E-Waste is a Cybersecurity Problem, Too
Many of us have obsolete devices relegated to the backs of our drawers, little museums of the technology of days long past. These forgotten laptops and phones seem like merely quaint relics, but if they’re not disposed of correctly, they can leak two different but dangerous things: toxic chemicals and sensitive data.
The world generated a record 53.6 million metric tons of electronic waste in 2019, up more than 21% over five years, according to the United Nations’ most recent assessment.
Only about 17% of that e-waste was recycled, and what happens to the rest can be detrimental for both human health and privacy. A new systematic review by The Lancet found that “people living in e-waste exposed regions had significantly elevated levels of heavy metals and persistent organic pollutants,” and it advocated for “novel cost-effective methods for safe recycling operations … to ensure the health and safety of vulnerable populations.”
John Shegerian couldn’t agree more. He’s the co-founder and CEO of ERI, one of the largest electronics disposition providers in the world, and the co-author of ERI’s 2021 book The Insecurity of Everything: How Hardware Data Security is Becoming the Most Important Topic in the World.
We spoke with Shegerian about e-waste’s effect on the future of our world and our privacy, and the role engineers can play in solutions. The conversation has been edited for length and clarity.
Image: John Shegerian, Chairman/CEO of ERI and co-author of the 2021 book The Insecurity of Everything. Credit: ERI
IEEE Spectrum: The conclusion of the Lancet review surely isn’t a shock to you, but others might be surprised about the kinds of pollutants inside our old computers, phones, and TVs — and the danger they present when not handled responsibly.
John Shegerian: When we got into the industry [in 2002], Al Gore had not yet won his awards for “An Inconvenient Truth.” There was no iPhone or Internet of Things. But [e-waste] was still already the fastest-growing solid waste stream in the world. Now, in 2022, electronic waste is now the fastest-growing waste stream by an order of magnitude.
People might say, how is that possible given that we’re talking more about the environment and there are more companies like yours? The truth is, the magnitude of the problem grossly outstrips the amount of solutions. We have so, so, so many devices. And when [e-waste isn’t disposed of correctly], it can get put into a landfill, thrown into a river or a lake, or just buried. Sadly, it could also be sent to a country where they don’t have the right tools or expertise to dismantle old electronics.
Eventually the linings [of devices] break, and when they’re rained upon, the very toxic materials [they contain] — mercury, lead, arsenic, beryllium, cadmium — come out. If they get back into the land and water, it has very negative effects on the health of our vegetation, our animals, and our people. So unfortunately, no, I’m not surprised [by the Lancet study].
You founded ERI because of the environmental concern, but you and your team quickly came to realize the cybersecurity risk as well: Many of these tossed-out devices contain sensitive personal and/or professional data.
Shegerian: Yes, we saw these little breadcrumbs about data and privacy throughout the 2000s: the birth of Palantir, the founding of LifeLock, what we were seeing ourselves at ERI. Really in 2012 I started speaking to companies about the need to “shred” data the way they shred sensitive papers, and they looked at us like we were green Martians. Over the years I spoke about it at conferences anyway, and at one of these in 2017, Robert Hackett from Fortune asked for an interview and wrote an article that ended with this line: “Turns out e-waste isn’t just an environmental menace, but a cybersecurity one too.” Five years of banging the drum, and thanks to this article, we were finally off to the races…comparatively.
Comparatively. Because you find that people, both as individuals and on the enterprise level, aren’t taking the data risk seriously enough. How did that inspire The Insecurity of Everything?
Shegerian: Technology is so ubiquitous that this is a societal problem we all have to reckon with. It’s much more serious than just affecting your family or your company. This is a problem of international magnitude, that has homeland security risks around it. That’s why we wrote the book: The vast majority of our clients still were not listening. They just wanted us for environmental work but they weren’t really sold on the hardware data destruction part of the work yet. We wanted to write this book to share some examples of serious consequences—that this isn’t some remote, theoretical concern.
Can you share some of those anecdotes?
Shegerian: I once had a big, big bank call me up: “John, we’ve had a breach, but we don’t believe it’s phishing or software. We think it came from hardware.” I go out there and it turns out one of their bankers threw his laptop in the trash in Manhattan and someone fished it out. On that laptop was information from the many clients of the entire banking firm—and the bank’s multi-billion-dollar enterprise. The liability, the data … God, just absolutely priceless. If it got into the wrong people’s hands, the ransom that could have been extracted was truly of huge magnitude.
You also have situations like the federal government—I won’t say what branches—telling us: “We have all of these old electronics that are potentially data-heavy, and when companies like yours gave us quotes [for responsible recycling], it seemed kind of expensive. We were told to save money and we found someone to do it for free.”
Free? Yeah, no. What happens is that guy will pick up the devices for free, put them in a container, and sell them wholesale to the highest bidder. Lots of those buyers are harvesting the precious metals and materials out of old electronics — but there are also people adverse for homeland security who want to pull out the hard drives and find a way to harm us here in the U.S. or hold corporate data for ransom. From those examples you can see how you need to protect your financial and personal data on an individual level too.
What do people need to know—and do—to avoid becoming one of these stories?
Shegerian: It is crucial to make sure that if you’re giving [your device] to a retailer who has a take-back or trade-in program, vet them and make sure they’re using responsible recyclers. Make sure they guarantee you that all your data will be destroyed before they take your phone and resell it. If they won’t tell you, with radical transparency, who the vendor is handling the materials or where they’re going to go? Pass.
Image: Hard drives are wiped at ERI’s facilities. Credit: ERI
For the engineers of today and tomorrow who are interested in this work, how can they be part of the solution?
Shegerian: Engineers have been such important partners for us, whether it’s creating e-waste shredding machines or things like glass-cleaning technology that helps us recycle materials. They’ve also helped us be the first to develop AI and robotics in our facility. So they could come work for someone like us, and answer questions like, how do we recycle more of this material in a faster and better way, with less impact to the environment?
On the other side, engineers are still going to be hired by great OEMs, whether tech or auto companies, and that’s beautiful because now they could design and engineer for circular economy behavior. They could create new products made of recycled copper, gold, silver, steel, plastics, keeping them out of our landfills.
Engineers have a huge opportunity to help leave the world a better, safer, and cleaner place than we inherited. But everyone on Earth is a stakeholder in this. We all have to be part of the solution.