A study by Canadian computer scientists has found that technicians at electronics repair shops often sneak a peek at customers’ private data and sometimes copy it, too.
While many PC and smartphones owners worry about how vulnerable their data is when handing a device in for repairs, this research aimed to discover how common snooping is at large and small repair service providers.
As spotted by Ars Technica, researchers at the School of Computer Science, University of Guelph, Canada report their findings in a new paper, suggesting that it’s quite common for repair technicians to snoop on customers’ private data.
The researchers also found that most electronics repair service providers don’t have a privacy policy or protocols to protect customers from technicians snooping on their device’s data, and also by default ask for OS credentials when they’re not necessary for repairs.
To do so, the researchers dropped six newly purchased Windows 10 laptops in for repairs, with the audio drive disabled to create the impression there was an issue that needed fixing. Then, after the devices were fixed and returned, the researchers analysed device logs to check for any privacy violations that may have occurred while in for repair.
They took the six laptops to 16 small, regional and national repair service providers between October and December 2021. Three devices were configured with a male persona and three were configured with a female persona. They recruited three male and three female experimenters to drop the devices in for repair.
The researchers found that technicians at six of the 16 providers snooped on customers data, while technicians at two providers copied data to external devices.
Of the six locations where snooping occurred, three removed evidence, while one did it in a manner to avoid generating evidence.
The researchers picked the audio issue to be fixed because of its ease of repair and that it didn’t require access to user files to repair — unlike malware removal. The researchers found a technician at one national provider accessed a female experimenter’s revealing pictures. At regional service providers, there was a privacy violation against male and female experimenters where documents, pictures and revealing pictures were accessed. A male experimenter’s browser history was viewed by a technician, and revealing pictures were zipped and transferred to an external storage device.
For local service providers, they found a technician had accessed the browser history of one male experimenter, while a technician in this group access the female experimenter’s documents, pictures and revealing pictures, as well as copied a file containing passwords and revealing pictures to an external device.
Additionally, technicians at three service providers cleared items in in Windows’ “Quick Access” list or “Recently Access Files”. In another instance, the technician zoomed in on thumbnails so they didn’t leave a trace of having accessed the file.
The electronics repair industry provides economic and environmental benefits, Khan and fellow researchers write in the paper. “However, there is a dire need to measure the current privacy practices in the industry, understand customers’ perspectives, and build effective controls that protect customers’ privacy.”
