Mick Payne remembers the moment the madness of the way we dispose of our data was brought home to him.
The chief operating officer of Techbuyer, an IT asset disposal company in Harrogate, was standing in a large windowless room of a data centre in London surrounded by thousands of used hard drives owned by a credit card company. Knowing he could wipe the drives and sell them on, he offered a six-figure sum for all the devices.
The answer was no. Instead, a lorry would be driven up to the site and the data-storing devices would be dropped inside by authorised security personnel. Then industrial machines would shred them into tiny fragments.
“I walked out and thought, ‘This is absolutely crazy’,” says Payne. “They couldn’t allow the disks to leave the building — despite the fact we could wipe them on-site then sell to a new customer who could make use of them for years to come . . . It was a complete waste.”
Payne had experienced first-hand the ubiquitous industry practice of shredding data-storing devices.
Every day when you fire off emails, update a Google document or take a photo, the data generated is not stored in a “cloud” as the metaphor suggests. Instead it is stowed across several of the world’s estimated 70mn servers, each one a steel box about the size of a kitchen sink, made up of all sorts of precious metals, critical minerals and plastics.
The servers contain several data-storing devices, each roughly the size of a VCR tape. They sit inside the world’s 23,000 data centres, some of which span floorspace equivalent to dozens of Olympic-sized swimming pools. When companies decide they want to upgrade their equipment, which usually happens every three to five years, data storing devices are routinely destroyed in a process like the one Payne described.
Companies such as Amazon and Microsoft, as well as banks, police services and government departments, shred millions of data-storing devices each year, the Financial Times has learnt through interviews with more than 30 people who work in and around the decommissioning industry and via dozens of freedom of information requests.
This is despite a growing chorus of industry insiders who say there is another, better option to safely dispose of data: using computer software to securely wipe the devices before selling them on the secondary market.
“From a data security perspective, you do not need to shred,” says Felice Alfieri, a European Commission official who co-authored a report about how to make data centres more sustainable and is promoting “data deletion” over device destruction.
The trust problem
Underpinning the reluctance to move away from shredding is the fear that data could leak, triggering fury from customers and huge fines from regulators.
Last month, the US Securities and Exchange Commission fined Morgan Stanley $35mn for an “astonishing” failure to protect customer data, after the bank’s decommissioned servers and hard drives were sold on without being properly wiped by an inexperienced company it had contracted. This was on top of a $60mn fine in 2020 and a $60mn class action settlement reached earlier this year. Some of the hardware containing bank data ended up being auctioned online.
While the incident stemmed from a failure to wipe the devices before selling them on, the bank now mandates that every one of its data-storing devices is destroyed — the vast majority on site. This approach is widespread.
One employee at Amazon Web Services, who spoke on condition of anonymity, explained that the company shreds every single data-storing device once it is deemed obsolete, usually after three to five years of use: “If we let one [piece of data] slip through, we lose the trust of our customers.” Amazon declined to comment.
A person with knowledge of Microsoft’s data disposal operations says the company shreds everything at its 200-plus Azure data centres. Microsoft says “we currently shred all [data-bearing devices] to ensure customer data privacy is maintained fully.”
Microsoft says it is on track to build 50 to 100 new data centres every year
The UK’s Department for Education, Department for Work and Pensions, Police Scotland and Police Service Northern Ireland told the FT that they shred all decommissioned data-storing devices. Northern Ireland’s force says it has shredded 30,000 pieces of equipment including servers and hard drives over the past two years.
Some government departments say they follow National Cyber Security Centre guidelines, which recommend hard drives should be physically destroyed. However, Her Majesty’s Revenue & Customs and the Department for Business, Energy and Industrial Strategy say they do not mandate shredding and London’s Metropolitan Police says it wipes where possible.
Data centre operators have faced scrutiny in recent years for their huge energy use. In July, they were partially blamed when it was found that the west London electricity grid had run out of capacity to support new homes, threatening housebuilding targets in the capital. The focus on their energy guzzling puts pressure on companies to replace their systems whenever more power-efficient equipment comes to market, creating a trade-off between energy efficiency and environmental waste.
Energy use is “being reduced by just throwing more material at the problem”, says Johann Boedecker, founder of the circular economy consultancy Pentatonic. “The open question is: how much energy reduction is worth how much waste?”
But with another 700 data centres set to be built around the world over the next three years, according to the tech consultancy Gartner, the question of what companies do with millions of tonnes of electrical equipment has become more important than ever.
‘We shred everything’
It is difficult to say exactly how many hard drives are decommissioned globally each year, but one study by the US National Renewable Energy Laboratory estimates it is at least 20mn in America alone. Although most data centre companies discard their storage devices after a few years, they could last for years — or even decades — longer, according to several industry experts.
The research suggests more than 90 per cent are destroyed when equipment is routinely decommissioned, even though most are still functioning. The European Commission estimates that about half face the same fate in the EU.
“Clients are so worried about disposal of data that they’re insisting on the hard drives being destroyed,” says Michael Winterson of global data centre provider Equinix. “It’s a big issue that as an industry we need to figure out.”
“We shred everything with data on it, there are no exceptions,” says Greg Rabinowitz, president of Urban E Recycling, an electronics disposal company in Florida. Decommissioning professionals like Rabinowitz mince the drives at their clients’ behest — two others say they have even had requests to incinerate the remains.
