Photocopier Fallout: Congress, FTC "Concerned"

(CBS)  A CBS News investigation last month found that nearly every digital copier built after 2002 stores an image of documents copied, scanned or emailed by the machine on hard drives.

Watch the Original Copier Report

CBS News chief investigative correspondent Armen Keteyian reports parents and students at Dos Palos High School in Sacramento found out the hard way recently, when CBS affiliate KOVRpulled hundreds of student names, home addresses, cell phone and social security numbers off the hard drive of an old school copier.

"The fact that information that we treat very, very carefully somehow got out of our system and is out there is a huge concern to us," said Brian Walker, Dos Palos school district superintendent.

Massachusetts Congressman Ed Markey is of the same mind. Citing our report, he called for an investigation by the Federal Trade Commission -- concerned most Americans don't know their information can be compromised.

"We have to do a lot more to insure that the public and corporations know this," Rep. Markey said, "and that absolute security is applied to copy machines across our country."

Our investigation last month revealed how easy it is to buy used copiers at a warehouse and remove the hard drive packed with personal data.

Using software available free on the Internet, our expert, John Juntunen of Digitial Copier Security, downloaded thousands of documents in less than 12 hours.

From the Buffalo Police Department we found lists of domestic violence complaints, and targets in a major drug raid.

From a New York construction company, we found 95 pages of pay stubs with names, addresses and social security numbers.

And from a health care company, we found hundreds of pages of personal medical records. As a result of our story, Affinity Health was required to notify more than 400,000 people of a potential breach of their privacy.

"I think the copy machine industry has to step up, provide the leadership and technology that insures this information is scrubbed from copy machines," Rep. Markey said.

Now the Federal Trade Commission has jumped onboard, looking for ways to better protect the public from a simple office copier that we now know can leave behind a digital trail of secrets.

[mcateeta]

As a 28 year vet in this industry and a network specialist I think I have a qualified view on this issue. We can rant and rave about the situation as it was so sensationally reported by CBS but pointing the finger at the manufacturer and saying "shame on you" is grossly inappropriate. Most of the manufacturers have numerous methods available on their machines to protect the digital data stored on them. If the data is getting out in public then we need to ask the IT depts of these companies what they're doing. No matter how you slice it the IT dept is responsible for any device and it's use that is attached to their network. The copier companies provide the technology, the dealers provide the know-how. The users make it happen and the management is supposed to control it. Let's concentrate the efforts of prevention where it belongs. And stop pointing the finger at the manufacturers and vendors.

[real-Trib4l]

An absolutely useless report. Utterly nothing more than more fear-mongering.

As other users have stated, I am simply shocked that there are no interviews with the manufacturers, though I'm not surprised if Sharp, Ricoh or Konica Minolta who's machines were featured in this story were not able to be reached for comment. Why didn't they talk to Xerox? The simple answer is that Xerox would have allayed the fear that CBS was attempting to generate by simply restating the previous news story.

To make it worse, they interview a congressman who clearly hasn't done his homework either. It ought to be a pretty short investigation for congress or the FTC since the Common Criteria Certification was created from NIAP, which if I recall correctly was based on the earlier DoD standard for digital information security. Xerox has met/exceeded those specifications for years.

CBS News, I suggest instead of peddling fear that you pony up and do a REAL story on this issue. Talk to the people who know the answer - talk to the people who invented the technology, and most of the technology I'm using to write this comment. Xerox.

A congressman? Really? Honestly, he's got 15 aides to tell him what time it is - do you really think he's the best choice for information for a story about technology? Ugh.

[ctymse]

If you watched the original story on April 19th, then you would know that Ed
McLaughlin, the President of Sharp appeared in the interview with Armen Ketaeyn. All of the other manufacturers were asked, but only Sharp agreed to appear on camera and make a statement. It's good to know that xerox is on board with Common Criteria Certification years after Sharp was the first manufacturer to have their copiers certified.

[real-Trib4l]

Commenting on when manufacturers submitted equipment for certification is a straw-man argument, and is misleading. Xerox is the ONLY manufacturer to have their entire device certified - not just one or two components submitted for testing away from the machine itself. If Sharp is so great, why not submit the entire device? Who cares "who went first" if your devices can be compromised?

Xerox's security personnel were asked to comment, but none of the comments were used - I should have been more specifc. The comments made by Sharp's president suggested that the industry isn't prepared and perhaps all manufacturers were vulnerable were fallacious and also misleading. That may be true of Sharp, but he doesn't speak for the whole industry. Nobody's devices are perfect, but Xerox devices are hands-down the most secure in the industry.

Perhaps it was Larry Kovnat's confidence in his replies that made his comments less than suitable for a sensationalist story - his reply in the comments certainly demonstrates that. Besides, if it doesn't strike fear - it isn't newsworthy.

