If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt.

Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.

Blown away

“We were blown away by the results,” Hassan Khan, one of the researchers, said in an interview. Especially concerning, he said, was the copying of data, which happened during repairs for one from a male customer and the other from a female. “We thought they would just look at [the data] at most.”

The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren’t recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data.

In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.

Here’s a breakdown of the six visits that resulted in snooping:

The laptops were freshly imaged Windows 10 laptops. All were free of malware and other defects and in perfect working condition with one exception: the audio driver was disabled. The researchers chose that glitch because it required only a simple and inexpensive repair, was easy to create, and didn’t require access to users’ personal files.

Half of the laptops were configured to appear as if they belonged to a male and the other half to a female. All of the laptops were set up with email and gaming accounts and populated with browser history across several weeks. The researchers added documents, both sexually revealing and non-sexual pictures, and a cryptocurrency wallet with credentials.

The researchers also configured the laptops to run a custom logging app that used the Windows Steps Recorder utility in the background. The utility captured the screen on every mouse click and recorded each key pressed by the user. The researchers also enabled Windows Audit Policy to log access to any file on the device.

The researchers then brought the laptops to two national outlets, two regional ones, and four local ones. Half the customers were male, and the other half were female.

Password required

Besides finding widespread snooping, the study uncovered other problems. Among them: The vast majority of repair shops provide no privacy policy and those that do have no means of enforcing them. Even worse, repair technicians required a customer to surrender their login password even when it wasn’t necessary for the repair needed.

These findings came from a separate part of the study, in which the researchers brought an Asus UX330U laptop into 11 shops for a battery replacement. This repair doesn’t require a technician to log in to the machine, since the removal of the back of the device and access to the device BIOS (for checking battery health) is all that’s needed. Despite this, all but one of the repair service providers asked for the credentials to the device OS anyway.

When the customer asked if they could get the repair without providing the password, three refused to take the device without it, four agreed to take it but warned they wouldn’t be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.

In all, the findings from the study were:

• Privacy policies and the practice of communicating protocols and controls to protect customers’ data do not exist across service providers of all sizes.
• Service providers largely (10/11) require “all access” to the device, even when it is unnecessary.
• Technicians often snoop on customers’ data (6/16) and sometimes copy those to external devices (2/16).
• Technicians who violate privacy often do so carefully to not generate evidence (1/6) or remove such evidence (3/6).
• A significant proportion of broken devices (26/79, 33 percent) are not repaired due to privacy concerns. For the devices that get repaired, device owners are concerned about threats to their privacy but do not use the proper controls to protect their data.

The results likely confirm what many more experienced computer users already know: that their data is vulnerable to snooping or copying any time they surrender their device to an untrusted or unknown individual, particularly when the individual has their login password. But for a much larger percentage of people wanting to recover crucial data on a broken device, the findings are likely a wake-up call with few, if any, good solutions.

“Our investigation shows an absence of policies and controls to safeguard customers’ data across all types of repair service providers,” the researchers concluded. “Our work calls to action device manufacturers, OS developers, repair service providers, and regulatory bodies to take appropriate measures to safeguard customers’ privacy in the repair industry.”

ArsTechnica