Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy

Small Study Finds Computer Repair Shops Accessed Personal Data - And Sometimes Even Copied It (arstechnica.com) 128

Ars Technica reports on what happened when researchers at the University of Guelph in Ontario, Canada, left laptops overnight at 12 computer repair shops — and then recovered logs after receiving their repairs: The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device....

The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren't recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data. In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks....

The vast majority of repair shops provide no privacy policy and those that do have no means of enforcing them. Even worse, repair technicians required a customer to surrender their login password even when it wasn't necessary for the repair needed. These findings came from a separate part of the study, in which the researchers brought an Asus UX330U laptop into 11 shops for a battery replacement. This repair doesn't require a technician to log in to the machine, since the removal of the back of the device and access to the device BIOS (for checking battery health) is all that's needed. Despite this, all but one of the repair service providers asked for the credentials to the device OS anyway.

When the customer asked if they could get the repair without providing the password, three refused to take the device without it, four agreed to take it but warned they wouldn't be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.

This discussion has been archived. No new comments can be posted.

Small Study Finds Computer Repair Shops Accessed Personal Data - And Sometimes Even Copied It

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Sunday November 27, 2022 @04:23PM (#63083660)

    some places may do viruses / malware scans as part of any repair and that can make files be listed as accessed.
    Now some stuff like ccleaner does clear / flag to be cleaned some history like Recently Accessed by default.

    • by quantaman ( 517394 ) on Sunday November 27, 2022 @04:49PM (#63083726)

      some places may do viruses / malware scans as part of any repair and that can make files be listed as accessed.
      Now some stuff like ccleaner does clear / flag to be cleaned some history like Recently Accessed by default.

      Table 1 in the paper is a lot more compelling than the evidence listed in the summary.

      Basically, they looked at three levels of service providers National, Regional, and Local. The National providers are a good comparison group since you'd expect them to have the strongest privacy policies since a store with a particularly bad repair crew can make the news and cause major brand damage.

      Basically as you go from National to Regional to Local technicians start looking at more and more things like personal info, pictures, as well as deleting logs. As well women got snooped on more than men.

      There's also not much reason for the technician to go poking around the user's photos, particularly revealing photos.

      I think my one complaint is that N is pretty small to draw any statistical conclusions, though it's certainly cause to investigate more.

      • by Joce640k ( 829181 ) on Sunday November 27, 2022 @10:56PM (#63084286) Homepage

        There's also not much reason for the technician to go poking around the user's photos, particularly revealing photos.

        You send in a laptop belonging to "hotgrrrl69" and expect the average repair tech to not have a little peek at the files?

        You have a lot to learn about the human race.

      • This whole thing seems a little bit suspect though, I know techs who work for various companies and their prime goal is to get the thing up and running again as quickly as possible and with as little effort as possible, log a completed job, and get it out of the way. The last thing they're going to want to do is start poking around in someone's SSSBBBBBW porn archive.
    • Maybe they do backups as well so the files could be copied legitimately.

    • It's been many years since I did computer repair, but I was the one who implemented the policies and practices at the little repair shop that I worked for.

      I used FOG to create an image of the computer before I did anything else.

      I would then wipe the computer, re-install the OS and then copy the files back into place.

      That was the standard operating procedure. I would sometimes see file names, but I would never open any of the files.

      I would then give the customer optical media (or, if they paid for it, an ext

  • Obviously (Score:5, Insightful)

    by TwistedGreen ( 80055 ) on Sunday November 27, 2022 @04:25PM (#63083662)
    Yep, when you bring your computer in, all your data is at the mercy of the technician. Even if you don't give your password. 99.9% of the time it's of no interest whatsoever. If you have something to hide, well, you should encrypt it or learn to repair it yourself. Not sure why this is a surprise...
    • by jmccue ( 834797 )
      For some reason, I thought this snooping was/is also encouraged by law enforcement.
    • I would expect them not to access it. Because it seems like a breach of privacy and ethics. Now obviously, i would not rely on these shops without additional protections. But your average consumer might.

      • Re: (Score:3, Interesting)

        Seriously?

