When you need to drop off your tech device for repair, how confident are you that it won’t be intercepted?
CBC’s market When smartphones and laptops were brought into repair shops across Ontario, including major chains Best Buy and Mobile Clinics, in more than half of the documented cases, technicians removed intimate photos or personal information unrelated to the repair. It turned out that the information had been accessed.
market After installing the monitoring software on the devices, they took them into 20 stores, ranging from small independent stores to medium-sized chains to large national chains. A total of 16 stores were included. (In four stores, either the tracking software didn’t record anything or the stores didn’t appear to turn on the devices.)
Technicians at nine stores had access to personal data, including one who not only viewed the photos but also copied them to a USB key.
featured videosIn an exclusive investigation, Marketplace dropped devices loaded with secret software to document what repair technicians see during repairs.
“These results are frightening,” said Hassan Khan, an associate professor in the Department of Computer Science at the University of Guelph. “It can look up information, search for data on a user’s device, copy data from a user’s device…this is the worst thing you can do.”
To investigate the extent of privacy violations by repair shop technicians, market teamed up with Khan, who previously worked on Privacy Protection. study When repairing laptops at a number of stores in Ontario, it was discovered that many of the technicians were spying on personal data.
for market As a result of their research, Khan, along with graduate students Angela Tran and Brandon Litt, discovered that the types of personal information many users likely have on their devices, such as financial information, social media, email accounts, and browser history. The data was loaded onto four smartphones and six laptops. Because it was an experiment, the information was fake, so no personal information was at risk.
market Intimate selfie-style photos of the two models with their faces cropped out were also taken, and those photos were saved on the device along with other general photos.
For laptops, Khan and his team first created a repair problem by disabling WiFi. Technicians at the first few stores didn’t have to have devices on hand to make repairs, so by disabling the USB ports, Khan’s team was able to eliminate the need for stores to have devices on hand to make repairs. This caused a new software problem that does not work.
Kahn and his students installed secret logging software that takes screen captures and records what technicians access during each repair.
In testing the smartphone, Concordia University’s Mohammad Manan, a professor and Ph.D. Student Sajjad Polari installed logging software that caused a repair problem with a flickering screen and recorded the technician’s actions on the screen.
Khan and other computer science experts market From what I’ve heard, they don’t need to see any photos or files for these types of repairs.
“It makes no sense to go through these files and look for fixes,” Khan said.
market shared the findings with former Ontario Privacy Commissioner Ann Cavukian, who said, “Personally identifiable data is highly sensitive.”
“We have to stop this [behaviour] …And we have to find a way to draw public attention to this. ”
Federal privacy laws require all commercial businesses, including technology repair shops, to limit the collection of personal information to what is necessary.
accessed intimate photos
market We visited two stores of Mobile Klinik, a smartphone repair chain with over 150 stores across Canada.
At one location in Mississauga, Khan’s team did not detect any snooping on smartphones brought in for repair. However, at one location in Woodbridge, the team documented that mobile clinic technicians were scrolling through Facebook accounts on the device and examining photos, including intimate selfies, stored on the phone.
in a statement to marketa spokesperson for Mobile Clinic said, “This incident is unacceptable,” and “protecting customer privacy is our top priority.”
The company said it has “strong policies in place” to protect customer data. “Following our own investigation and based on information provided by CBC.” market, it is clear that the technician who repaired this device did not follow proper procedures. As a result, the engineer was fired. ”
The company also said market The company said it is using the incident to increase privacy and data security training for its employees and wants to introduce its own secret shopping program using screen capture technology.
rear market When the laptops were dropped off at Best Buy’s Markham store, an electronics and tech repair chain with 164 stores across Canada, Khan’s team found that technicians were using the laptops with names like “bikini” and “perfect for a date.” I discovered that I was viewing multiple photo folders, including a photo folder that I had uploaded. And “nightwear”. The technician also deleted the opened intimate photos from recently accessed files and erased all traces of it being opened.
“They are erasing their footprints,” Khan said. Without this type of logging software, average consumers would not have known that technicians were examining these photos.
