Slashdot: Small Study Finds Computer Repair Shops Accessed Personal Data - And Sometimes Even Copied It
Small Study Finds Computer Repair Shops Accessed Personal Data - And Sometimes Even Copied It
Published on November 28, 2022 at 02:43AM
Ars Technica reports on what happened when researchers at the University of Guelph in Ontario, Canada, left laptops overnight at 12 computer repair shops — and then recovered logs after receiving their repairs: The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device.... The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren't recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data. In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks.... The vast majority of repair shops provide no privacy policy and those that do have no means of enforcing them. Even worse, repair technicians required a customer to surrender their login password even when it wasn't necessary for the repair needed. These findings came from a separate part of the study, in which the researchers brought an Asus UX330U laptop into 11 shops for a battery replacement. This repair doesn't require a technician to log in to the machine, since the removal of the back of the device and access to the device BIOS (for checking battery health) is all that's needed. Despite this, all but one of the repair service providers asked for the credentials to the device OS anyway. When the customer asked if they could get the repair without providing the password, three refused to take the device without it, four agreed to take it but warned they wouldn't be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.
Published on November 28, 2022 at 02:43AM
Ars Technica reports on what happened when researchers at the University of Guelph in Ontario, Canada, left laptops overnight at 12 computer repair shops — and then recovered logs after receiving their repairs: The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device.... The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren't recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data. In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks.... The vast majority of repair shops provide no privacy policy and those that do have no means of enforcing them. Even worse, repair technicians required a customer to surrender their login password even when it wasn't necessary for the repair needed. These findings came from a separate part of the study, in which the researchers brought an Asus UX330U laptop into 11 shops for a battery replacement. This repair doesn't require a technician to log in to the machine, since the removal of the back of the device and access to the device BIOS (for checking battery health) is all that's needed. Despite this, all but one of the repair service providers asked for the credentials to the device OS anyway. When the customer asked if they could get the repair without providing the password, three refused to take the device without it, four agreed to take it but warned they wouldn't be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.
Read more of this story at Slashdot.
Comments
Post a Comment