        1. How many people have a recent backup so that if it's necessary to re-install software/the OS they can recover?
        2. Given that restore points were turned off by default in Win10, how many people even have a restore point?
        3. How many of them even have/can find their legit install media?
        4. How are you supposed to verify it works without running it?

        If it wasn't a laptop, you could just remove the hard drive before bringing it in, along with your install media. And many laptops that appear at first glance

      • Nice sentiment but naive.

    • by gweihir ( 88907 )

      Passwords do not protect against anybody with hardware access. Disk encryption does. Of course, if the disk encryption is tied to the password you should not give that either. Oh, and do a complete shutdown, not some "suspend"-nonsense.

      • Many, probably most, repairs need access to the hard drive to replace drivers, clear malware, etc. There's literally no way to repair it without disk access because the problem isn't hardware but something in the file system. This tip is only helpful if you keep all your data on a volume separate from the boot volume. (Which is a great idea, but try explaining it to the typical clientele of a computer repair shop.)
        • On Windows or Linux, you can have encrypted files which are decrypted with your password, so if you don't give them the password to your personal account then your personal data is encrypted.

          I wouldn't know about OSX, I would tend to imagine they have something similar but they aren't relevant enough for me to take the time to find out.

          • by gweihir ( 88907 )

            Good point. EncFS says it also works on Mac. No idea how difficult it is to set it up there and I use LUKS on linux (separate user/data partition) so I have not experience with EncFS there either.

          • Which is functionally identical to "keep your stuff on a separate volume", but even harder to explain to non-techies. I mean, no one with the tech savvy to set up transparently encrypted files is going to bother taking their machine to the Geek Squad.
        • by gweihir ( 88907 )

          Sure. The key problem in computer security is the user at this time and it will remain so for a long time. If you need help with what is on the storage, you have to provide storage access, obviously. You could get a tech in and look over their shoulder while they work, but that is expensive and time-consuming. May still be worth it, but people are cheap and not very smart, so...

    • Yeah, my reaction was "Well, duh"

      If people have the opportunity to snoop, they will snoop. Maybe not everybody but I would have no expectation of privacy when sending a machine in for repair.

    • by antdude ( 79039 )

      Not everyone knows how to repair though. :(

    • Yep, when you bring your computer in, all your data is at the mercy of the technician. Even if you don't give your password. 99.9% of the time it's of no interest whatsoever. If you have something to hide, well, you should encrypt it or learn to repair it yourself. Not sure why this is a surprise...

      We accessed personal data all the time... we had a program to do it in fact: OnTrack Easy Recovery. We used the similar program to conduct a reasonably secure erase with overwrite.

      Nothing nefarious, but before we did anything that could affect customer data we pulled their drive, grabbed a temp drive, and told ER to backup the data. If anything happened we had a backup to start from, if nothing happened it was just put in the secure erase bin.

      I didn't want to know what people had on their computer in

  • It's not like these issues have been limited to just small repair shops?

    https://www.businessinsider.com/apple-settled-lawsuit-womans-nudes-leaked-iphone-repair-workers-2021-6#:~:text=1%20Apple%20settled%20a%20lawsuit%20involving%20a%20woman,woman%27s%20lawyers%20had%20demanded%20%245%20million%20in%20damages.
    • It doesn't. The study looked at small local shops, as well as medium and large chains and identified the problem is more prevalent in small shops.

      That's the difference between actual science and your whataboutism.

      • by HiThere ( 15173 )

        OTOH, the sample size was really too small to draw any conclusions. It's more a warning than a scientific finding. And a suggestion for a larger study.

        • the sample size was really too small to draw any conclusions

          Was it? Show your working. You may be right, but so far you've only shown one part of a complex statistical problem. For example I could sample a system 10000 times and get 5001 positive responses showing no statistical ability to reject a hypothesis. Or I could sample 10 and get 9 responses showing which suddenly is statistically significant.

          The ability to draw conclusions is not just based on sample size, it is also based on sampling process as well as results.

