Few repair shops have privacy policies in place to safeguard your personal data when your gadgets are in for a fix, according to researchers at the University of Guelph in Ontario, Canada.
“Rigged” devices were left overnight with 12 different commercial shops to fix an audio issue. Logs from those devices uncovered what the study called “widespread privacy violations by technicians.” That includes snooping on personal data, copying information off the device, and even attempting to cover their digital tracks by removing evidence or trying not to generate it in the first place.
In total, six devices featuring email and gaming accounts, browser histories, documents, photos (including revealing pictures of women), and a cryptocurrency wallet with credentials were dropped off at a dozen national (big-box), regional (chain), and local (mom-and-pop) service providers.
Half of the Windows 10 laptops were configured to appear as if they belonged to a man and the other half to a woman. The latter, according to the study, were more likely to be tampered with.
“We were blown away by the results,” researcher Hassan Khan told Ars Technica. The team was especially taken back by the copying of data: In two cases, revealing images were saved to an external device, and one worker duplicated a password-containing file.
The study also included an online survey of 112 people, some of whom have declined to get a broken device restored due to privacy concerns. Still, our gadgets’ essential nature and the fear of losing personal information forever has driven plenty of people to repair shops, leaving folks vulnerable to data or identity threats.
“The electronics repair industry provides economic and environmental benefits,” the study said. “However, there is a dire need to measure the current privacy practices in the industry, understand customers’ perspectives, and build effective controls that protect customers’ privacy.
“Our investigation shows an absence of policies and controls to safeguard customers’ data across all types of repair service providers,” the researchers concluded. “Our work calls to action device manufacturers, OS developers, repair service providers, and regulatory bodies to take appropriate measures to safeguard customers’ privacy in the repair industry.”
.