enjoy the BYOD trend, industry experts say. They can purchase exactly what they need or want. And companies like it, Daoud says, because it can be cheaper to implement—the company and the employee often split the cost of the device. Today’s software and mobile applications can work seamlessly across operating systems and devices, allowing the IT department to be platform-agnostic.

Refurbishers are less enthusiastic about BYOD, however. A business client that implements it might no longer be regularly turning over, say, 800 identical laptop computers or 500 BlackBerrys. That means less predictability, not to mention the loss of a single decisionmaker on asset disposition. Instead, employees replace their own devices when the device is lost, damaged, or no longer meets their needs.

When these employee-selected devices are retired, they are likely to be older. Consumers tend to hold onto their stuff a lot longer than businesses do, says Walter Alcorn, vice president for environmental affairs and industry sustainability at the Consumer Electronics Association (Arlington, Va.). And when they stop using certain electronics, he says, they don’t necessarily recycle or resell them. They might just put them in a drawer. The result is that devices remain off the resale market longer, which lowers their value. Even if employees recycle their devices, they might not do so through the firm that has an IT asset disposition contract with their employer.

With fewer devices coming from business contracts, refurbishers will be left with those from consumer collection. The result is higher costs and lower profits, says Kyle Wiens, founder and CEO of iFixit (San Luis Obispo, Calif.), which provides repair guides and sells tools and parts for repairing consumer electronics. “When you have 100 different tablets or phones on site, you need smarter repair techs who are more flexible and a lot more service parts on hand,” he says. “BYOD will create inefficiency in the market, with the result that more [devices] will be shredded rather than resold.”

Is BYOD going to catch on and last? Sarah Cade, president of PC Rebuilders & Recyclers (Chicago), doesn’t think so. Corporations’ IT departments may not want to deal with dozens of makes and models to repair, she says. “There are problems of reliability, ensuring that the software’s all the same, repairs, data security, and more. Business-grade equipment is more durable. BYOD may be more trouble than it’s worth.”

And then there are legal questions: “Who owns the data?” asks Daoud, about devices containing corporate data but purchased partially or entirely by the employee. “The enterprise owns the business, but the worker owns the device.” Jim Levine, CEO of Regency Technologies (Twinsburg, Ohio), which does IT asset management, recycling, and sales, says he decided against BYOD for his company’s 450 employees for legal liability reasons. Further, “from a corporate standpoint, tech support is better if everything is the same and on the same carrier. I would guess we’re not the only company coming to that conclusion,” Levine says. “For those reasons, BYOD doesn’t show up high on my radar as a concern in bigger businesses.”

That assessment matches the experience to date of HiTech Assets (Oklahoma City), which provides IT asset disposition services. “Our top-five clients—leading American companies, Fortune 100 firms—have all done refreshes” of their equipment recently, says Lane Epperson, president and co-founder. “For example, energy companies we serve are buying a lot of smartphones and tablets,” he says.

These sources suggest the trend might be taking hold primarily in smaller firms, which can be more flexible. But Daoud thinks the move toward BYOD will continue, and he warns that “refurbishers aren’t ready; they aren’t grasping the speed at which this is happening.”

Trend 2: Cloud-based computing

Until recently, most networked offices have had a corner, room, or closet with racks of computers and wires—the network server. Some are now moving their networks to “the cloud”—to a remote network hosting service across town or a continent away on a massive server farm. This is a long-term trend, so it won’t be felt tomorrow or even next year, Alcorn notes. If cloud-based networks become the norm, however, does this mean another type of equipment is out of reach of electronics refurbishers? Perhaps, but many are seeing this cloud’s silver lining.

First, the server farms could be valuable customers. The cloud consists of large, consolidated data centers, says Mike Watson, strategic account director at Electronic Recyclers International (Fresno, Calif.). “As the cloud gets bigger, data centers get bigger. Refurbishers and recyclers have to step up and find this data-center equipment. There’s more and more of it, even though it’s concentrated.”

Second, Cade believes the cloud-based network trend means “a larger marketplace for refurbished computers.” Why? “People aren’t overbuying anymore,” she explains. “There’s more opportunity to use equipment that in the past would have been deemed to have insufficient specifications. Now that storage is in the cloud, those devices are more than suitable. Install a new operating system, upgrade some components, and reuse it. Reuse is the highest form of recycling.” Daoud agrees this is a possibility. “The secondhand [electronics] industry has been used to selling according to the capability of the device,” he notes. “As needs drop, people won’t need to spend so much on a complex device.”

Third, electronics processors can look at this as an opportunity to change their business model to one that’s service-based instead of product-based, Levine says. In the past, he explains, electronics processors often provided services such as IT asset tracking, data destruction, and logistics to companies free in return for receiving their retired equipment. Companies still need those services, he points out, even when they have less equipment to retire. “So some firms are charging a service fee, and I expect that trend to increase in the future.”

One concern that might slow the cloud-computing trend, Alcorn says, is data security. “Edward Snowden’s revelations caused a lot of people to question the use of anonymous data sources and storage,” he says. “This might be a counterweight to the overall trend, [and] not just in the U.S. market.” Companies moving toward cloud-based systems “might consider, ‘Are we confident that our data will be protected?’”

Trend 3: Solid-state drives

Notice how small and light tablets and laptops have gotten? One reason is that they no longer have a hard disk for data storage. Instead, they have a solid-state drive, also called flash memory. This storage medium offers advantages over the spinning hard disk in addition to size and weight: It can access items in memory faster, and it’s almost impervious to damage. But devices with SSD memory can be a challenge for refurbishers.

The primary concern is data erasure. Some techniques used to verifiably erase magnetic storage media such as computer hard disks don’t work for SSD. A report published in 2011 by researchers from the University of California, San Diego, found that SSD manufacturers’ built-in sanitization commands were only completely successful in four out of their 12 tests. Even then, there was no way to verify erasure had taken place. The National Association for Information Destruction (Phoenix) plans to conduct similar research, says CEO Bob Johnson.

SSD technology is evolving quickly, however, as are the technologies and processes for data erasure. NAID believes it is possible to fully erase, or sanitize, SSD devices and validate that erasure has taken place, Johnson says. But it might not be as simple as erasing a hard disk. Previous efforts that attempted to remove data from cell phones but leave the operating system intact were “inherently risky,” he says, because the devices were not designed to allow targeted data removal. Also, SSD devices that are fully populated with data behave differently when being sanitized than devices with only partially full memory. “It’s much more difficult to [determine] whether or not your system did erase everything, or did it simply move [the data] elsewhere on the drive?” Johnson says. But forensic techniques can determine to what extent data remains on SSD-containing devices, he says. NAID is in the process of beta-testing an add-on to its certification for data sanitization that would specify a company is certified to sanitize SSD devices, he adds.
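The question Johnson raises, whether the drive erased the data or only moved it, can be seen in a toy model. This Python sketch is an added illustration, not code from the article, NAID, or any vendor; the `ToySSD` class, its sizes, and its garbage-collection policy are assumptions, and the sample data is constructed. It shows a host-side overwrite that verifies clean while stale copies remain in physical pages the host cannot address.

```python
# Toy flash-translation-layer (FTL) model, constructed for illustration only.
# Real controllers add wear levelling, compression, encryption and vendor quirks.

SECRET = b"CUSTOMER-RECORD-"   # constructed marker standing in for sensitive data
ZERO = b"\x00" * 16            # overwrite pattern written by the host


class ToySSD:
    def __init__(self, logical_blocks, spare_pages):
        self.logical_blocks = logical_blocks
        # Physical flash = advertised capacity + spare area the host cannot address.
        self.pages = [None] * (logical_blocks + spare_pages)
        self.l2p = {}                               # logical block -> physical page
        self.free = list(range(len(self.pages)))    # erased pages ready for writing

    def write(self, lba, data):
        if not 0 <= lba < self.logical_blocks:
            raise IndexError("LBA out of range")
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        self.pages[page] = data
        # Only the mapping changes; the previously mapped page keeps its content.
        self.l2p[lba] = page

    def read(self, lba):
        page = self.l2p.get(lba)
        return None if page is None else self.pages[page]

    def _garbage_collect(self):
        # Stale pages are physically erased only when the controller needs space.
        live = set(self.l2p.values())
        for i in range(len(self.pages)):
            if i not in live:
                self.pages[i] = None
                self.free.append(i)
        if not self.free:
            raise RuntimeError("no spare pages to reclaim")

    def erase_all_pages(self):
        """Models a correctly implemented device-level sanitize (an assumption)."""
        self.pages = [None] * len(self.pages)
        self.l2p.clear()
        self.free = list(range(len(self.pages)))


def fill_with_secrets(ssd, used_blocks):
    for lba in range(used_blocks):
        ssd.write(lba, SECRET + bytes([lba]))


def host_overwrite(ssd, passes=1):
    for _ in range(passes):
        for lba in range(ssd.logical_blocks):
            ssd.write(lba, ZERO)


def host_verify(ssd):
    """Host-side check: every addressable block reads back as zeros."""
    return all(ssd.read(lba) == ZERO for lba in range(ssd.logical_blocks))


def forensic_remnants(ssd):
    """Chip-level check: physical pages that still hold the secret marker."""
    return sum(1 for p in ssd.pages if p is not None and p.startswith(SECRET))


def run(used_blocks, passes, spare_pages=4):
    ssd = ToySSD(logical_blocks=8, spare_pages=spare_pages)
    fill_with_secrets(ssd, used_blocks)
    host_overwrite(ssd, passes)
    return host_verify(ssd), forensic_remnants(ssd)
```

`run(used_blocks, passes)` returns the host-side verification result and the count of physical pages still holding the marker; in this toy the second value changes with fill level, pass count, and spare-area size, none of which the host-side check can observe.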

Businesses concerned about data security might still insist their electronics processor destroy SSD-containing devices rather than refurbish and resell them—with the processor losing anywhere from half to 90 percent of their value in the process. “You’re always going to find someone who says you can’t be totally sure,” Levine says. Regency uses a three-pass overwrite method, which it can verify to ensure the data have been erased, says Julius Hess, Regency vice president. That meets the standards of the U.S. Department of Defense (Washington, D.C.) and the National Institute of Standards and Technology (Gaithersburg, Md.) as well as those of R2/RIOS™ certification, Hess and Levine say. “However, should a company still have concerns with regard to that method of data erasure, mechanical destruction—shredding—is always an option,” Levine adds.

Certification can reassure customers that your processes are routinely evaluated on whether they meet current standards for data destruction. Both the R2 standard and the e-Stewards® standard for certification specify data destruction techniques must meet the requirements of NIST’s Special Publication 800-88, Guidelines for Media Sanitization, and/or the requirements of local, state, and national laws. R2 also specifies that a company that holds NAID’s Certification for Sanitization Operations meets that requirement.

It’s hard to come up with meaningful instructions to the public on data cleaning because there are so many types and ages of devices and so many ways to do it, says Alcorn of the CEA. On laptops and desktop computers, “there may also be aftermarket accessorizing that you didn’t account for, such as external hard drives and communications accessories.” Still, Wiens urges recyclers and refurbishers to educate customers that device destruction is not the only way to ensure data destruction and to demonstrate “the environmental benefits of not shredding everything… . That’s an environmental disaster.”

ERI’s Watson also urges electronics processors to participate in discussions of design for recycling and to engage and educate SSD manufacturers on the difficulties of data destruction.

Trend 4: Kill switches

Mobile device kill switches, also called activation locks, are the hottest topic among electronics refurbishers and resellers. A kill switch remotely erases a phone or tablet’s data and disables the device. The goal of such technology is to deter mobile device theft by making the item as useless as a brick—in fact, the process also is called “bricking.” With one of three robberies nationwide—and 40 to 50 percent of robberies in major cities—involving theft of a cell phone, according to the Federal Communications Commission (Washington, D.C.), this technology is gaining wide support.

In June, Apple (Cupertino, Calif.), Samsung (Ridgefield Park, N.J.), Google (Mountain View, Calif.), and Microsoft (Redmond, Wash.) announced they have agreed to add kill switches to their mobile device operating systems. Since Apple added a kill switch to iOS last fall, iPhone robberies have plummeted 38 percent in San Francisco and 24 percent in London, according to a report from New York State Attorney General Eric Schneiderman. He has been pushing an initiative called Secure Our Smartphones, which urges manufacturers to implement kill-switch technology.

Once Google and Microsoft fully implement this technology, some 97 percent of new smartphones available in the United States will have the feature, according to news reports. Even so, law enforcement groups and politicians are working to pass laws that require kill-switch technology on mobile devices. Lawmakers in six states have introduced 11 bills on this subject from January to July of this year, according to ISRI Legislative Analyst Justin Short.

Minnesota is the only state to have passed a kill-switch bill to date. It requires all smartphones manufactured on or after July 1, 2015, and sold or purchased in Minnesota to come with a preloaded antitheft function or be capable of downloading such, at no cost to the purchaser. The law also places additional requirements on resellers. As of July 1, 2014, businesses in Minnesota that buy used wireless devices for resale must keep records of the transactions for three years, hold material for 30 days if requested to do so by law enforcement officials, and pay sellers only by mailed check or electronic transfer.

Electronics refurbishers and resellers acknowledge cell phone theft is a concern, but they point out that as it exists currently, kill-switch technology also makes legitimate resale and reuse of these devices extremely difficult. Here’s why: Only someone with the original owner’s username and password can activate—or deactivate—the kill switch. When someone sells, trades in, or gives away a used mobile device, that information does not go with it. If that original owner activates the kill switch, there is no way for the new owner to make the device usable. The result, Levine says, is “a company like [ours] that follows the law—[and] we get thousands of phones monthly—will have no choice but to destroy them or potentially use them for parts at a greatly reduced value.”

The phone manufacturers—Apple, Samsung, and the like—control the kill-switch technology on their phones. They might be able to restore the phone or tablet’s functionality and data if a lost or stolen phone is recovered and returned to its owner. Or they can clear the phone and reinstall the operating system to make bricked devices usable again to resell them. But because they’re the only ones who can do so, this also gives them the power to keep such devices off the market altogether, forcing people to buy new.

The movement toward kill switches and kill-switch laws was a matter of good intentions gone awry, says iFixit’s Wiens—to the detriment of the environment and to refurbishers, many of whom now have piles of useless devices they are stockpiling in hopes of a resolution. Original equipment manufacturers “should name authorized resellers” who can erase the phones’ data, restore the operating system, and keep reusable devices in the marketplace, Cade says, “in order to be able to reuse as much of this equipment as possible.”

“Recyclers need to be noisy about this,” Wiens adds. “They are not understood or respected or factored into decisions” about kill switches.

Electronics processors are tackling this problem in several ways. One approach is to work to ensure that device owners only activate the kill switch when the device is truly lost or stolen—not when they sell it, trade it in, or give it away. This means educating consumers and the companies that purchase or accept used mobile devices that enabling the kill switch is not the only way to wipe all data. “The trade-in program can disable the software for them right there at the counter,” says Eric Harris, ISRI’s director of government and international affairs.

Even if that message does get through, however, it doesn’t help processors that handle devices returned via mail, drop-off bins, collection events, and the like. CTIA, the wireless association (Washington, D.C.), advises those recycling or donating a phone to “use data eraser apps AND reset the wireless device to default factory settings.” But speed-loving Americans are hitting the kill switch anyway, turning their phones into bricks. Harris estimates that about 3 to 5 percent of recoverable devices are affected, and the proportion is growing.

Another approach that has the support of refurbishers and mobile communications service providers is a stolen device database. Each mobile phone or tablet has a unique international mobile equipment identity, or IMEI, number. The processor who receives a bricked device could check the database to find out if someone reported it lost or stolen. If it’s not in the database, they would have the ability to reactivate a bricked device and resell it. This could actually reduce the stolen-phone problem by recovering phones or possibly yielding clues that nab thieves, Levine says. And by bringing these phones back into the reuse market, it could make them affordable for more people, allow refurbishers to make a living, and keep perfectly good products in circulation and out of landfills.

Late last fall, CTIA seemed to take a step in this direction when it announced a highly anticipated global smartphone database and a multicarrier plan to remotely disable phones reported stolen by blocking their IMEI number. “Refurbishers would be able to check the IMEI numbers via [the global wireless association] GSMA so that they can ensure that the phones in their possession are legitimate. And then they could erase the data on the phone and resell it to consumers,” according to a CTIA spokesperson. ISRI’s Harris calls the database “a step in the right direction,” but he has questions about how the system will work: Will there be a fee for gaining access? Will any refurbisher be able to access the database? Will there be limitations on that access? All parties have an interest in protecting the data connecting owners to their phones, he says, thus recyclers might be required to ensure they have certain data-security safeguards in place before they access the database.

The bottom line, Harris says, is that recyclers need a way to reactivate legally acquired bricked devices. Otherwise, the electronics processor is at an unfair competitive disadvantage to the manufacturer. “It’s a property issue,” Harris says. When the phone is not stolen, “we should have access to disengage that [kill-switch] function and return this phone to its original use in the marketplace.” The ISRI board of directors adopted a policy statement to that end at its July 23 meeting in Minneapolis, stating the association’s support for “voluntary and legislative efforts that provide device owners, including recyclers and refurbishers, convenient and reasonable access to procedures and technology from telecommunication carriers and electronics manufacturers necessary to turn off or disengage any activation locks, ‘kill switches,’ carrier locks, or other locks for technological devices that are not stolen or lost in order to maximize the use, maintenance, and reuse of such devices.”

No one thinks these are anything but uphill battles. Consumers like the idea of a kill switch for thwarting thieves or erasing data from a lost device, but they don’t consider the detrimental effects of preventing these devices from ever being used again, Levine and others note. Many consumers are not aware that they can sell their old phone or purchase a used, refurbished mobile device for a fraction of the cost of a new device. And device manufacturers and the mobile service providers could see resale of used devices as taking money out of their pockets.

Though ISRI is making its case to various stakeholders that recyclers need reasonable access to reactivate non-stolen phones, it’s possible someone will invent a solution that will meet everyone’s needs, Harris says. He envisions an application that will “erase your data, restore your phone to its original state, and turn off the kill-switch function. It could be very convenient, and there is chatter about it.”

Of course, it’s possible efforts to deactivate kill-switch technologies could “end up inviting some unscrupulous people to the party,” Levine says. “It’ll be like Prohibition: The good guys’ll scrap them or not take them, and the bad guys’ll find a way to circumvent the system and resell them.” This sets up a system that no one wants, he warns: not manufacturers, service providers, law enforcement, or, ultimately, the public.

Ellen Ryan is a Rockville, Md.-based freelance writer. Scrap editor-in-chief Rachel H. Pollack contributed to this article.

This article originally appeared in the September/October 2014 issue of Scrap magazine. Reprinted with permission.

Unlocking Mobile Devices: A Legislative Win for Refurbishers

Until recently, the United States was reportedly the only country in the world that tied its mobile devices to their cellular service provider. If you purchased your cellular service through the AT&T cellular network, you could not take the devices connected to that service and move them to T-Mobile or Sprint—even after your contract ended and even though they’re your property. The devices were locked to their service provider.

Plenty of mobile-device users figured out unauthorized methods to unlock their devices, however, and even though doing so would void the device’s warranty, it was legal until 2012, when the Library of Congress determined that doing so violates copyright law. (The 1998 Digital Millennium Copyright Act gave the Library of Congress the power to make that decision, and it had twice previously determined that unlocking was not a copyright violation.)

After an outcry from the public, several members of Congress backed legislation that would make cell phone unlocking legal. Early versions of the bill raised concerns from electronics processors, however, because they expressly forbade “bulk” unlocking, which allows refurbishers and resellers to put such phones up for sale to any buyer, regardless of cellular service provider—though phone manufacturers and cellular service providers could still do so.

ISRI members and staff worked to convince lawmakers that such a ban put recyclers at a competitive disadvantage, and the ban on bulk unlocking was removed from the final bill. The Unlocking Consumer Choice and Wireless Competition Act passed both houses of Congress in July, and President Obama signed it into law Aug. 1. The win is only temporary, however, because the Library of Congress revisits the issue every three years, with its next decision due in 2015.
