Running head: Photocopier Privacy

Public Photocopiers and the Digital Footprint Karen Alfino, Jamie Dwyer, Deborah Harnke, and Melissa Hisel Emporia State University

Author Note This case study was completed as a course requirement of LI801XC; Foundation of Library and Information Science, at the School of Library and Information Management, Emporia State University.

Photocopier Privacy

Abstract The photocopier is a standard piece of modern office equipment routinely used by millions of people every day. This case examines a little known issue surrounding the use of copy machines photocopier data security. Like computers, digital copy machines store data on an internal hard drive which can be extracted and read. Protection of the data stored on the hard drive of digital photocopy machines is an issue with ethical implications which have only recently become known. Keywords: information ethics, public library, photocopier privacy, copier data security

Photocopier Privacy

Public Photocopiers and the Digital Footprint INTRODUCTION Almost everyone has some familiarity with photocopy machines but as many as sixty percent of people are unaware that all digital photocopy machines manufactured since 2002 contain a hard drive like that of a personal computer, and that those hard drives record and store an image of every document ever scanned on each machine (Keteyian, April 2010). When ownership of a photocopy machine is transferred those images can be extracted either by reprinting the copies directly from the machine or through the use of forensic software created for that purpose. As a result of heightened awareness of this issue prompted by stories in the mainstream media the Federal Trade Commission issued a series of recommendations for owners of digital copy machines at the end of 2010. When available, the FTC recommends utilizing security features built in some photocopy machines as well as investigating other options for data encryption or hard drive removal before transferring ownership of machines (FTC, 2010b). Most manufacturers of copy machines as well as some other software developers have created programs which encrypt the data stored on the hard drives or rewrite them wiping the hard drives memory. Unfortunately, these programs can be expensive, costing as much as $500 (Keteyian, April 2010).

Photocopier Privacy

CASE STUDY The Podunk town library is a small municipal library in eastern New Jersey. A limited budget prevents the town from employing a full-time information technology (IT) professional to support its computer systems and other technology needs so the library manager who was proficient with most common computer applications was assigned responsibility for all library equipment including security upgrades and maintenance. The manager had elected to rent a multi-function digital photocopier/fax/scanner from a regional office equipment companythe town paid a monthly fee based upon the number of copies made and purchased the toner from another vendor at a bulk discount. This fee structure allowed them to economize; by accepting financial responsibility for the first $250 of any repair or service the machine required, the monthly rental fee was 33% lower than the cost of renting the machine with an inclusive maintenance package. The machines manual recommended a monthly service by a certified technician who would clean the machine, override the hard drive and perform software updates. The charge for this service was $75, so when considering the cost and that the contract with the rental company allowed the library to trade the machine every three years for a newer model, the manager deemed the inspections unnecessary and declined the service. Patrons and staff regularly used the machine for a variety of needsoften the nature of documents scanned, faxed or copied were sensitive and personal such as medical records, credit reports, birth certificates, drivers licenses and social security cards. In 2008, after three years and two months of use, the machine began acting up with excessive paper jams and spotty copiesso the manager contacted the rental company and requested an upgrade. The company sent out a technician who picked up the old machine and left a newer machine in its place.

Photocopier Privacy

Neither the library nor the rental company cleared off the hard drive, which by now had stored thousands of documents in its memory. The old machine was sold at auction as part of a lot with six other machines. The winning bid was placed by an anonymous phone bidder who had the machines shipped to a warehouse in Newark, NJ. The hard drives of the digital copiers were removed and the contents were sold to a criminal group of computer hackers who used forensic software to extract the personal information from the copy machines. The data included names, addresses, birthdates and social security numbers for hundreds of people (including patrons of the Podunk town library) and was sold on a hacker listserv for $300. A few months later, several citizens of Podunk experienced identity theft. The police were able to catch the hackers and trace the information back to the copy machine that was used at the library for over three years. The citizens were outraged and threatened to sue the town. Afraid of a high-profile case, the city quietly fired the manager who had dealt with the copy machine, which appeased the citizens. The library manager newly appointed to take care of the copy machine promptly contacted the rental company and signed up for the monthly services to clean off the hard drive.

Photocopier Privacy

QUESTIONS 1. How can Seversons Principles of Information Ethics (respect for intellectual property, respect for privacy, fair representation, nonmaleficience) be applied to this situation? 2. Was the expectation of privacy violated by the rental company or by the library manager? 3. Should the company or the library have been responsible for cleaning off the hard drive before selling it? 4. Would a lawsuit have been able to identify a guilty party other than the hackers themselves? 5. If the copier rental company did not state outright that the monthly service was helpful because information was stored on the hard drive, did they violate the fair representation policy? Were they responsible for making this clear to the library manager who denied the monthly service? 6. Was the library manager treated fairly by the town? Could he argue that he was wrongly fired? 7. What are other ethical or moral dilemmas related to this case?

Photocopier Privacy

References Federal Trade Commission. (2010, November) Copier data security: A guide for businesses [Brochure]. Retrieved from http://business.ftc.gov/documents/bus43-copier-data-security Federal Trade Commission. (2010, December 3) FTC offers business tips for securing data on digital copiers [Press release]. Retrieved from http://www.ftc.gov/opa/2010/12/copierdata.shtm Keteyian, Armen (2010, April). Digital photocopiers loaded with secrets: Your office copy machine might digitally store thousands of documents that get passed on at resale. [CBS Evening News]. Retrieved from http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml?tagcontentMain!contentBody Severson, R. J. (1997). The principles of information ethics. Armonk, NY: M.E. Sharpe