Commercial repair shops caught snooping on customer data by canny Canadian research crew

Computer scientists affiliated with Canada's University of Guelph have found that electronics repair services lack effective privacy protocols and that technicians often snoop on customers' data.

In a four-part research study distributed via ArXiv, "No Privacy in the Electronics Repair Industry," University of Guelph researchers Jason Ceci, Jonah Stegman, and Hassan Khan describe how they tested the privacy policies and practices of electronics repair shops.

The inquiry consisted of a field survey of 18 repair service providers in North America – three national, three regional, and five local service providers, as well as two national smartphone repair service providers and five device manufacturers.

Representatives of these firms – unidentified in the study as a consequence of the Canadian university's ethical review requirements – were questioned to determine whether they have privacy policies, and how they treat customer data.

Then, repair personnel were asked to perform battery replacement for Asus UX330U laptops running Microsoft Windows 10 – a fix that should not require login credentials or operating system access. Yet, all but one of the firms asked for login credentials.

"None of the service providers posted any notice informing customers about their privacy policies," the paper says. "Similarly, until the devices were handed over, no researcher was informed about a privacy policy, their rights as a customer, or how to protect their data."

And once the laptops were provided, only the three national and three regional service providers offered a terms and conditions document to be signed. Worse still, these contracts disclaimed liability for any data loss.

I wonder why?

Having assessed the privacy policies of these repair shops, the researchers tested the technicians' actual privacy practices by giving them rigged Windows laptops with dummy data to secretly log how repair staff used the devices.

The results were not encouraging: Six of sixteen technicians snooped on customers' data, and in two of 16 tests copied customer data to external devices. Among these six snoopers, one technician did so in a way to avoid generating evidence, while three others took steps to conceal their activities – the device logs show offending technicians attempted to hide their tracks by deleting items in the "Quick Access" or "Recently Accessed Files" on Microsoft Windows.

In a phone interview, Jason Ceci – a security researcher and co-author of the paper – told The Register that the privacy violations referred to in the paper were mostly snooping through customers' photos.

"Some of them were just going through someone's browsing history," said Ceci. "And then in two of the cases, they were actually copying the data off the device. In one of those two cases, I believe, they were going through financial data."

Ceci said the repair shops evaluated were not identified in the study and that they were also not informed of the researchers' findings. "If we told them that we were going to be looking at the logs, and what they did after, we were worried about possible backlash to the researchers who were [dropping the rigged devices off and providing personal information]," he explained.

The other portions of the study involved an online survey and interviews with consumers to better understand how they interacted with repair services. The data obtained suggests that about a third of broken devices do not get repaired due to the privacy concerns of their owners.

• Russia-based Pushwoosh tricks US Army and others into running its code – for a while
• Google slapped with $391.5m settlement in privacy lawsuit
• Apple sued for collecting user data despite opt-outs
• World Cup apps pose a data security and privacy nightmare

Ceci and his co-authors argue there's a dire need to assess privacy policies and practices in the repair industry, which generates $19 billion annually. They cite reports about past privacy violations – like claims that Best Buy's Geek Squad technicians served as informants for the FBI, as well as reports that Apple and Geek Squad technicians have been accused of stealing nude pictures found on devices brought in for repair.

Ceci said regulators should look at the repair industry and consider clarifying privacy rules for device repairs. He also reiterated a point made in the research paper about device makers taking a more proactive approach to standardize diagnostic interfaces and permissions. He pointed to Samsung's recently introduced "Repair Mode" – a way to protect on-device data during repairs – as an example of the sort of privacy protection device makers ought to consider. ®