Is it really safe to destroy the data by "overwriting"?
“Overwriting,” which complies with the U.S. Department of Defense standard (DoD 5220.22-M), has been the standard data sanitization method for a long time. Therefore, many people may still recognize this as an absolute data sanitization method. However, NIST SP 800-88, which was introduced in 2006 (revised in 2014 and currently SP 800-88 Rev.1), is now the global standard for data sanitization. For example, when the DoD method was the standard, SSDs did not exist. NIST SP 800-88 Rev.1 states that from a sanitization perspective, the evolution of SSD storage technology (over-provisioning*1 and wear-leveling*2) has been revolutionary,
making it impossible to erase all the data by overwriting.
*1: A certain amount of extra space is reserved for performance improvement and longevity. This extra space is usually inaccessible to the user, so it cannot be overwritten, which is adverse to sanitization. *2: A function that prevents data from being written to a certain area in order to prolong its life. Therefore, even if data is overwritten for sanitization, it may not be written to the target area, which is also detrimental to sanitization.
*2: A function that prevents data from being written to some areas in order to extend its life. Therefore, even if you try to overwrite, there is a possibility that the data will not be written in the target area, which is also unfavorable for data sanitization.