Privacy violations at computer repair shops are “absolutely jarring,” says a professor involved in a new study, which found half of all stores tested in three Ontario cities unnecessarily accessed customers’ personal information.
Women bore the brunt of the violations. In some cases, the study found, repair shops also copied personal information such as passwords and revealing pictures onto external devices.
“We wanted to see, in what we believe is the first examination of this kind, whether this big and prevalent issue of privacy violations is happening in Canada. And what we found was absolutely jarring,” said Hassan Khan, a computer science professor at the University of Guelph and one of the co-authors of the study, along with master’s students Jason Ceci and Jonah Stegman.
“Part of why we did this study was because we have seen that privacy violations are committed more so with women and non-binary individuals, who are also more likely to face issues from non-consensual image sharing, like a technician accessing devices,” Prof. Khan said in an interview.
The study is scheduled to be presented next summer in San Francisco at the Symposium on Security and Privacy, organized by the Institute of Electrical and Electronics Engineers, which peer-reviewed the research.
The study looked at laptops that were brought to 12 different repair shops from October to December in 2021. Researchers anonymized the collected data but told The Globe and Mail these shops are all in Ontario. Four of them are national service providers, three operated regionally, and five locally.
All of the repair shops were given the same task: to fix an audio driver that is disabled on a laptop. Each computer ran on Microsoft Windows 10 and was otherwise in perfect working condition, free of malware or other defects. Researchers picked this repair because it is considered simple and inexpensive, but also because it does not require access to a customer’s personal files.
Half of the laptops were configured to appear as if they belonged to a man and the other half to a woman. Logging software was added to the devices before they were dropped off. Running in the background as a Windows process, it allowed researchers to capture the screen on every mouse click and record the keys pressed by a user.
The devices were set up with different accounts, such as those for e-mail and gaming, and populated with browser history across several weeks. Researchers also added a cryptocurrency wallet, as well as personal documents and files.
Sexually charged and non-sexual pictures were added to those personal files. They were obtained with permission from a group on the social-media website Reddit where people post revealing pictures. The names and metadata of the images were scrubbed before use.
In six of the 12 repairs, technicians accessed customers’ personal data, and in a majority of those cases – four of them – the customers were women. In two cases, repair shops also copied the data onto another personal device. And in three cases, logs showed that after privacy violations, some service providers cleared their tracks by removing items from the “Quick Access” or “Recently Accessed Files” lists on Microsoft Windows.
Mr. Ceci, who is cited as the lead author for the study, acknowledged that the sample size could seem small. “But the goal of the study is not to establish the percentage of how many repairs result in shops snooping on customers,” he said. “It is to find out and definitively state if the snooping happens at all.”
In a separate part of the study, researchers also looked at the issue of passwords. They found that repair shops required customers to provide the login passwords for their devices even when it wasn’t necessary.
When researchers brought an Asus UX330U laptop into 11 shops for a battery replacement, all but one service provider asked for the credentials to the device. This is a repair that requires only removing the physical back of the device. But when customers asked if the work could be done without a password, three shops refused to take the device, four agreed to take it but warned they wouldn’t be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.
“What we’ve learned through this study is that the vast majority of repair shops provide no privacy policy, and those that do have no means of enforcing them,” Prof. Khan said. “This is a major problem because we all know how much waste electronics cause. And if we can’t fix our devices without being worried about vulnerabilities, such as technicians snooping on our personal information, what alternative do we have?”
“Regulatory bodies need to take appropriate measures to safeguard privacy in the repair industry.”
How to protect your personal data during a laptop repair
If you take your laptop to a Canadian repair shop, there’s a good chance a technician could go through your personal files, according to a new study from the University of Guelph.
Half of all computer repair stores tested in three Ontario cities accessed the personal information of people who brought in their devices to those businesses, the study found, with customers who were women bearing the brunt of those privacy violations.
Here are some expert-recommended tips on how to protect your privacy while giving your laptop to a service centre:
- Encrypt your files. This is a particularly good habit for confidential items, such as credit-card information and website passwords. But you could also take the extra step of encrypting folders that contain photos and other personal data, so that only an intended person is able to access the files with the right credentials. There are built-in tools for this in many devices and also apps available for a fee.
- Clear out cache, cookies and login history from internet browsers. Even if a repair shop asks for the login password to your device, in most cases, they do not require the passwords to your e-mail, social media and other accounts. Feel free to log out from those accounts and erase your history, so that it cannot be accessed.
- Verify the authenticity of the repair shop. Unfortunately, not all shops are created equal. As much as possible, research the repair stores you visit and look for established business history. Don’t be afraid to ask lots of questions about privacy policies.
- Do not provide admin access, unless necessary. Create a guest account that may be used instead. It will impede repair shops from accessing the bulk of your personal files in your main account. In many cases, technicians do not require customers to provide them with the administrator username and password. Ask to see if this is true for you. If an administrator account is needed, disable or temporarily change your password, so that you avoid sharing the real one.
- Back up your data before the repair process. Data loss can be caused by a lot more than just hardware failure. It can also happen when someone tries to access your data. Nowadays, a lot of information is stored on the cloud, which is a good option. Still, external devices, such as hard disks, are a trusty alternative. If using cloud-based platforms for storage, log out of those before handing over your device.