Commercial repair shops caught snooping on customer data by canny Canadian research crew Computer scientists affiliated with Canada's University of Guelph have found that electronics repair services lack effective privacy protocols and that technicians often snoop on customers' data. In a four-part research study distributed via ArXiv, "No Privacy in the Electronics Repair Industry," University of Guelph …
There have been so many stories over the years of repair personel rummaging through the hard drives of devices in for repair.
It would never even cross my mind to supply a device for repair without a virgin hard disc/os in. Though I'd be likely to request repair only for a hardware part - a socket or module perhaps - that I couldn't easily obtain elsewhere.
Not surprised at all.
For all of my personal (and family) gear I'm the first port of call for repair, and (touch wood) so far I have never had to hand any hardware over to a shop for repair. And if I ever did then any personal data would be removed beforehand.
SWMBO went on a holiday to Las Vegas a few years ago, and she was provided with a dumb phone for the trip. And any documents that had to go with her were placed on a microSD card that was placed into a hollowed out pound coin. And this was just because I don't like the TSA policies they have over there.
I know haters got to hate .... but sometimes I wish they'd actually let you know what it is they're hating.
I've reread what I put and can see nothing offensive. Only that my 'nobody gets my personal data' policy is extended to gum'nts that tell you in advance that they're gonna grab what they want if you visit their precious shores.
---------> Cos you always want to avoid his gaze!
It was just a microSD with images of passports, tickets, etc. So that if the originals were lost they'd have something to refer to.
The hollowed out coin was purchased off the interwebs, was VERY hard to spot, was marked so SWMBO wouldn't try to spend it accidentally, and was UK currency so wouldn't even come out in the US. It's also not illegal, and would have been produced if it (or anything similar) was asked for.
So the fact that Wifey was informed and onboard for the whole thing, as well as being aware of possible issues that might occur, doesn't change the view people have of the situation one bit?
The one I managed to reel in may be blonde but she ain't blonde, if you get what I mean!
Yes, when you arrive in the US on an international flight, you go through Customs. That's a cursory check for the vast majority of people. They look at the form and wave you through. They don't examine your luggage or other possessions. Even if they did, hollowed-out pound coins with SD cards are not high on their list of things to look for.
KittenHuffer mentioned the TSA, who would be involved for the return trip. That's even less of a concern. CBP officers are Federal officers; TSA scanners are not. TSA scanners consistently fail to catch 90-something percent of suspect material in tests. Their primary effect is to make people throw away their water bottles.
Things will go badly if the customs people find a hollowed out coin with microSD. You might just want to set up a (password protected) website in your home country with the documents to download once SWMBO gets to the coffee shop after customs.
Then again, maybe SWMBO getting the rubber glove treatment is part of your fun.
hollowed out pound coin
*Sucks teeth*..
Defacing the currency of the realm eh? Prison is too good for you!
(As a callow yoof I got severely told off by a British Transport plastic policeman[1] for putting an old penny[2] on the local train line - I wanted a nice flattened copper disc and thought it would be fun to try[3])
[1] Looks like a policeman but actually isn't. Yes, they do have some limited ability but, away from stations or rail lines, they have very, very little power. And the one that tried to stop my motorbike as I was riding past our local station nearly ended up with a road-legal, doing a legal speed 125cc learner bike (it was a long time ago) embedded in his pelvis. Lesson: don't leap out in front of a bike doing 30mph and trust that the rider has sufficient reflexes to stop. Luckily for him, I did. I also had the sense to refuse his request for my license and registration details - since I wasn't on BR property nor doing anything illegal he had precisely zero right to ask me for them. He wasn't happy but there was nothing he could do and he knew it.
[2] Big old copper coin. I think it was George VI..
[3] Don't try this kids. I'd forgotten that the line was carrying the new-fangled 125 trains that could go a good deal faster than the old DMU's..
British Transport Police (assuming actual police, not PCSOs) have the same powers as any other police. Yes, their remit is the railways and they won't normally work away from those unless requested by a neighbouring police force, but they do have the normal powers to do what any other police can do. Same applies to other specialist police units such as those who guard indrastructure such as gas terminals, and nuclear sites.
But that is fine if you know what you are doing and have a spare HDD. To get a HDD out of many laptops requires taking it apart, and not only does that mean having the screwdrivers (small or security), but also tools to get into the case without damaging.
People on here are probably OK doing that, but I know many people who would not know what to do or even want to do it (for damaging my case).
Also a lot of people would need to look at the internet for the fixit sites or youtube videos and the laptop maybe their only way onto the internet and if it is busted, they have no way to get that info.