          You're probably right the sample size is quit

  • Own experience (Score:2, Informative)

    by blackomegax ( 807080 )
    Back when I worked for a PC repair shop (way longer than 1 or 2 statue of limitations...., p3/p4 era.), we would copy user data all the time. It was literally part of the job. You back the data up before you commit changes like viral purges or windows re-installs, then restore the data as the user had it.

    Often, we'd keep copies of the porn or pirated movies the users had.

    There was one guy though...had 60+ gb of loli hentai. Turned that one over to the cops, but they ended up doing nothing.
    • Re:Own experience (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Sunday November 27, 2022 @06:10PM (#63083860)

      had 60+ gb of loli hentai. Turned that one over to the cops

      Why? Do you feel bad for the poor abused imaginary pictures? Are you concerned someone is committing a thought crime? The only illegal activity taking place was you snooping through someone's personal data, pretty damn risky to call the cops there.

    • As disgusting as it is, it's not illegal for pedophiles to have "loli hentai" which the cops obviously knew. But you can be sure that those people's names were given to a Taskforce to be added to a watchlist.
    • There was one guy though...had 60+ gb of loli hentai. Turned that one over to the cops, but they ended up doing nothing.

      This never happened so much that it unhappened things that actually happened.

  • by mike42hunt ( 7446156 ) on Sunday November 27, 2022 @05:54PM (#63083840)
    I own a small computer repair shop, baldwinbytes.com. When I back up customer's data I make it a point to tell them that I can't pick and choose what I'm grabbing I just get their user folder after making sure hidden files are shown. Then I check for any folders in the root of the c drive that looked like they were made by the customer and back them up as well. Maybe I'm in the minority but I seriously don't want to know any customers personal details as it's none of my business. Also I will only ask for the password if it's absolutely necessary which unfortunately is necessary much of the time but obviously a battery replacement wouldn't need a password. People put a lot of trust in me when I have their personal data in my possession and I don't want to lose that trust as I'm a very small business and it could harm what I'm trying to do.
  • by Chelloveck ( 14643 ) on Sunday November 27, 2022 @06:46PM (#63083918)
    Bloody amateurs. Everyone knows you remove the drive and image it before you go digging for the nudie pics. Um, I mean I'm shocked - SHOCKED! - to hear of such goings on in this establishment!
  • Because if this were an actual problem, the free market would solve it, right?
  • is standard operating procedure. So when the customer complains that data is missing after what ever disk scan tool ate the data, you have it.
  • The article seems to be very biased in assuming that there is malicious or otherwise unethical intent. People want their info recovered or transferred to a new computer, etc. How am I supposed to do that without searching for the data and potentially looking at it briefly in order to verify it is what I'm looking for? If you are thinking that most people keep this stuff organized, you're wrong. A chaotic mess of folders on the desktop is typical. "Copied the data onto a personal device" could be someth
  • Speaking as a former it service desk grunt, and a manager; oftentimes the process requires looking at some data. I also know folks that have better personal tools than the company provides and between shades of grey stuff automagically happens.
  • Bestbuy having a long standing "off the record" relationship with the FBI for doing exactly this: https://www.cpr.org/2018/03/07... [cpr.org]
  • Just ask Hunter Biden and the entirely of the left slanted media. More fake news! (Hey, someone has to mention the irony)
  • Too bad sometimes the customers forces us to see their personal stuff. One person bought in a computer that would not boot. We got it to boot and the first thing you saw on the boot screen was KIDDY PORN! The Cannon shop a block away reported a person making fake money. How? The colour copier was bought in for not working. When they took it apart they found a 'proof sheet jammed inside. Sometimes it is not the repair shop doing the wrong thing.
  • We trust people every day with sensitive personal information as a matter of course.

    Our HR department knows our salaries and health info. Our insurance knows the smallest medical detail. Our counselors and psychologists hear all sorts of shit in our heads that should never come out. Our lawyer knows our financial and other secrets. The IRS knows our wealth. We used to trust priests with our sins.

    Not all of these thousands of people are going to be worthy of that trust.

    This is why it is a worthwhile eff

You are always doing something marginal when the boss drops by your desk.

Working...