When you need to drop off your tech devices for a repair, how confident are you that they won’t be snooped on?
CBC’s Marketplace took smartphones and laptops to repair stores across Ontario — including large chains Best Buy and Mobile Klinik — and found that in more than half of the documented cases, technicians accessed intimate photos and private information not relevant to the repair.
Marketplace dropped off devices at 20 stores, ranging from small independent shops to medium-sized chains to larger national chains, after installing monitoring software on the devices. In total, 16 stores were recorded. (At four stores, the tracking software didn’t log anything, or the stores didn’t appear to turn the devices on.)
Technicians at nine stores accessed private data, including one technician who not only viewed photos but copied them onto a USB key.
“These results are frightening,” said Hassan Khan, associate professor in the school of computer science at the University of Guelph. “It’s looking through information, searching for data on users’ devices, copying data off the device…. it’s as bad as it gets.”
To examine the extent of privacy breaches by technicians at repair stores, Marketplace teamed up with Khan, who had previously done a privacy study on laptop repairs in a number of Ontario stores, which found that many technicians snooped on personal data.
For the Marketplace investigation, Khan, along with graduate students Angela Tran and Brandon Lit, loaded four smartphones and six laptops with the kind of private data many users would have on their devices: financial information, social media and email accounts, as well as browser history. For the sake of the experiment, the information was fake, so no one’s personal information would be at risk.
Marketplace also took intimate selfie-style photos of two models whose faces were cropped out, and those pictures, along with other generic photos, were saved on the devices.
For the laptops, Khan and his team initially created a repair issue by disabling the WiFi. Technicians at the first few stores didn’t need to keep the device in order to fix it, so Khan’s team created a new software problem that would require stores to hold on to the device to repair it, by disabling the USB port.
Khan and his students installed secret logging software that would screen-capture and record what technicians accessed during each repair.
For the smartphone test, Prof. Mohammad Mannan from Concordia University and his Ph.D. student Sajjad Pourali created a repair issue — a flickering screen — and installed logging software that screen-recorded the technicians’ actions.
Khan and other computer science experts Marketplace spoke with said that looking at photos or files would not be necessary for these types of repairs.
“Going through those files to look for a fix does not make sense,” said Khan.
Marketplace shared the findings with former Ontario privacy commissioner Ann Cavoukian, who said, “your personally identifiable data is extremely sensitive.”
“We have to put a stop to this [behaviour] … And we have to find a way to bring it to the public’s attention.”
According to federal privacy law, any commercial business, including tech repair stores, must limit the collection of personal information to what’s necessary.
Intimate photos accessed
Marketplace visited two locations of the smartphone repair chain Mobile Klinik, which has more than 150 stores across Canada.
At Square One mall in Mississauga, Khan’s team did not detect any snooping on the smartphone brought in for repair. However, at a location in Woodbridge, the team documented that a Mobile Klinik technician scrolled through the Facebook account on the device, and looked through photos stored on the phone, including intimate selfies.
In a statement to Marketplace, a Mobile Klinik spokesperson said “what happened in this instance is unacceptable” and that “protecting our customers’ privacy is our first priority.”
The company noted it has “robust policies in place” to safeguard customer data. “Following our own investigation, and based on information provided by CBC Marketplace, it is clear the technician who repaired this device did not follow proper procedure. As a result, the technician has been terminated.”
The company also told Marketplace it is using the incident to reinforce its privacy and data security training with employees and said it wants to institute its own secret shopping program using the screen capturing technology.
After Marketplace dropped off a laptop at a Markham location of the electronics and tech repair chain Best Buy, which has 164 stores across Canada, Khan’s team found a technician had browsed through several photo folders, including ones with names like “Bikinis,” “Date Fits” and “Nightwear.” The technician also removed an intimate photo they had opened from the recently accessed files, thus erasing any indication it had been opened.
“They’re clearing their tracks,” said Khan. Without this type of logging software, the average consumer would have no idea the technician had looked through these photos.
Cavoukian said the technician had “absolutely no right to this information.”
“I just think it’s appalling,” she said.
Marketplace reached out to Best Buy multiple times for a response, but the company did not provide a comment.
At a Best Buy location in Oakville, Ont., two Apple stores and a couple of independent shops, employees said the repair might require reloading or reinstalling the operating system on the devices. Khan said this would have erased the logging and monitoring software, so Marketplace did not leave devices there and excluded these stores from the test.
Photos copied onto USB key
Marketplace left laptops at the Oakville and Markham locations of electronics and tech repair chain Canada Computers & Electronics, a company with 42 locations across Canada. At both stores, technicians viewed intimate photos.
At the Markham location, a technician viewed intimate photos as extra large icons, which makes them easier to see without actually opening them, meaning they wouldn’t turn up as recently accessed files. The person also viewed the laptop’s browser history before ultimately fixing the USB drive and then copying all of the photos on the laptop onto their own USB key.
“On what planet is this permissible?” Cavoukian said.
The company added that in light of Marketplace’s investigation, its technicians have been “provided with a refresher course on how to protect customer personal information while diagnosing and repairing electronic devices.”
Marketplace also documented technicians accessing photos at one other mid-sized chain, Dr. Phone Fix, and four local shops: KW PC and Cell Repair in Kitchener; SK Computers in Brampton; Computer Link in Markham and Link It Up Dundas in Mississauga.
Each of these companies told Marketplace in separate email statements that they are committed to protecting customers’ privacy, and most referred to company policies on data privacy.
Link it Up Dundas said it is investigating and noted it has data-handling policies and procedures and “any employee found in violation of these policies will be subject to corrective action.”
Computerlink said its technicians “do not engage in any data snooping” and that they may have accessed a few files randomly for troubleshooting and diagnostic purposes and to verify data integrity. SK Computers said a technician’s search for all of the photos on the computer would have been a necessary procedure to ensure a thorough examination of the device and to identify potential viruses.
Khan said there are more effective and less invasive ways to verify data integrity and check for malware or viruses than opening or viewing personal images.
Dr. Phone Fix said the phone screen was exhibiting “ghost touch” — i.e. that it changed without any direction from the user — and that it’s possible the photos were inadvertently accessed without any action from the technician. However, the tech team behind Marketplace’s test confirmed the phone did not have a ghost touch issue.
Marketplace dropped off devices at seven stores where technicians did not snoop: Mobile Klinik at Square One mall in Mississauga; Future Gadgets in Mississauga; PC Shop Computers in Kitchener; PhoneJI in Mississauga; Apple Service Depot in Markham; KW Cellular in Guelph; and Nerds 4 Hire in Markham.
Cavoukian called on the federal privacy commissioner to investigate Marketplace‘s findings.
Canada’s privacy commissioner, Phillipe Dufresne, declined a request for an interview. But in a statement, a spokesperson for the Office of the Privacy Commissioner noted companies shouldn’t open files that are not necessary for repairing a device. If it is necessary, they must seek meaningful consent from the person who owns the device.
“In this day and age, privacy can’t be an afterthought” for tech repair companies, said Cavoukian.
Khan would like to see tech repairs recorded and randomly audited to ensure privacy violations do not occur during a repair, and even see fines levied against tech repair companies that access private data unnecessarily.
“The onus should not be on the users to somehow magically make sure that there is nothing on their device that these people would not snoop on.”