Bring back the days where HDD's were easily removed, RAM upgrades was via a 2 screw slot at the bottom and batteries were not embedded within the guts of the machine
"Bring back the days where HDD's were easily removed, RAM upgrades was via a 2 screw slot at the bottom and batteries were not embedded within the guts of the machine."
Oh absolutely! I recently upgraded a small batch of HP laptops from HDD to SSD for a friend's organisation. Both the RAM and drives were accessible via a one-screw slot on the underside. As part of the payment, I was gifted one of the laptops, which I upgraded similarly, as well as upgrading the RAM. However, not long afterwards, I discovered it needed the CMOS battery replacing, and THAT required the laptop to be completely dismantled and the motherboard removed!
Ah well, 2 out of 3 wasn't too bad, I suppose...
"Bring back the days where HDD's were easily removed, RAM upgrades was via a 2 screw slot at the bottom and batteries were not embedded within the guts of the machine"
Except few will buy them because "everyone"[*] wants slimmer and lighter laptops. Extra panels for ease of access weakens the already thin casing.
[*] most consumers have been trained by marketeers, social meeja influencers and peer pressure.
And if that's not available, you look on iFixit for a manual. Replaced the swollen battery of a 2013 MacBook Pro (the one that had the glued-down batteries) without a problem. Bought the battery off iFixit, followed the great little guide in the package, and hey presto!
That's one thing iFixit is *really* good at...
To get a HDD out of many laptops requires taking it apart
I had some some fun getting some defunct laptops (no HDD or battery) out of Salzburg (we had an office there and I was bringing them back to the UK to be freshened up, rebuilt and re-deployed).
The very officious lady at outgoing passport control demanded that I boot them up (presumably to ensure that they were read computers and not bombs..). She insisted that, if I couldn't boot them up, they would be taken off me and destroyed.
I pointed out that they had no battery or HD so wouldn't be able to boot. She insisted. I suggested that, if they were going to be destroyed, I'd need her name, badge number and rank as well as a signed receipt. We would then invoice the Austrian Government for the cost of replacements..
One of her senior colleagues then had a quiet word with her. I happily signed a bit of paper (in English and German) to indicate that there were no explosives in the laptops and went on my way.
(I did have a toolkit in my luggage - but that was, by this time, already in the cargo hold. And, if I'd had to open each of the cases, I'd miss my flight and would have to spend another 8 hours in the terminal and (of course) miss my connecting flight to the UK).
"It would never even cross my mind to supply a device for repair without a virgin hard disc/os in." Many/most people in my family would never dream of taking any steps to protect themselves. This type of article is annoying on the one hand, so bleeding obvious. And necessary on the other hand, because so many people, like Kyle (Michael Biehn) in The Terminator, "don't know tech stuff". It's like beating a drum. There will never be a point where _everybody_ heard the message, so just keep beating the drum, give one more customer a chance to hear. And on the supplier side, it's management that needs to tighten up their controls. So they also need to read articles like this.
Well this idea of putting in some other drive before sending the laptop to the shop seems to pose a bit of a catch-22 in my mind.
Say my laptop's got a duff headphone jack. I want the OEM or their agent to fix it. Won't this repair party usually be very interested in avoiding the cost of the service if they perceive that I have "voided the warranty"?
Regardless of my "right to repair/upgrade" my kit, I can only see this strategy ending in an interminable debate with the repair party.
Do you put a clean OS on the drive first? One that has all the drivers and sniffs just like the OEM one?
Thanks for the judgement. As it happens, a "dead" machine was brought in and my colleague determined it just need a Windows reinstallation, there was no actual hardware fault. To go the extra mile he ran a quick scan for lost files thinking how pleased the customer would be that we had saved their data, and immediately saw a bunch of filenames that left no doubt that it was child porn. We locked the machine in the safe and rang the police. I can sleep at night over that one.
I'll withhold judgement since we don't know anything about what the agreement was between the customer and shop. It sounds like the customer might have been very vague about what was to be done, in which case attempting to recover files would be justifiable, and then as you say if there were reasonable grounds for suspicion based on filenames it's hard to see this as a privacy violation.
The cases given in the article were obviously more clear-cut.
That really depends how obvious things were, but it would have to involve a pretty low effort before you're breaking your contract or the law. I don't doubt that criminals have been captured that way, and I am inclined to believe that your story isn't a lie, but it certainly isn't justified for other snooping to occur.
give the entire field a bad name, especially since most are looking for sexy pics and usually can't help sharing them around. Not just the idiot 20-yos, there were plenty in their 30s and 40s who got their kicks that way, like there aren't a billion sexy pics just a google away.