Besides, the guy who commented above me is right - the burden is really on the IT departments who've now been set to scramble to implement the security - not the manufacturer. It's the manufacturer's job to make the security available, not implement it. Now, whether you charge for that security feature is another story altogether...

[rexrox2]

To the "CRACK CBS REPORTER"; Dos Palos High School is NOT in Sacramento. It's in the town of Dos Palos, a small south-central San Joaquin Valley town about 30 minutes from Fresno.

[wvujeff1996]

Here is the saddest truth to this whole story. XEROX, an AMERICAN company that CBS opted to not even include in this story, has included on pretty much EVERY digital copier they have made since 2002 an immediate image overwrite feature that was STANDARD! More recently, because of price competition, it has become optional on some models. But, for the most part, it remains standard on most.

Want the real kicker? XEROX equipment is fully Common Criteria certified on every single feature, function, nook, and cranny of the box. Competitors such as RICOH, Sharp, Toshiba, Canon, yadda, yadda, yadda, are most definitely NOT. Don't take my word for it, check the Common Criteria Certification website yourself.

For more about Xerox security, please visit http://www.xerox.com/information-security/enus.html

XEROX IS AMERICAN MADE AND IS THE BEST EQUIPMENT ON THE MARKET BAR NONE.

You pay to insure your business. It may cost a few bucks more to buy that new XEROX, but it sure beats the heck out of paying millions to settle a lawsuit where you breached someone's security!!!

[Erik_S47]

It's not just photocopiers. It's PRINTERS! We had a service technician out to repair our older HP laserjet printer; he took a number from the machine, entered it in a web site, and showed us everything that machine has ever printed!

Why on earth would ANY copier or printer EVER need to save data like that???

[greennnnnn-2009]

bcc243: There is a complete and utter difference between "counting" copies than actually "copying" the copies. Apples and oranges. The copy count has nothing to do with the copy content. This feature is not required to "count" copies. Do you not understand that?

[rev_hellhorn]

Save the "Ironkey" spam for a venue appropriate to advertising. The product isn't even relevant to many of the issues mentioned in the article and comments.

As better ideas go, using a free linux boot CD/DVD is a popular solution for using a PC that may have the native operating compromised.

[thesevenveils]

Ironkey is not applicable to this story.
Ironkey is a stupid product. There are far superior products that perform the same function.

[DaveShoe]

What is scary is popular wireless PC keyboards. They are sold cheap everywhere: Best Buy, WalMart, Target, etc. Nearly all transmit each keypress with no encryption at all for distances as far as a half mile or more. Nearby powerlines can carry the signal for miles. The teeny USB dongle antenna that comes with a wireless keyboard can only pick the keypresses for a few feet, but if you hook a real antenna to the dongle the range increases dramatically. Nothing like typing in your bank's url, then your account login name, and then your password, and finding out later there was a harvesting computer nearby automatically scanning all 256 of the allotted wireless keyboard channels within a two block radius, recording the ASCII keypresses to hard disk, and parsing until a juicy keypress sequence shows up. If you are not sure whether your keyboard is the encrypted type, it probably isn't. Most aren't encrypted because they cost more. Who regulates the sale of this dangerous stuff? Note that wireless mice are safe, as clicks and rolls don't transmit sensitive data.

[thesevenveils]

Ironkey is not applicable to this story.
Ironkey is a stupid product.

[alphaa10000]

This story would be vastly more useful if a sidebar defined the term "digital copier". (Home copiers are not always digital.)

Many consumers have no idea what a digital copier is, much less a hard drive. And by now, millions of consumers may worry that their simple, home copiers are prepared to spy on them.

[AlanW21126p]

I recently bought an old used machine from a local warehouse. I pulled the hard drive, and when I copied all the files from it I ended up with over 4000 photos of bare bu**tts. Not bad.

[kno-1]

Obviously no one has been listening to their Xerox rep for the past 8 years. There is a recall feature on copy machines so one doesn't have to place the same document on the screen over and over again to copy. This storage feature was supposed to be the 1st step into a paperless office. Our Xerox rep told us about this feature in 2004.
What, you all thought the copy machine called out to the toner pixies to magically make your documents reappear and print into the paper trays?
People need to pay more attention.

[rykatspop]

Yeah, the other scam is to purchase an extended service agreement, too. Funny, they're only good for what, 3 to 4 years? About the life of the copier, cell phone, laptop, dryer,media player, etc, then you're forced to upgrade or make a costly repair investment. Everything is plastic, but the engineering behind it is brilliant. Talk about maximizing profit. I'm surprised there isn't an after market being tapped into here with all that unsecured data sitting around. There has to be a buck in somewhere for somebody. Hell, America companies can make money selling trash, sawdust, dirt, why not this?