Is My Privacy Violated At Computer Repair Stores?


This week we are answering an important question that was emailed to us by a nearby community neighbour. This is a question that I have been asked from time to time through my IT years, and it is one where I tend to tread delicately with my response. Nobody wants accusations flying about willy-nilly without just cause. Nor do I want customers running to the hills in fear of their privacy getting violated when needing technical assistance with their computers or systems. But you do need to be fully aware of what can transpire when giving trust... rather than it being earned.

In my near 25 years of being an IT professional, I have never taken a customer's device to work on without them being present. In a corporate environment, however, this is entirely different, as the devices belong to the business, not the user, and, as per corporate policy, no personal data is allowed to be stored on them. So, taking this device for hours or days to be worked on, in the bowels of the IT office, is fully acceptable. For personal devices, however, this is a big no-no. Any work I do for personal devices is done in front of the customer at all times (whether remotely or physically present). Through this process, I also explain every step I am taking and encourage them to ask questions about what I am doing. Handing your device over to a perfect stranger, unsupervised, can lead to trouble. And if you don't believe me, let's look at some recent proof.

A Conducted Study

Researchers at the University of Guelph, Ontario conducted a study to measure privacy in the electronic repair industry, just 2 years ago in 2021, over the course of 5 months. Through this 4-part study, across 3 cities in Canada, 6 laptops were brought to 16 different computer repair vendors (local, regional and nationally operated), and it was found that at least 50% of the laptops had personal data accessed and stolen. This data had nothing to do with the repair and contained financial information, private sensitive documentation and pictures that varied from sexual to non-sexual.


In order to capture the violations by the vendors in part 2 of the study, a logging utility that captures a screenshot with each mouse click was developed and loaded onto each laptop (a tweak of the Windows Problem Steps Recorder that I mentioned in a weekly Tech Tip on social media), along with MS Windows Audit Policy being enabled to log any activity on any type of file. The laptops were also set up with a disabled audio driver (so sound would not function). This is considered a simple fix for a computer technician, and no access to any files would ever be needed to resolve it.
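The Windows Audit Policy logging mentioned above can also be used by a device owner to check afterward whether personal files were opened. The PowerShell below is an added example, not the researchers' tooling and not part of the original post; it assumes an elevated prompt, the user's Documents folder as the folder to watch, and a constructed three-day window for when the device was away.

```powershell
# Added example (not the study's tooling). Run from an elevated PowerShell prompt.
# $Folder and $Since are assumptions: the folder to watch and the drop-off time.
$Folder = Join-Path $env:USERPROFILE 'Documents'
$Since  = (Get-Date).AddDays(-3)

# BEFORE the repair: enable the "File System" audit subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Add an audit entry (SACL) so reads, writes and deletes by anyone are logged.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# AFTER the repair: list event 4663 (object access) entries under the folder.
function Get-FolderAccess {
    param([string]$Path, [datetime]$After)
    $pattern = [WildcardPattern]::Escape($Path) + '*'
    $filter  = @{ LogName = 'Security'; Id = 4663; StartTime = $After }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like $pattern) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = $data['SubjectUserName']
                Process = $data['ProcessName']
                File    = $data['ObjectName']
            }
        }
    }
}
Get-FolderAccess -Path $Folder -After $Since | Sort-Object Time | Format-Table -AutoSize

# Event 1102 means the Security log itself was cleared during that window.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Your own account and background processes such as antivirus or the search indexer will appear in the results too, so read the Process and Time columns against the hours the device was out of your hands.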

To categorize the violations, the researchers broke them down into 6 categories:

  • Accessing The User's Data Folder
  • Access to Finance Data Folder
  • Browsing History Data
  • Access To Any Picture Folder
  • Search For Revealing Pictures
  • Copying Any of the User's Data To External Storage Device

Within these 6 categories, one of the vendors committed all of the violations while others committed 1 or more. The logging also showed that the violators tried to "erase" their actions by attempting to clear the Windows records of recently accessed files and "Quick Access" data. Obviously, they knew that what they were doing was wrong and tried to hide their tracks.

Out of these 16 vendors, only 2 of them actually followed the procedures that I righteously practice, by immediately fixing the issue in the presence of the customer while they waited. Only 2. The rest held onto the units for hours or overnight, and two of them held onto the devices for two nights.


Just as importantly, within the first part of the study, 18 vendors were visited with laptops with apparent battery replacement needs, in order to measure the availability of policies, terms and controls these vendors had in place to protect customers' personal data from being snooped on, and stolen, by technicians. Most had no such thing in place. One of the vendors did have a Terms & Conditions waiver, which boldly stated:

"[Redacted name] will not treat data on your device as confidential and disclaims any agreement with you or other obligation to do so."

The purpose of Part 1 of this study was not just to reveal any malicious intent but rather to show the severe lack of policy and controls to protect clients against personal data violations. Parts 3 and 4 of the study were tailored to collect data through surveys and further reveal the lack of public knowledge about the built-in tools (like encryption and such) that protect customers' personal information and would prevent such violations from happening.

"We observed that while some service providers shared a privacy policy, it was a generic policy on data collection from customers during retail transactions. These policies did not address key questions for the device repair use case, such as how long user data (such as backups and credentials) are stored, who has access to it, and what controls are in place to protect customers’ privacy."

The results of this single study are disturbing, to say the least. For most of these selected "professional" IT vendors to not have proper policy in place is shameful. People need to have more awareness of their rights and must demand proof of such protection BEFORE handing their device over. However, even with this in place, the average user would not know how to check their system afterward for any violations of these policies. So, while on paper you are protected, how would you know if your data had been accessed and stolen?


To further shock me, the fourth part of the study, which involved surveys of the customers, revealed that only 20% of those surveyed recommended that, to resolve these types of violations, repairs should be required to be done in the presence of the customer. Another 20% suggested that the solution would be to ensure that the customer removes any personal data prior to the repair. Really? 20% think that is the solution? If it's a hardware failure, how do you propose they do that? And, if you know how to do that, you can most assuredly fix the hardware yourself!

My tech company's main mission is to bring awareness and provide the proper knowledge to our clients. People need to know how to safeguard themselves against these types of violations, among many others. In no way am I bringing this to your attention so we can have a "witch hunt" against all computer repair shops. There are many very reputable, honest and helpful businesses that have earned the trust they have been given. That being said, how do you know if any or all of the employees are snooping through your information?

I have always ensured policies and controls are in place, but additionally, my business never performs any actions on a client's system without them being present, virtually or physically. This safeguards you as well as the business, and it's the right thing to do. Sadly, the world of complete trust does not exist as a whole. Even those who you think you can trust because they seem nice can turn out to be the worst violators of trust. And, as we have all been taught by our parents, trust is earned, not given.

What You Need To Do


My advice to you, no matter what business you choose to resolve your IT and technical issues, is to be aware and to be proactive. The tools needed to prevent this type of violation in the first place are already given to you, through the software on your devices. Yet many people do not know the tools are there, or they don't know how to properly use them. A perfect example would be encryption. If one's personal data (pictures, sensitive documents, banking, passwords and personal information) were fully encrypted, violations of this sort would not be a concern. And the tools for encryption are at your fingertips. Your security should always be a priority, yet many do not make it a priority and put it off until it is too late.

Too many times these days, we are guilty of not reading the fine print. The fine print is what keeps us aware and protected. Before handing over your "life's digital data" to a stranger, ensure that one, they have the proper policies, waivers and terms in place, and two, thoroughly read them and ask questions pertaining to the protection of your data before granting access. Who has access? Where and how is my data backed up or stored? How do you protect that data? What if my data is compromised or lost? These are just some of the questions you need to ask. And if they don't or can't answer them to your satisfaction, walk out of that door.

Be safe, and be mindful! Don't forget to Like and Share our post and please let us know in the comments about your experiences with computer repair and the steps you took to ensure you were protecting your data!
