When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your personal data? According to the results of recent research by scientists at the University of Guelph, Canada, you shouldn’t.
Granted, they tested only 16 repair service providers with rigged devices, but in six cases technicians snooped on customers’ data and in two they copied the data to external devices. Oh, and most of them tried to cover their tracks, either by removing evidence (e.g., by clearing items in the “Quick Access” or “Recently Accessed Files” on Microsoft Windows) or by trying not to generate it (e.g., by just zooming in on photo thumbnails).
Consumer privacy violated
Researchers Jason Ceci, Jonah Stegman, and Hassan Khan conducted a four-part study to measure the state of privacy in the electronics repair industry.
Then they dropped devices at 16 of those service providers after rigging them to log all the actions performed by technicians. After getting the devices back and analyzing audit and interaction logs, they discovered a number of privacy violations, against both female and male experimenters.
The snooping technicians accessed documents and picture folders (and revealing pictures), folders with financial information, and the experimenters’ browsing history. In two cases, the technician copied the revealing pictures to an external device and in one of those two cases, the technician also copied a password-containing file.
The study also included an online survey with 112 respondents to collect data on their experiences when getting devices repaired, and found that of those who chose not to get at least one device repaired, 33% cited privacy as a factor for the decision.
Subsequent interviews with some of the respondents also revealed that many service providers only have a generic policy on data collection that doesn’t address key questions for the (computer or smartphone) device repair use case and doesn’t mention controls in place to protect customers’ data.
The interviews also revealed that service providers generally demand device access credentials – ostensibly to streamline the repair process – even though they are not required for some repairs.
“The electronics repair industry provides economic and environmental benefits. However, there is a dire need to measure the current privacy practices in the industry, understand customers’ perspectives, and build effective controls that protect customers’ privacy,” the researchers noted.
How to solve the problem of safeguarding customers’ data from malicious repair technicians?
Device manufacturers should standardize the diagnostic interface to minimize manufacturer-specific differences and OS developers can provide controls such as a tamper-resistant logging utility, the researchers said, but noted these solutions are not perfect.
“Guest accounts or the diagnostic utility are not applicable for repairs like virus removal, and enabling tamper-resistant logging or ‘repair mode’ requires a functioning device. Furthermore, these controls would require users to enable them, and users may not be aware of these features or forget to enable them. However, through open policies, service providers can guide customers on the best control for the device condition and requested repair.”
Service providers should create a policy and adopt controls for protecting customers’ data, and regulatory bodies “should play a strong role in safeguarding the privacy of consumers in the repair industry,” they added.
I would argue that repeated similar research can also help push for change and raise awareness – if the offending organizations are named and reports of the violations are disseminated online. As the researchers’ survey revealed, 40% of the respondents chose specific service providers based on (good) reputation formed on brand name, the recommendations of others, or Google reviews – and “reputation led to trust.”