Of course if these companies were really smart, they’d have wiped the drives before going to the recycling company. I’m sure many do. Still, they don’t risk it and want the drives shredded.
Eventually, AES-256 can probably be brute-forced in a reasonable amount of time. If you write all 1s and then all 0s (or vice-versa) to the drive, on the other hand… there’s no way to recover the data. There’s a lot of debate about that statement, but ultimately, if the drive is in fact zeroed twice, it’s physically impossible to recover the data. The debate seems to be mostly around whether zeroing a drive really does zero every bit and that’s not straightforward to prove (many drive erasure programs will offer a printable “certificate” once a drive has been “secure-wiped”, which often mentions a “million dollar guarantee” or whatever… it’s a sham because how do you prove the program failed to erase the data on the drive? Especially days, weeks, or years later?).
No. See https://security.stackexchange.com/questions/6141/amount-of-...
Time is not the bottleneck, energy is.
They invoke Landauer's principle which states that irreversible computation has an intrinsic cost in terms of energy per elementary operation, namely, k T ln(2) where k is the Boltzmann constant. Assuming brute-force search, more than 2^256 elementary operations would be needed, but that would require more energy than available if one converts the whole Sun's mass into energy.
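Worked figures for the Landauer argument above, added here as an illustration and not part of the original comment. The operating temperature T = 300 K and the rounded physical constants are assumptions.

k T ln(2) = (1.381 x 10^-23 J/K) x (300 K) x 0.693 ≈ 2.87 x 10^-21 J per elementary operation
2^256 ≈ 1.16 x 10^77 operations
E_search = 2^256 x k T ln(2) ≈ 1.16 x 10^77 x 2.87 x 10^-21 J ≈ 3.3 x 10^56 J
E_Sun = M c^2 ≈ (1.99 x 10^30 kg) x (3.00 x 10^8 m/s)^2 ≈ 1.8 x 10^47 J
E_search / E_Sun ≈ 2 x 10^9

The bound scales linearly with T, so cooling the computer to about 2.7 K (roughly the cosmic background temperature, also an assumption) only lowers E_search to about 3 x 10^54 J, which is still around 10^7 times E_Sun.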
It doesn't matter if the data is encrypted or not; the point of the matter is the data is still there when presumably that data should not exist outside <X> premises. Encryption serves as a mitigation against theft or accidental leakage of data; its purpose is not to facilitate data disposal.
Put another way, you have to answer Yes to this question for liability purposes: "Is the data gone?" The only way to say Yes with reasonable certainty is physically destroying the storage medium the data resides on.