Showing posts with label CESG. Show all posts

Friday, 10 April 2015

Scrap/Value



Value, like beauty, is in the eye of the beholder. We look at something and think ‘that cost me £400 that did’ and refuse to believe that four years later its worth is around a tenner. We forget that it cost £400 but that is different from what it was worth. You paid about £250 for the little Apple logo for a start or the swoosh, or the Microsoft thing.

I will always remember being on the M25 driving home one evening when my heavily pregnant wife rang me to say that she had been out with her parents and that they had very kindly bought us a pram cum pushchair cum car seat affair. With almost gay abandon she told me that it had cost them almost £700 (in 1999!) just as a beaten up old BMW overtook me doing about 90mph with a sign in the side window saying ‘for sale £695ono’. Worth and value, two very different things.

However, the price of such second hand cars is actually quite a good comparison to second hand IT equipment. You buy your car for say £10,000 and then drive it like a bat out of hell for five years until the clock reaches maybe 70,000 miles and then you get it valued. You know whether you think that price is fair or not. You know if the car is falling apart, or if the clutch is about to go. You expect it to be worth very little. And if it wasn’t working it would not be worth much at all, just scrap, even if you have no idea what scrap value is. It’s just something people say.

But with your old desktop the reverse is true. You know that it is too slow to run the programs you want to use reliably. You know it has started crashing on a regular basis. You know it gets awfully hot if you use it all day. You know it is five years old and was not exactly high spec back then. So having bought a shiny new one which cost you £499 you are naturally not best pleased when some fool like me suggests it will cost you to remove, sanitise and recycle.

Let’s ignore the game changing effect of volume for a minute and look at your average five year old PC in isolation. Yes it did cost you £499 sixty months ago. That is irrelevant to its value now. Has it been well used? Yes, it flipping well has. Was it top of the range when you bought it? No, it was the PC equivalent of the family saloon car. Why are you getting rid of it? Because it is on its last legs and will not do what you want a PC to do now. Ok so now who is the fool?

What people forget is that we have legal responsibilities here. Every business has to recycle WEEE responsibly and prove that they have done so, if necessary. The latter bit is less likely to happen of course but it does not change the regulations or the risk. And every business has to comply with the Data Protection Act. So, you really need some paperwork and you really need to make sure this is going to someone you can trust. But you still don’t want to pay, do you?

You pay for your bins to be emptied. Not the same though is it? I mean paying to get rid of rubbish is accepted, because it’s your rubbish and it is...well...rubbish. You created it and unfortunately you have to dispose of it and so you pay for those bins round the back of the building just like you pay your council tax at home, to have the bins cleared.

This PC isn’t rubbish, it cost £499 remember. Yes it doesn’t work very well and it cannot cope with the latest software you use, but it’s not rubbish. Not in your mind at any rate.

Ok then, you sell it. I really have had customers say this to me. ‘I’ll put it on eBay’. This is the PC that gets quite hot, you’ll recall? The one that crashes? The one that can’t cope with the latest software and you expect to sell it on eBay? And what are you going to do about software, because that stuff on the PC is licensed to you, and although it is transferable, do you want to transfer it? What are you going to put on your new machine? And most importantly of all, what are you going to do about your data on that old machine?

You could, like many people do, just shrug and say you’ll risk it. You could, like many people do, get away with it. Or it could all go a little pear shaped and Genghis Khan and his hordes (the information commissioner to you) could ride over the horizon and fine you up to £500k. In a few months he might even throw you in the chokey too. Given half a chance he will put you on the rack as well, or burn you at the stake.

Sensible people would not sell that PC on eBay. Too complicated, too many potential comebacks. A few would sneak it down the local tip and pretend they were a consumer, but of course the data is still there. The risk is still there. So in the end most people recognise that they have to use someone like eReco. And they still baulk at the cost. Any cost.

Volume becomes crucial here. If you are a big company you dispose regularly and have some sort of routine. Once or twice a year maybe, a nice full van load. eReco charge £900 for a van load, which can weigh up to about 1500kg, but we still charge extra for data wiping on top. With these sorts of quantities, we have more scope for getting some value back for you. If your 5 year old PC’s (75 is about a van load so let’s take that as our hypothetical quantity) pass the PAT safety test we can find a market for even some fairly low spec machines at around £20 each. So we might sell them for £1,500. Our standard agreement is a 50:50 revenue share, so you are due £750 less our sales costs, which might include loading new software for instance. But let’s say for the sake of argument that we don’t have to load any software and you get back your £750.

So now getting rid of a whole van load of waste has cost you £150 + data wiping at £5 which is another £375 on 75 PC’s, so that is £525 or £7 a machine. That is £7 to load it on a van, transport it and log it, wipe it, provide waste transfer notes, asset lists and certificates of destruction, PAT test it and store it until we sell it.

In reality of course, a number of the PC’s would fail the test. A number of hard drives would fail the erasure process and thus would have to be destroyed, so the costs could rise. But as an example it all sort of stacks up. £7 per PC seems like a fair price.

My point being if you have volumes to recycle, cost effectiveness and value for money are relatively easy to achieve. Saving the Earth does not cost the Earth.

But our one PC could end up costing £50 or even a bit more to recycle. And we can only get that low if you are easy to get to on the way back from somewhere else. And that can make the whole process seem unfairly expensive. Which I understand, appreciate and consider. But...

Unfortunately, the same rules apply to all businesses and organisations, regardless of size. You have to do this stuff or risk the consequences (you remember, Genghis; stakes, racks and burning). Which is why these people who offer free collections suck in so many people.

On the volume side, if you are collecting 75 PC’s a free collection is possible. If they do not offer you any cash back (and they won’t) they get £1500 worth of kit. On our cost base, you could do that and still make a profit. Not a huge profit but a profit nevertheless. But if ten of the PC’s failed the PAT test that profit would disappear, and you do not know what state the kit is in before you collect it so this is all done sight unseen as it were.

So, if you were that free service, what would you do? Well the major cost is the data wiping. We charge £5 per drive because besides the labour involved we pay a license fee per drive. But if we did not use the Infosec 5 software, but downgraded to one of the others on the market, which do not charge a few quid per drive wiped, we could save a fair amount. Sure, the data is technically recoverable but you are now into a situation where your risk revolves around your PC falling into the hands of someone with a fair amount of skill and criminal intent. Genghis would not be best pleased if it happened but as long as you had the paperwork, you might survive the experience.

Another cost is recycling within WEEE regulations. You are not allowed to sell stuff to people who intend to whisk it out of the country. Because it may end up in landfill or be used for nefarious purposes. Which is a shame financially because you can sell these guys anything, working or not, for cash. Annoying this sustainability lark sometimes!

So my message for today is that it isn’t about your valuation of the item’s worth. It isn’t even about the price I quote you. It is about the value of what we do. If you buy into that...if you believe that sustainability is important and that you would much rather your sensitive data was not shared with all and sundry...then the price will be just right.

Small businesses recycling small amounts will pay more, but isn’t that the same with everything?

Thursday, 9 April 2015

Doing Porridge for your Data?



During an election campaign it is probably natural to ask ourselves what a government is for? And the answer is to govern...to conduct the policy, actions and affairs of a state, organisation or people with authority...to quote a dictionary definition. Obviously quite a complicated business but when it comes down to it I believe it amounts to setting boundaries.

That is what laws are. You can do this but you cannot do that, and if you do we will punish you. In an ideal world, any government’s legislation should leave its people in no doubt as to how they are expected to behave, everything should be black and white, and we should therefore understand the consequences of our actions.

Data security is regulated but the legal boundaries are anything but clear. Not to the vast majority of people. If you sat your average business manager in a room and asked him what he was supposed to do with the data within his control, he would not have a clue.

To a certain extent that is our own fault. Not many people have ‘check the data protection act and how it applies to my role’ on their to-do list. But they should of course. It would make things so much easier in the long run, especially if the information available was written so that anyone not related to Stephen Hawking had a chance of understanding it.

Here’s a thing. An example of what I mean. When you dispose of an old Business PC, you are being governed (that word again) by two sets of legislation...WEEE and Data Protection. One classifies your old PC as waste and therefore it must be moved under a waste transfer note, by a licensed carrier and all that jazz. Not very exciting and we could have a debate about when it becomes waste, but essentially it is, so there, live with it and get a waste transfer note. It is better than a fine.

But the data stuff is trickier. According to the law you are not throwing out an old PC, you are giving away your data. From the moment it leaves your possession, your risk is running around outside of your control and protection and legally you need to show a duty of care towards its security. If you have not and it all goes a bit Pete Tong you are in the firing line of a £500k fine. Very soon you would be opening up the doors of the Scrubs and heading for a six month stretch standing nervously with your back to the wall!

Make no mistake about it; the penalties are serious and getting worse. The misuse of data is taken very seriously in Brussels and Westminster. Mess up through negligence or criminal intent and you can expect to feel the full force of the law and the Daily Mail, not necessarily in that order.

The law is often an ass but in this case it is not. It may not be educating us in how to stay on the right side of it enough for my liking but this idea that you are transporting data is good sense. People disposing of an old piece of kit do not see the data, they see the hardware. They are well used to passwords and network security and they don’t really think about what is on the hard drive. So the law is trying to say ‘hey stupid, remember what’s on there.’

The law is trying to protect everyone. Any data a business holds will involve someone else. It may just be name, address and phone number but in many if not most cases it will include sensitive stuff like bank details, medical records, financial information or even criminal records. So the law reminds you to take care.

Hence the existence of some 800 recycling businesses in this country who will deal with IT or data-bearing equipment. Or at least say they will deal with it. And this is where I get worried about the laws. The fact is they make suggestions without defining what they mean. They say use a specialist partner to make sure but they do not help with that choice. There are no British standards, no Kitemark for data erasure or destruction.

That in itself is not unusual. There are many sectors that have no government standards and quite often the sector gets together to try and set its own. The Press Complaints Commission would be a recognisable example of an industry regulating itself. In our case that body is ADISA, the Asset Disposition and Information Security Alliance, an independent body certifying members and setting standards, in conjunction with the government, who do work around the edges.

However, of those 800 businesses fewer than 40 are certified by ADISA. And only 3 are approved by DIPCOG to work in the MoD/Government space. Now this does not make the other 760 or the other 797 bad of course. It just suggests that in the absence of a national standard they do not see the value of playing the game.

That is a shame. The waters are muddy enough and we could do with some clarity. Because without it, who your data walks out of the door with is rather left to chance. And it is you who will pay the fine, not them. In a few months, when the new European laws get ratified, it could be you, or one of your directors, who gets to do the porridge.

Tuesday, 24 March 2015

Rocket Science



Beware cheaper alternatives. Oh yes, we all like a bargain but in the end it all comes down to quality doesn’t it? A bargain is not a bargain if it doesn’t work for very long. There is no saving if Genghis Khan arrives at your door, hordes behind him, having found your customers’ bank details for sale on eBay. And that is what this is about, remember. Data security. Your legal obligations not to put your data at risk. And the risks get bigger every day.

I used to sell roof tiles. We gave a 100 year guarantee. Our competitors stopped at fifty. Guarantees were therefore not a huge USP, because fifty years is an awfully long time to start with, another fifty is just unimaginable. But we were also more expensive than everyone else. Go figure. Quality costs.

Data security is not rocket science. We can make it sound like that if you like, with enough jargon to make your eyes water, but what we do at the disposals end of the business is really quite simple. I am going to try and explain it simply too.

The law...the data protection act...says that you, as owner of your business (or organisation) have a duty of care when it comes to protecting your data, because your company data is likely to contain information about other people – your customers, patients, pupils or whatever you have. You are free to give your own private information away if you like, no one will be too bothered about that of course, but if you expose anyone else’s confidential information you are for the high jump, or a large fine.

So if you want to get rid of something that has any data on it, you need to protect it with auditable paperwork. That something can be a computer, a laptop or a server, but it can also be a printer, a scanner, a fax machine, a tablet or a Smartphone. If you give one of those away without erasing the data from the device memory, destroying the hard disk or shredding it, you are putting your data at risk and have thus failed in your duty of care.

Now most people get a company like eReco to take away their old kit. There are about 800 such companies in the UK, some of which are charities. Like any other sector, some are great (me sir, we are, honest!) and some not so great. Every single one of them SHOULD (and please note the capital letters) issue some paperwork to prove what they have done, deal with the data and recycle all the kit in line with WEEE regulations.

That paper is dull but important. It proves you have fulfilled your duty of care. If the worst should happen and Genghis Khan, our beloved Information Commissioner, should appear at your door with a taste for your first born, it is the paperwork which will placate him.

The basics are:

Waste transfer notes. Legally, to transport waste, you need the right notes. You may not consider your old PC to be waste but just believe me, it is in a legal sense. Compared to mass murder, not having a waste transfer note is not the most heinous of crimes, but I am just letting you know so that you can be aware. You did check that, didn’t you?

Asset lists. A bit more important and slightly more exciting. The person who collects your stuff should have an order from you asking him to collect your stuff and detailing what it is, and should then provide a full asset list of what has been collected. In an ideal world these match, and you file them under job done. I gave them PC A and they confirmed they have PC A in their possession. Your duty of care is in a good place. As long as your service provider has all the right licenses to do what they said they were going to do, at any rate. You did check that, didn’t you?

Certificates of data destruction. The final nail in your alibi. You remember PC A? Well we destroyed the data as agreed and here is the certificate to prove it. If that data now turns up somewhere nasty it is not your fault (as long as your service provider has insurance, all the right licenses and did what they said they would do, and you checked that was all ok. You did check that, didn’t you?).
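The three pieces of paperwork above only do their job if they agree with each other: everything on your order was collected, nothing unexpected was collected, the serials match, and every collected item ends up with a certificate. The following is an added example of that reconciliation check, not eReco’s own tooling; the asset tags, serial numbers and record layout are constructed for illustration.

```python
"""Reconcile a disposal order against the collector's asset list and the
certificates of data destruction. Added example; asset tags, serials and
the dict-based record format are constructed assumptions, not a real
provider's paperwork."""

from dataclasses import dataclass, field

# Constructed sample records. Keys are asset tags, values are serial numbers
# (or, for certificates, the outcome recorded on the certificate).
ORDER = {"PC-A": "SN1001", "PC-B": "SN1002", "PC-C": "SN1003", "LT-D": "SN2001"}
COLLECTED = {"PC-A": "SN1001", "PC-B": "SN1002", "LT-D": "SN2001", "PR-X": "SN9999"}
CERTIFICATES = {"PC-A": "erased", "LT-D": "destroyed"}  # PC-B has none yet


@dataclass
class Reconciliation:
    not_collected: list = field(default_factory=list)   # ordered but never picked up
    unexpected: list = field(default_factory=list)      # picked up but never ordered
    serial_mismatch: list = field(default_factory=list) # same tag, different serial
    uncertified: list = field(default_factory=list)     # collected, no certificate

    def is_closed(self) -> bool:
        """True only when every discrepancy list is empty, i.e. 'file under job done'."""
        return not (self.not_collected or self.unexpected
                    or self.serial_mismatch or self.uncertified)


def reconcile(order: dict, collected: dict, certificates: dict) -> Reconciliation:
    """Compare the three documents and list every discrepancy to chase."""
    r = Reconciliation()
    for tag, serial in order.items():
        if tag not in collected:
            r.not_collected.append(tag)
        elif collected[tag] != serial:
            r.serial_mismatch.append(tag)
    r.unexpected = [tag for tag in collected if tag not in order]
    # A certificate only counts for something the provider actually took away.
    r.uncertified = [tag for tag in collected
                     if tag in order and tag not in certificates]
    return r


if __name__ == "__main__":
    result = reconcile(ORDER, COLLECTED, CERTIFICATES)
    print(result)
    print("closed:", result.is_closed())
```

Run against the constructed records it reports PC-C as ordered but not collected, PR-X as collected without an order, and PC-B as still awaiting a certificate, so the job is not closed. A provider whose paperwork reconciles cleanly to the order is the one whose certificate will placate Genghis.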

Now, moving away from the exciting world of paperwork and your perfunctory due diligence, let’s have a look at the data erasure or destruction. As I may have mentioned before, best practice is to extend the lifecycle of any equipment recycled, because 80% of the damage is done during manufacture. This is what WEEE regulations say and we all do our best for sustainability. And yes we can make a few bob out of it too. But let’s leave that for now.

Let’s just agree that every supplier, however good or bad they are, wants to sell PC A on. The easiest and cheapest way to do that is to leave it alone and get rid of it, sold as seen, and not worry at all about the hard disk. That happens. A lot. Genghis has a lot of fun. But most service providers will try to erase the old data somehow. Note I said erase, not destroy. If you destroy the hard drive for PC A it is pretty much worthless, so to make any money you would have to put a new drive in. Now already you have had to remove one drive, destroy it, and put another one in. So that has cost time and money. So the best option for all concerned is to leave the drive where it is and run some data erasure software to remove the data.

There is a standard for this, set by CESG, which is basically our sainted security services, GCHQ. To erase data with no known way of retrieving it, you need to use Infosec 5 level software. To keep this simple let’s think of the task of dusting a television screen with the sun streaming in through the windows. If you use cheap over the counter software, which anyone can buy, it will cost you about £20 and you can use it forever. It gives you one wipe. Most of the dust is gone from the screen. Note the word most! It is a man’s wipe, a cursory thing not designed to be comprehensive, and if you knew how, you could get the dust back in a trice.

Infosec 5 software is a duster driven by your grandmother. It gives you three comprehensive wipes and gets right into the corners. No dust left anywhere. And in fact, if there is a hint of dust, that drive is rejected as being unsuitable for data erasure and summarily destroyed. Once wiped, no dust is brave enough to return even if a master criminal is involved.

But Infosec 5 software is not cheap and using it is not straightforward, so it is not available over the counter as it were. It is only provided by people like eReco because not only do we have to buy the expensive software license and train Ben and Aaron but we also have to pay a license fee per drive to boot. That is why we charge £5 per drive.

So when someone says ‘and we will sort your data’ you have to ask how? Because this is one of the areas where your duty of care comes into question. Del Boy may get you into some serious trouble if you do not take care.

In conclusion, the cheaper alternative I started off with can only save money in 3 crucial areas as far as I can see. They have to collect the stuff the same as us, but they could use staff who have not been security cleared and only send one driver along, which means your data could be left unattended if he or she needs a comfort break, for instance. Then they can save a bit by not bothering with any paperwork to speak of. Then they can save a lot by not dealing with your data properly. They can then make a bit more by ignoring WEEE regulations and flogging the kit for export to less scrupulous markets.

It’s not rocket science, is it?

Thursday, 5 March 2015

Eggs are bloody Eggs



I am having a bit of a go at the charity sector this week. You may have noticed. I also had a pop at Basingstoke purely for fun along the way. So here I go again whilst in the grip of man flu. If a charity collects your old WEEE, as some do, who pays for the collection? Who provides the (necessary) paperwork? Yes, you’ve got it again, someone is being conned here.

It may be the poor sap who has volunteered to collect your stuff using his own petrol and his very clean Volvo. It’s clean because he polishes it every Saturday morning of course, and he probably has a blanket in the back to protect his carpet from your disgusting IT waste. I am sure he was very nice, polite and helpful, but he is breaking the law. So are you by the way. I think. Let me explain.

Well, for a start, this is waste. You are throwing something out, for free, and that makes it waste. In this country, to transport WEEE, you have to have the right licenses and paperwork, and our nice OAP with the Volvo should be providing you with a Waste Transfer Note. Some of the stuff he is taking from you may well be classified as hazardous. Monitors for instance are so classified, as are laptops because of the screens. So if he is caught transporting it without the paperwork you are caught disposing of your WEEE illegally. Fined, send them down bailiff, next case.

Ok, this is probably not the most serious crime in the world, and the chances of you falling foul of it are pretty slim, but I just thought you should know. And the Volvo driver should know too. His insurance almost certainly will not cover him for his bit of charity work.

But isn’t this clever? Now our charity has your old PC back at the ranch. For nothing. And having made no specific promises on how they will eradicate your data from the equation, what they do is use either a ripped off (and therefore ever more out of date) version of decent software, or use one of the products available off the shelf which are ok but not fail safe. I say ok, because I cannot deny they wipe disks and put a zero in every cell, but this is retrievable. It is not totally safe because it can be recovered. You will have to decide whether this is good enough for you, and whether the ICO will agree that, in the event of a data breach, you have done enough to protect your data. The fine is only £500k.

Our software is bang up to date Infosec 5 rated software from Tabernus. This does three wipes with total random combinations of 0’s and 1’s. It rejects any hard drive that has damaged cells which cannot be overwritten (and we destroy them) and there is no known way to retrieve data after this process. Says who I hear you cry? Says GCHQ and the FBI, that’s who. And we pay a license fee for every hard drive we wipe.
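The practical difference between the “one wipe” of off-the-shelf software described in the Rocket Science post and the process described here is not only the number of passes but the read-back: each sector is verified after writing, and a drive with a cell that will not take the overwrite is rejected rather than passed off as wiped. The following is an added simulation of that behaviour, not Tabernus or CESG code; the in-memory drive, the 512-byte sector size, the three-pass count and the “stuck sector” model of a damaged cell are all assumptions made for illustration.

```python
"""Simulated drive sanitisation: an unverified zero-fill versus verified
random overwrite passes that reject a drive with an unwritable sector.
Added example; the drive model, sector size, pass count and sample data
are constructed assumptions, not a vendor's erasure software."""

import hashlib
import os

SECTOR = 512  # assumed sector size


class SimulatedDrive:
    """In-memory drive. Sector indices in `stuck` silently keep their old
    contents on write, standing in for damaged cells that cannot be overwritten."""

    def __init__(self, sectors: int, stuck=(), seed: bytes = b"constructed-data"):
        self.sectors = sectors
        self.stuck = set(stuck)
        # Deterministic pseudo-random 'customer data' built from a hash chain.
        image = bytearray()
        counter = 0
        while len(image) < sectors * SECTOR:
            image += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
            counter += 1
        self.data = image[: sectors * SECTOR]

    def write(self, index: int, block: bytes) -> None:
        if index in self.stuck:
            return  # damaged sector: the write is lost and no error is raised
        self.data[index * SECTOR:(index + 1) * SECTOR] = block

    def read(self, index: int) -> bytes:
        return bytes(self.data[index * SECTOR:(index + 1) * SECTOR])


def zero_fill(drive: SimulatedDrive) -> None:
    """The cheap 'one wipe': every sector set to zeros, nothing read back."""
    for i in range(drive.sectors):
        drive.write(i, bytes(SECTOR))


def erase_verified(drive: SimulatedDrive, passes: int = 3):
    """Overwrite every sector with fresh random bytes on each pass and read it
    back. Returns ("erased", None) or ("rejected", first_failed_sector); a
    rejected drive is the one that goes to physical destruction instead."""
    for _ in range(passes):
        for i in range(drive.sectors):
            pattern = os.urandom(SECTOR)
            drive.write(i, pattern)
            if drive.read(i) != pattern:
                return "rejected", i
    return "erased", None


def residual_sectors(drive: SimulatedDrive, original: bytes) -> int:
    """How many sectors still hold exactly their original contents."""
    return sum(1 for i in range(drive.sectors)
               if drive.read(i) == original[i * SECTOR:(i + 1) * SECTOR])


if __name__ == "__main__":
    damaged = SimulatedDrive(64, stuck={17})
    before = bytes(damaged.data)
    zero_fill(damaged)
    print("zero-fill left", residual_sectors(damaged, before), "sector(s) untouched")
    print("verified erase says:", erase_verified(SimulatedDrive(64, stuck={17})))
    print("verified erase on a sound drive:", erase_verified(SimulatedDrive(64)))
```

On the constructed damaged drive the zero-fill finishes without complaint and leaves sector 17 exactly as it was, which is the failure mode that gets a provider into trouble; the verified routine stops on that same sector in the first pass and returns a rejection, so the drive is destroyed and no certificate of erasure is issued for it.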

But back to the charity. Now they have your computer, for zero cost, and they have wiped it for zero cost, a depth of service which should help you all to sleep well at night. So what do they do with it all now?

Well, some must carry on down our road and remarket it, for cash. eBay. Maybe they sell as job lots to brokers, but legitimate brokers are very choosy. They only take what they know there is a market for. I would estimate that the average price for an old desktop is under £50, and this figure is only so high because a good machine, with a high specification, can still be worth hundreds. If we took them out of the equation, your bog standard 3 year old PC is worth maybe £25 tops.

Now when you have shelled out precisely nothing that is really not so bad, I suppose. The charity has turned your rubbish into £25 with the help of a willing volunteer, and you’ve got a service of sorts. You might even get a certificate of data destruction I suppose. Maybe, maybe not. But for 99.99% of people this is job done, no come backs, you think you have done a good thing for the world and the charity, good bad or indifferent, has £25 to do whatever good it says it will do.

The other scenario is that they do not flog the PC entirely legitimately in this country. Instead they flog it to some bloke who gets it from them when the shed is full. He takes everything and pays a nice lump sum. Say £200 a pallet. This is great because Del-boy doesn’t really care if it all works or not. He just loads it all up, counts out the notes and disappears.

And this is the stuff that really annoys me, because this is the stuff that goes to Africa and will end up in landfill, as sure as eggs are eggs. And eggs are bloody eggs you know. Even if a charity is sending stuff to Africa legitimately, to help a school or whatever, and this is authorised, when this stuff packs up it is not going to be sent back to Tunbridge Wells is it? Now the people behind European WEEE regulations, the Environment Agency and such like, ought to be seriously dischuffed about this sort of stuff...and guess what, they are. There is even an EA taskforce trying to catch the people who do this under the counter, and I sincerely hope that the people who authorise the legal export of used IT equipment are considering landfill too.

Once again, I must emphasise that I am not against charity. Not legitimate ones. If they are fully authorised to send this stuff abroad, I may not like it but all I can do is write letters of complaint and campaign against it. But a lot of charities are fronts with profit making businesses behind them. A lot of them are not doing what they say they are doing. And whilst they are (allegedly) lining their own pockets, they are risking your data and ruining this planet for our children.

I am against that. How about you?