Full disclosure: When I've told people they can't store their iTunes library on their network folder, back in the heady pre-Spotify days, I've been known to first snag an album or two.
If they are storing stuff on your company network, then that is different - no expectation of privacy, and have the right to delete it! However, if you were copying music off their laptop, then that makes you a bad commentard!!
Maybe the Chucklefucks are trying to get five minutes of fame and catch the next Gary Glitter?????
I have a Win10 computer that randomly crashes with an unspecified hardware error, but I won't be taking it to a shop. What I don't get is what the problem is. Linux runs for days, and it passes the laptop's 6 hour hardware tests. The thing won't let me reload Windows either as it gives a random error when I try from the hard disk, won't find the hard disk when I try from USB, and Windows keeps saying anyrhing I try doing in Safe mode isn't allowed in Safe. I'll get it eventually, but it's been damned annoying and certainly isn't making the case for Win11. Personally I think it's Microsoft punishing me for leaving the computer turned off and telling the router to block its access for about 6 months, so they couldn't slurp.
I bought it specifically for doing my taxes on, and all I've ever done on it is taxes, but am concerned that a minimum wage shop tech hunting fame might load up some files so they can "find" them. They get their 15 minutes, and I get to spend a few hundred thourand to avoid going to prison as a kiddie diddler with no guarantee of success. These days in the US, being accused is a guilty verdict even if you're found innocent. Best to not risk it because a new computer is far cheaper.
It's ILLEGAL to look. Under GDPR especially. regardless of who it is and what is/was found, those techs should be fired AND FINED.
I don't keep any data on my laptop, but would still rather buy brand new under an insurance policy than hand it over to PC World or similar.
You can justify snooping however you like but how many personal private nude pics have been stolen or even uploaded onto the internet because repair room techies are basically little kids.
@vishal vashisht
"It's ILLEGAL to look. Under GDPR especially. regardless of who it is and what is/was found, those techs should be fired AND FINED."
After giving the hard drive contents to the FBI (in the US so no GDPR) the IT repair guy was worried he would be 'disappeared' as NOTHING was done about it. So went to a lawyer to make it public. This article being about North America.
It's still illegal to look under the CFAA in the United States. Finding files without snooping is a grey area, but reading lots of files, even if they do contain evidence, is not permitted when the service being performed doesn't require it. Whether or not a crime was committed, and based on the actions of law enforcement there has been no confirmation, searching a drive is already illegal.
@Zippy´s Sausage Factory
"I'm not an American but if the information wasn't legally obtained, doesn't the 4th amendment come into play? "
Me either I just know GDPR doesnt apply. I find it interesting how excited people are to hit the downvote button. I suspect I upset Biden lovers.
I was at a domestic job yesterday where her hotmail account was compromised and the lady had difficulty changing the password as she used it all over other places. We went though various accounts changing them, and despite me having typed in the passwords initially and she wrote them down, when she did it, I still turned my head. Just habit. She thought it was hilarious.
Computer scientists affiliated with Canada's North America's University of Guelph have found that..."
FTFY
https://www.theregister.com/2022/11/14/university_staff_and_students_voice/
That article had "The UK", a country name as in a member of the UN. This one has "Canada", the same thing. Unless you still think Canada belongs to the UK, your complaint is invalid. The other article didn't describe the university as "A European university", so your suggested sentence is also invalid.
A little while back I returned my laptop for potential warranty keyboard repair, where a key cap was detached. The repair was performed as a keyboard replacement.
When the laptop was returned, the HDD had been restored to the factory image. Upon query, I was told this was SOP, for security. I noted that this act had quite the opposite effect, since it covered up any trace there might have been of anything having been done to the previous content of the drive. [Yes, I appreciate that physical access to the drive negates that as a real protection.] Obviously, I'd ensured that there wasn't anything of interest left on the laptop, before return. It was simply the inconvience to reinstall my OS of choice and re-update the factory image install to the latest version too, but I objected to the reasoning.
This was in the UK with a chinese manufacturer that I recall that the government has noted to be of interest for UK infrastructure projects.
