Edition 107, March 2020

R2v3 Improves Data Security for Reuse in Reverse Logistics

By Sean De Vries, SERI

Technology is everywhere, and it seems to be continuously evolving at an ever-increasing rate. And as consumers are increasingly drawn to the faster speeds, enhanced functionality, and improved design of newer electronic devices, the rate of technology refresh is also on the rise. This means that for all the new technology being produced, there are vast numbers of electronic devices already in the market that are poised for replacement.

While the rush to adopt the latest device could cause a glut of unused older technology to be mothballed in closets, basements and desk drawers, the good news is that what is viewed as the ideal level of technology and condition of an electronic device is not the same worldwide. Often what is considered ‘old technology’ in one region may be the ideal technology and price point to allow someone in an emerging market to purchase a device that would not otherwise be available to them.

The key then to managing this rapid technology turnover is to maximize the useful life of each electronic device, and in many cases, that means moving the products as quickly and efficiently as possible from their first user to a suitable secondary market for reuse. But there are some well-known risks and issues associated with doing this. There are legal requirements around the import and export of some electronic devices. There are also safety and environmental concerns around the handling and disposition of devices or components that cannot be reused. The risk that is generally of most concern to the average consumer is that their device is handled in a secure manner, and that all data and other personally identifiable information associated with their device is properly sanitized.

The Challenge in Returns

Users are often keen to sell or exchange their devices to obtain a newer model, but they typically lack the technical skills to properly destroy all the data from their old electronic devices on their own. So, before handing these devices over to the retailer, carrier, OEM or other service provider, users want the assurance that their devices will be erased and handled responsibly. Likewise, while retailers, carriers, OEMs, and service providers often have policies and programs in place for end-of-life electronics (e-waste or WEEE) to be recycled, many do not have similar policies and programs to protect user data and ensure these used electronics (UEEE) are functional for reuse.

While the financial, environmental and social benefits of reuse in trade-ins, lease returns, customer returns and warranty channels are many, the risks must be addressed by organizations that manage these devices for reuse. For example, companies that import/export used mobile phones without having the proper test records that prove they are working and ready for direct reuse by a consumer are likely subject to additional waste regulations requiring notices and waste declarations. In many cases, the import/export of electronics that have not been tested and verified as working can be illegal if going to a developing country. Add in data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act and the risks for product owners and processors increase.

Consider, for example, a used iPhone 11 that does not power on. If the phone cannot be powered on, it cannot be tested or sanitized. If the processor only visually inspects that phone, they may find it to be in Grade A condition, instead of being untested and still containing data. Similarly, if the previous user did not remove the “Find My iPhone” lock, then the user’s data may be repopulated later – even after the processor erases the data. Both scenarios are risks that could leave the retailer, carrier, OEM, and/or service provider liable for data breaches and subject to a fine if that phone is sold for reuse without data sanitization.

The Challenge in B2B and ITAD

Businesses have the challenge of recovering the value from their retired IT assets while ensuring their corporate information – as well as the personal information of their customers – is effectively sanitized and no longer recoverable. This has led some organizations to ban reuse altogether because they fear that residual data on their retired assets may be exposed. Such policies force premature recycling of devices that could have a second life with another user and often conflict with the organization’s sustainability and corporate social responsibility efforts. While recycling to recover the materials in IT hardware has benefit, reuse of the equipment has a far greater positive impact on the environment. Premature recycling of electronics also limits the opportunities to enrich lives with used devices that educate children, enable rural and developing regions to do business in a global economy, and connect families that are living or traveling in other parts of the world.

But what would happen if we could assure people that the data on their electronics would be securely destroyed? Wouldn’t it be better to simply destroy the data without destroying the device so that it could be given a second life with a new owner? What would the social and environmental impact be if we made reuse, and not destruction, the first choice for used electronics?

The perception that the risk of data breaches is greater with reuse than with destruction of the device causes many device owners to opt for physical destruction of the entire device. But when possible, the better option is to simply destroy the data without destroying the device, and R2 certification provides a secure path for doing just that. In the current version of the R2 Standard, every R2 Certified facility is responsible for securing data. In R2v3 – the next evolution of the R2 Standard that is soon to be released – a new specialization will be introduced recognizing those R2 Certified facilities that are specially qualified to logically eradicate data and sanitize devices for reuse. These specialized facilities add more rigorous traceability and more thorough verification to provide increased assurance that sensitive user and business information is destroyed.