While the shreds are widely sent for recycling, today’s processes only recover about 70 per cent of the materials, according to Julien Walzberg, a researcher at the National Renewable Energy Laboratory.
Recycling plants usually separate the 6mm-wide morsels into aluminium, steel and circuit board for onward sale. But the hard drives contain important materials, such as neodymium and dysprosium in the magnets and nickel and palladium in circuit boards, which are often not recovered. Several of these are on US or EU lists of “critical” materials — so designated because of natural constraints on their supply or for geopolitical reasons. China, for example, produces 60 per cent of all mined rare earths.
The small amounts of critical raw material lost in shredding add up, contributing to the 54mn tonnes of electronic waste produced globally every year. Every speck lost requires more to be mined, often from areas of the world embroiled in conflict. Demand for such materials is projected to grow as the world electrifies itself away from fossil fuels.
“Shredding causes a massive problem for sustainability,” says Deborah Andrews, professor of design for sustainability and circularity at London South Bank University.
The number of hyperscale data centres — large facilities with thousands of servers — in the world
While various projects are being piloted to try to recover some of the materials lost in shredding, tearing up a drive after a few years of use still violates the first rule of sustainable consumption: reuse is always better than recycling.
“Even if you recover all the materials when you recycle a product, all the energy and money you have put into using those materials to manufacture the product’s components . . . is lost,” says Walzberg. In a study this year, he found that reusing a hard drive avoids four times as many carbon dioxide emissions as slicing it up and feeding the pieces through even the best imaginable recycling processes, when both scenarios are compared with current recycling.
The same problem applies to entire servers which, when deemed no longer useful, are often sent for recycling rather than reused. IT company Dell found that manufacturing accounts for half of the carbon footprint of one of its servers, accounting for energy-related emissions from four years of use.
Steve Mellings, who founded and runs the UK decommissioning industry certification programme Adisa, says energy savings from new technology are not as significant as they used to be. “If they’re using a 15-year-old antique server, it’s going to be heavy on consumption, but most servers [developed] over the past decade are pretty good,” he says. And even if advances do warrant a replacement, “that doesn’t mean you need to destroy the old”.
The case for refurbishing and reuse is not just a financial one. There is plenty of evidence to show that the performance gap between newer and older servers is narrowing, with the newer examples “not maintaining the same efficiency improvements” that were seen in the past, according to a recent paper led by academics at the University of East London.
Some of the major cloud computing providers have been taking steps towards reuse. Google says 27 per cent of the components it used in server upgrades in 2021 were refurbished inventory and that it overwrites data on its hard drives for reuse where possible. Microsoft now operates several “circular centres” for refurbishing old servers and says more than 80 per cent of its decommissioned assets will be repurposed by 2024. But for hard drives, specifically, shredding is still the norm.
Several decommissioning experts say that, while some customers have already converted to erasing and reselling their data storing devices, others simply need to be educated about the efficacy and reliability of wiping software to help them move past the ingrained belief that physical destruction is necessary.
Gartner’s Simon Mingay says many data centre operators would love to increase the quantity of goods that are awarded a second life but “they’re hobbled by the requirements being placed on them by their customers.”
For now, most customers still see the risk as outweighing the potential benefits. Rabinowitz, one of the few voices in the decommissioning industry still in favour of shredding, puts the problem simply: “Why risk it if there was any chance something was going to get left on it?”
If the big tech data storers, known in the industry as “hyperscalers”, were to change their practices on drive reuse, others would follow — or so many decommissioning experts believe. But, as things stand, they are opting to prolong the life of the equipment the first time around. Last year Google said it would extend the life of its cloud servers from three to four years and Amazon Web Services prolonged its own from four to five years in February. Last month, Microsoft announced it would extend the life of its server and network equipment from four to six years.
Nonetheless, many experts are adamant that conventional drives can be securely wiped and reused, a practice that first emerged in the early 1990s but that has only gained significant traction over the past decade. “Saying we have to shred because it’s the only thing that’s secure is a miscalculation,” says Fredrik Forslund, vice-president of Blancco, a company that makes wiping software. Forslund describes shredding as “an absolute disaster”.
The FT asked several industry insiders and experts if they were aware of any case where data had leaked after verified wiping software, such as Blancco’s, had been used, and none were. “We’ve verified that sanitisation works and still they shred,” says Adisa’s Mellings. “The level of fear is palpable.”
Graphics by Ian Bott, with input from Hewlett Packard Enterprise. Server diagram based on a design by HPE.
Additional experts consulted: Alistair Farndale and Peter Dimond, Colt DCS; Nathan Church, S2S Group; Laura Cooper, EOL IT Services; David Watkins, Virtus; Jim O’Grady and John Schultz, Hewlett Packard Enterprise; Holland Barry, Cyxtera; Scott Tease, Lenovo; Sophia Flucker, Operational Intelligence; Corey Dehmey, Seri; Justin Greenaway, SWEEEP Kuusakoski; Sean Magann, Sims Lifecycle Services; Tim Loake, Dell Technologies; Julie-Ann Adams, European Electronics Recyclers Association; Brian Wachter, Dynamic Lifecycle Innovations; Tony Celt, Integrated Recycling Technologies; Thierry Van Kerckhoven, Umicore; Lowell Rawcliffe, Vyta; Katie Schindall, Cisco
Photos by Lorne Campbell, Guzelian and SWEEEP Kuusakoski