I had a similar one with a number of HP/Compaq laptops. Had a recall for bad keyboard, so I copied off the data onto two locations, security wiped the free space and sent the devices off. When they came back, I discovered that the password file had been wiped and that the browser had been used to download some pirated films - this was on two of the three - and the third one showed in the system and security log that someone had turned it on and tried to log in by guessing the password. The films that had been downloaded were dubbed in Hungarian, an Eastern European colleague informed me, and the network log showed that it had obtained an IP address somewhere in Hungary, but I couldn't tell if it was on a corporate network or not. I told HP/Compaq in the UK at the address they'd sent for the return, but I don't know what came of that. It wasn't hard to find these traces either, just files dumped in the trash without emptying, an uncleared browser history etc - I wasn't particularly looking until I thought it odd that there was suddenly no password on the account.
I thoroughly disinfected the machines, just to be sure.
Apple did something similar for my wife - when her machine returned from the replacement of a bad CD drive, the screen was scratched and it had a fresh copy of the OS, with none of her data. It took a bit to convince them to refund the extra fee she paid to preserve her data, despite them very much wiping it without making a backup first. (To this day she wonders if they sent her the wrong laptop.) Good thing she made her own backup before sending it!
Back in the days when I did computer repairs, I always made a point to do as little snooping as possible. Sometimes people would leave shit right on the desktop where it was basically impossible to miss, and on at least one occasion I had to go looking for a video file I could play to test a display, but I always figured that if I had to bring in my computer I'd want someone to respect my privacy, so I would do the same. I never went through people's documents or photos or anything like that.
Exactly this. I did (and still do to some extent) domestic and small business repairs for nearly 20 years. Did I go snooping on people's data? No. I don't care what they do, it's none of my business.
My business was to get their machines up and running as well and as quickly as possible, and for an awful lot of people I was the only person they trusted to do that. That meant I was satisfied that the machine was running properly before it went back to the customer. I would almost certainly have booted a machine and seen it get safety to the desktop after having replaced anything, including a battery, even though it wasn't strictly necessary.
If the machine was seriously misbehaving, I might well have imagined the HDD, too, just as a precaution. If the image wasn't needed, it was overwritten within hours by the next machine's image, but on occasion that image was a lifesaver. Did I snoop on the files on the image? No, it's none of my business.
All that said, the images some people use as their desktop wallpaper are very NSFW, and you can't really avoid seeing rather more of the customer than you would like. Restoring to life a non-booting PC only to find your customer baring all on the desktop is an eye-opener, especially when they're sat right next to you.
There are certainly rogues in our business - I've undone the havoc created by enough of them to know that. But we're not all like that. Some (quite a few I suspect) take pride in our work, respect our customers and go the extra mile to get the job done right and to solve the customer's actual problem.
When I did repairs, which was not often, I didn't have time to browse people's data, but I always copied files, ya know, incase I fscked up the whole thing, and needed to restore? Not sure if this was done by the techs in question, and if it was confused with nefariously riffling though files?
I've seen enough without snooping too, hence the mind bleach.
As with most of you, I'm approached by many people who know me asking me to fix their machines, and as with some of you, I'm not always thrilled with the prospect of doing what could be quite a lot of work for free. People like those mentioned in the article is one of the reasons I still accept each request when it comes in. Even when I don't want to. I've seen way too many repair techs who violate the customer's privacy or who do very shoddy work (the kind of person who thinks wiping and reinstalling Windows with no backup counts as successful repair). Meanwhile, since I have the skills concerned, I also don't know any repair techs I know I can trust. I therefore can never recommend someone to go to get a device repaired at a shop and would usually advise against it, so much that I take on the work if they don't have another technical friend because there's no options left.
At most, after a successful repair, we will check that the customers HDD boots up to whatever, log in screen, desktop etc. We don't want or ask for log in credentials. We simply ask that the BIOS is either set to boot from other devices or they give us (ore remove) any BIOS/BOOT passwords so we can boot an external USB device or temporarily replaced HDD of our own. If the HDD has failed, we replace it. We don't do data recovery but if asked, we'll return the faulty HDD to them.
Generally, we only ever need to boot the manufactures diagnostics tools to confirm the fault and then confirm it's fixed afterwards. Sometimes we do a quick and basic install of Windows depending on the quality of the manufacturers diags tools and likewise, use the manufactures tools to check and update any firmware such as Bios, Intel ME, Thunderbolt etc.
This is almost all warranty repairs mind and only rarely non-corporate customers, so mostly the HDDs are encrypted anyway.
On top of that, anyone caught browsing around a customers HDD contents would be walked out the door and they all know that.
If I feel like the computer would benefit from a software check, I'll ask if I can log in. Often the systems I see are riddled with malware or very out of date.
If I don't do this, many clients say 'it's still got problems' - unrelated to the original issue reported.
Happy to do this in front of the client though. Builds trust.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
