Marketplace investigation recorded technicians peeping on personal photos, browser history
What this and Khan’s previous studies show is that it really comes down to the technician who touches your device, not the chain you take it to. These employees aren’t bonded and have no loyalty to customers or employers; some will follow the law when they think they’re not being observed, and others won’t.
Takeaway: take your devices to someone you trust AND assume they’re looking through everything they have access to. Same as mechanics, washing machine repairmen, etc.
Very true, there are no standards beyond each tech’s personal ethics.
Also, wipe your hard drives before you throw out computers. Folks throw PCs out all the time in my office building, and I pick them up to refurb and ‘freecycle’ them. More than half the time, I’ll plug it in to see if it will boot up, and the drives are still intact, and loaded up with personal data… Then I plug in my DBAN USB stick and wipe the drive(s) 3x.
I had an old Windows Phone I recycled years ago. It had nothing on it since I had migrated everything to Google a while earlier. Instead of wiping it, I dropped it at the recycling place in Vancouver.
Imagine my surprise when I get an automated email 6 months later saying someone just tried logging into my Microsoft account on that device from Shenzhen, China.
Wipe your shit, folks! It’s good advice inside and outside the bathroom.
Take someone technologically curious, pay them near minimum wage, and give them unfettered access to someone’s system… and people are surprised this is happening? That’s why in enterprise IT departments you have guard rails and permissions for lower positions until they end up mature enough, in a position of trust with comparable pay and they don’t care what’s on a system.
Treat a PC or any personal digital device that can hold lots of storage of content like a large house or storage building filled with all kinds of your personal stuff. Filled with your old photos, paper files, banking information and personal information.
Would you allow just anyone to wander into this house to see everything inside or even make copies of everything?
This is the best summary I could come up with:
For the Marketplace investigation, Khan, along with graduate students Angela Tran and Brandon Lit, loaded four smartphones and six laptops with the kind of private data many users would have on their devices: financial information, social media and email accounts, as well as browser history.
For the smartphone test, Prof. Mohammad Mannan from Concordia University and his Ph.D. student Sajjad Pourali created a repair issue — a flickering screen — and installed logging software that screen-recorded the technicians’ actions.
However, at a location in Woodbridge, the team documented that a Mobile Klinik technician scrolled through the Facebook account on the device, and looked through photos stored on the phone, including intimate selfies.
After Marketplace dropped off a laptop at a Markham location of the electronics and tech repair chain Best Buy, which has 164 stores across Canada, Khan’s team found a technician had browsed through several photo folders, including ones with names like “Bikinis,” “Date Fits” and “Nightwear.”
At the Markham location, a technician viewed intimate photos as extra large icons, which makes them easier to see without actually opening them, meaning they wouldn’t turn up as recently accessed files.
In an emailed statement, Canada Computers said it takes “its obligation to respect its customers’ personal information very seriously” and that its own investigation of the incident indicated it was an isolated event where one technician at one location violated its privacy policy.
The original article contains 1,567 words, the summary contains 232 words. Saved 85%. I’m a bot and I’m open source!
“That one time we got caught is the only time that ever happened” -Canada Computers
Former tech at an indie shop (in the USA):
I didn’t want to dig into people’s personal shit, especially not their niche porn collections.
Browsing history was one thing we actually would look at in order to determine infection vector (when doing virus removal). We would usually counsel the customer on how to avoid it in the future. Obviously didn’t do that on non-virus issues because that would be wrong and a total waste of my limited time.
The only time we would look at any images, erotic or not, is if they looked suspicious on a scan or by filename.
Because of prior incidents, we also would check files that might be CSAM and report those to the cops. Usually a thumbnail in a scanner/explorer/etc program would bring that suspicion.
I personally wouldn’t want any files from a customer PC, and the only USB I’d be using is the shop one with all the antivirus on it.
This is crazy!
And completely expected unfortunately.
That’s true…
Oh, and I had a thought about their methodology - the screen recording software only works when it’s booted from the internal hard drive. Boot with a USB stick with a Linux live image, mount the internal drive as read-only, and you can copy the entire thing, and nobody will ever know.
Most people struggle with the idea of installing an OS let alone a portable OS that can be moved from one machine to another. I doubt the CBC has any Linux nerds outside of the IT department.
Also, even mounting a drive as RO can leave traces. In a forensics lab, special devices are used to read drives while stopping any changes from being made to a disk in order to not disturb evidence.