Cavoukian said engineers “have absolutely no right to this information.”
“I think that’s terrifying,” she said.
market Best Buy did not provide comment despite repeated requests for response.
At a Best Buy store in Oakville, Ont., two Apple Stores and a few independent shops, employees said repairs may require reloading or reinstalling the device’s operating system. Ta. Khan said this would wipe out logging and monitoring software. market We did not leave the device there and excluded these stores from the test.
Photos copied to USB key
market I dropped off my laptop at the Oakville and Markham stores of Canada Computers & Electronics, an electronics and technology repair chain with 42 locations across Canada. At both stores, technicians viewed intimate photos.
At the Markham location, technicians displayed intimate photos as oversized icons. This makes it easier to see without actually opening it and prevents it from appearing as a recently accessed file. This person also viewed the laptop’s browser history and copied all the photos on the laptop to his own girlfriend’s USB key before finally repairing her USB drive.
“On what planet would that be allowed?” Cavukian said.
Canada Computers said in an emailed statement that it takes its “obligation to respect the privacy of our customers” very seriously and that its own investigation into the incident revealed that the incident involved a technician at one of its locations. The incident was determined to be an isolated incident that violated the company’s privacy policy. It also said that “the employee has been subject to disciplinary action.” The chain said other technicians were attempting to “diagnose the issue” and that this “does not include any attempt to inappropriately access personal data.”
The company added: Marketplace According to the investigation, the company’s technicians were “provided with a refresher course on how to protect customers’ personal information while diagnosing and repairing electronic equipment.”
market Also We documented technicians accessing the photos at four independent stores, one other medium-sized chain, Dr. Phone Fix, and KW PC and Cell Repair in Kitchener. SK Computers in Brampton. Markham Computer Link. and Link It Up in Mississauga.
Each of these companies market We communicate our commitment to protecting customer privacy in individual emails, most often mentioning our company policy on data privacy.
KW PC and Cell Repair states that its policy is that “all customer data is private and should not be viewed except by chance during a diagnosis,” and that all employees have a data privacy policy. It added that it is re-implementing the policy.
Link ItUp said it was investigating, saying the company has data handling policies and procedures and that “employees found to be in violation of these policies will be subject to corrective action.”
Computerlink said its engineers “were not involved in any data snooping” and may have randomly accessed some files for troubleshooting and diagnostic purposes, as well as to verify data integrity. He said that there is a sex. SK Computers said a search of all the photos on the computer by its technicians would have been a necessary step to thoroughly inspect the device and identify potential viruses.
Khan said there are more effective and less invasive ways to verify data integrity and check for malware and viruses than opening or viewing personal images.
A phone repair doctor said the phone’s screen exhibited “ghost touches,” a phenomenon in which the screen changes without the user’s prompting, and that photos may have been accidentally accessed without the technician taking any action. Ta. However, the technical team behind Marketplace Testing confirmed that the phone does not have ghost touch issues.
market Devices dropped at seven stores where technicians didn’t sniff: Mobile Clinic in Mississauga; Gadgets of the Future in Mississauga. His PC Shop Computers in Kitchener. PhoneJI in Mississauga. His Apple Service Depot in Markham. KW Cellular in Guelph. and Nerds 4 Hire in Markham.
Mr. Cavoukian asked the Federal Privacy Commissioner to investigate. market‘s discovery.
Canada’s Privacy Commissioner Philippe Dufresne declined an interview request. However, a spokesperson for the Privacy Commission said in a statement that companies should not open files that are not needed to repair a device. If required, meaningful consent must be obtained from the device owner.
“In this day and age, privacy cannot be an afterthought for tech repair companies,” Kaboukian said.
Khan said that technology repairs will be recorded and randomly audited to ensure no privacy breaches occur during repairs, and that fines will be imposed on technology repair companies that access personal data unnecessarily. I hope.
“Users shouldn’t be responsible for magically making sure there’s nothing on their device that these people can’t snoop on.”
