If you’ve recently had your phone or laptop serviced for repairs, your private data might not be as secure as you think – even if you’re just getting a screen or battery replaced.
University of Guelph researchers Jason Ceci, Jonah Stegman and professor Hassan Khan spent over a year investigating big-box stores, regional chains and local mom-and-pop stores across three cities in Canada to determine the level of privacy in the repair industry, which helps millions of customers each year.
They found it didn’t matter if it was a big box store or a mom-and-pop shop – the majority of service providers lacked privacy policies and failed to communicate how they protect customers’ data, and typically demand more access than required.
But the most shocking discovery? Privacy violations regularly occurred “at just your average shop in Ontario,” Ceci said in an interview with GuelphToday.
While their study, which they say was the first of its kind, found that data theft was uncommon, snooping was a regular occurrence, with viewing revealing pictures or casual folder snooping being the most common violations.
Technicians were largely able to commit these violations because the majority of service providers require all-access to the device, even if it isn’t needed.
For instance, they started the investigation by dropping off laptops for battery replacements – a service that doesn’t require the technician to access the operating system, meaning they don’t need login credentials. However, they were asked for them anyway.
When researchers asked why the password was needed, most said it was either for paperwork or to run diagnostics, and some even said they couldn’t complete the repair without it. The ones who were willing to complete the repair without the password said they wouldn’t be responsible for the quality of the service.
When it came to privacy policies, Ceci said they were ambiguous at best, “if they even had one.”
For example, a policy might state the employees are not trained to access the data except in limited circumstances, but that’s not a guarantee they’re not going to unless it’s explicitly stated.
Since the policies are vague or non-existent, researchers asked whether or not technicians would access their personal data.
“And of course, all of them said absolutely not,” Ceci said. But it turns out, that wasn’t always true.
In the second part of their study, the devices they dropped off for repairs were rigged to monitor everything the technician did with the device.
This time, it was for an audio repair, which requires OS access but doesn’t require accessing user files. They set up the devices with female and male personas, complete with email and gaming accounts and a browser history of several weeks, as well as revealing pictures and a cryptocurrency wallet.
“There were some violations at those same places,” he said.
Their investigation found that over 37 per cent of technicians violated customers’ privacy, accessing users’ documents, revealing pictures and browsing history. One even copied revealing pictures and a password-containing file to an external device.
Some also covered their tracks, clearing items in the quick access or recently accessed files.
Covering tracks probably isn’t even necessary, though, considering a survey they conducted found most respondents wouldn’t know how to tell if a privacy violation occurred.
“That's what the goal of this research was in the end, to help those people,” Ceci said.
While he found people are typically aware of and worried about privacy risks when it comes to repairs, he said they tend to have more trust in businesses with good ratings.
However, those ratings don’t necessarily matter when it comes to privacy concerns. They only investigated local businesses with ratings of 3.5 or higher on Google Maps, several of which were caught snooping or covering their tracks.
Trustworthiness, they said, should instead be determined through legal rules, security controls, open policies and processes, and professional ethics.
Ceci said when looking for a place to get a device repaired, there aren’t really any tells of their trustworthiness, but that some of the more trustworthy places were open to fixing the devices in front of them, which eliminates the chance to snoop.
But that only works if it’s a quick fix.
If you have to leave your device there, he said the best thing to do is backup your files and remove sensitive ones from the device before you go in, even though it can be time consuming to do.
“Like if you're just replacing a key on the keyboard, the password required for that doesn't really make much sense. Then, for some repairs like virus removal, the password might be required, because you might have to go into the computer and remove it from multiple files or something. So it depends on the situation.”
Service providers also need to have clear policies and controls to protect customers’ data from snooping technicians, he said. This includes losing the “all-access” model, in which they require all login credentials for the repair. They also suggest the industry should be subject to assessment via video recording with random audits or mystery shoppers.
They also suggested similar food inspections with the FDA, inspections are completed at service repair shops and certificates administered if they pass the inspection.
You can read the full study here.