Data breaches can cause significant reputational harm and potentially lead to substantial fines for companies found negligent in their management of electronic devices and their data. That is why the R2v3 Standard has set the industry bar by providing controlled and audited pathways for securing used electronic equipment from unintended access or use, sanitizing data, and testing and verifying functionality prior to reuse. In fact, R2v3 provides the framework for sustainable electronics reuse and recycling practices throughout the entire processing cycle for used electronics, so all electronic devices must be properly secured right from the point of initial receipt, through transportation, and all processing activities. All devices must also be effectively data sanitized regardless of whether they are intended for reuse or materials recovery. Because the method of sanitization will vary depending on the type of device and its intended fate, R2v3 provides several pathways for processing and sanitizing data devices.


The R2 Reuse Process

Data sanitization can use different methods, from logical sanitization (aka wiping or purging) to physical destruction of the data media. To determine the proper method of data sanitization, an R2 Facility must first evaluate each electronic device to determine which are capable of reuse. Determining whether something is capable of reuse requires the assessment of several factors, including the device’s physical condition, level of functionality, and potential value in the destination market.

Apart from removing and replacing any data-containing components, items intended for reuse generally must remain intact, and therefore are typically sanitized logically. This type of sanitization process, sometimes referred to as data erasure, uses software that is specifically designed for the type of device being sanitized to overwrite all user data locations on the device so that any data is unrecoverable. The software is also designed to track the results and maintain records of the sanitization process, but that is still not the end of the process. Quality controls and checks must be implemented to verify the successful sanitization of each device. If sanitization cannot be confirmed, the data-bearing components of that device must be physically destroyed to prevent data from being recovered.

In some devices, the media containing the data can be removed, such as a hard drive in a desktop computer. The media can then be wiped separately from the device it was in and can be reused in another device. Some say this is a better approach because it anonymizes the media, so it is no longer associated with its original device. If someone were looking to steal information from a specific device, it would be harder to find it this way. While reuse of the media in another device is preferred, the removed media could also be physically destroyed without destroying the whole device. This can be an effective method when there is heightened concern of data breaches, such as with medical or financial records. Keep in mind, however, that this is not possible in devices where the media is integrated, such as mobile phones.

Once effectively sanitized of all user data, electronic devices go through a variety of test, repair, or refurbishing processes in order to assess each device’s level of functionality and prepare it for reuse. The specific processes undertaken to prepare an item for reuse will depend on several factors such as the type of device, its condition, and its intended use. As a result, the details of the test and repair operations (including the functions tested), the test methods performed, and the quality assurance plans to ensure the effectiveness of the tests must all be defined in a detailed R2 Reuse Plan. Ultimately, the outcome of the test and repair processes is functioning products that meet the intended customer’s needs and are ready for reuse.

When creating RFP and contract requirements for reverse logistics vendors, it is recommended that businesses include comprehensive requirements to test the functionality of each device and to sanitize all residual data from the previous user. The language in the R2v3 Standard in Core Requirement 7 for Data Security; Appendix B for Data Sanitization; and Appendix C for Test & Repair might be a good start. Organizations that want to go a step further and ensure monitoring by independent auditors could also require R2v3 Certification with a specialization in Test & Repair (Appendix C). R2 facilities certified to the Test & Repair specialization are qualified to perform warranty repairs, customer returns, trade-ins, lease end, and ITAD processing for the reverse logistics industry. And since Test & Repair requires conformance with the requirements of Data Sanitization (Appendix B), customers will be assured that all data is destroyed and media is sanitized to the most comprehensive data destruction standard in this industry.


Sean De Vries
Sean De Vries is the R2 Director with Sustainable Electronics Recycling International (SERI), the non-profit organization that administers the R2 Standard for Sustainable Electronics Reuse and Recycling (R2) practices. Sean is responsible for the development and implementation of the R2 Standard and works closely with the multi-stakeholder R2 Technical Advisory Committee (TAC) on changes to the standard.