When you need to drop off your tech devices for a repair, how confident are you that they won’t be snooped on?

CBC’s Marketplace took smartphones and laptops to repair stores across Ontario — including large chains Best Buy and Mobile Klinik — and found that in more than half of the documented cases, technicians accessed intimate photos and private information not relevant to the repair.

Marketplace dropped off devices at 20 stores, ranging from small independent shops to medium-sized chains to larger national chains, after installing monitoring software on the devices. In total, 16 stores were recorded. (At four stores, the tracking software didn’t log anything, or the stores didn’t appear to turn the devices on.)

Technicians at nine stores accessed private data, including one technician who not only viewed photos but copied them onto a USB key.

  • AllHailTheSheep@sh.itjust.works
    link
    fedilink
    arrow-up
    105
    arrow-down
    1
    ·
    1 year ago

    as a technician myself, I hate this. I truly don’t understand why any tech would ever do any snooping. I fix dozens of devices a day, I need the password so I can test the new part and make sure everything is working as it should be after the repair. I’m far to busy and apathetic to give a shit what people have on their devices.

    side note, for those of y’all with Samsung phones, there’s a maintenance mode that will allow the tech to test everything after the repair but not access any data on your device.

    • GreenIcePear@lemm.ee
      link
      fedilink
      arrow-up
      25
      ·
      1 year ago

      How would I go about putting my device in maintenance mode? Iirc that was only available for repairs at Samsung Authorized stores?

    • jimbo@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      1 year ago

      I truly don’t understand why any tech would ever do any snooping.

      You don’t understand that some people are just dirt bags?

  • beaubbe@lemmy.world
    link
    fedilink
    arrow-up
    53
    arrow-down
    4
    ·
    1 year ago

    Unsurprising. Most repair shops will ask for your PW to “test that the device works”. If it is for a battery change, or screen fix or whatnot, refuse to give it! It is not required. They can confirm the fix just by accessing the lock screen itself.

      • Suburbanl3g3nd@lemmings.world
        link
        fedilink
        arrow-up
        39
        ·
        1 year ago

        Samsung phones have this but apparently the Samsung diagnostic tool doesn’t work in the repair mode. Dumbest thing I’ve ever heard.

        I just use a secondary app to lock down all apps when it needs serviced then.

          • logicbomb@lemmy.world
            link
            fedilink
            arrow-up
            6
            arrow-down
            33
            ·
            1 year ago

            Yeah it’s great. When anything goes wrong, you can just throw it in the trash and get a new one.

            • winkerjadams@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              24
              arrow-down
              1
              ·
              1 year ago

              Like when I accidentally broke the glass on my camera bump and I was able to buy the replacement and fix it myself for under $20, right?

              • logicbomb@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                19
                ·
                edit-2
                1 year ago

                And you believe that’s because it’s an android? So anybody who buys an android phone can expect that nothing will ever go wrong with the hardware?

                Edit: To any morons downvoting, that’s literally what the person said. Here, I’ll quote them: “Nice thing about having an Android is I’ve never needed service”

                Literally saying that the reason they never needed service is that it’s an android. There is no other way to interpret the statement.

    • ttr@lemmy.zip
      link
      fedilink
      arrow-up
      23
      arrow-down
      4
      ·
      edit-2
      1 year ago

      Shitty people will do shitty things. That said, if you don’t give your password, be prepared to have the technician test all sorts of stuff in front of you. The selfie camera, ear speaker, microphone, etc. sometimes are mounted on the screen. If there are problems, the tech will need to redo the repair. Not advocating for giving your pw, but be prepared for the process to be less convenient.

      Edit: My bad, should have clarified I’m talking about phones exclusively. If you’re worried about your computer, create a non-admin user and give them that password. If they had the skills to bypass that, they wouldn’t be working at a repair shop.

      • Crozekiel@lemmy.zip
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        If they had the skills to bypass that, they wouldn’t be working at a repair shop.

        What are you talking about? I worked at a geek squad back in college days and no one there needed your admin password to get into your computer. We’d just remove the password. The only reason we asked for your password was so you’d get your computer back with the password still on it, lol…

        I’m more shocked that none of the techs found the monitoring software and assumed it was something malicious and disabled or removed it…

        • ttr@lemmy.zip
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          Bitlocker? FileVault? If you’re cracking those, why the fuck are you working at a Best Buy?

          • mob@sopuli.xyz
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            Bitlocker or Filevault for the pin/password to get onto your computer? I don’t think that’ll be a common scenario. I also imagine they bypass the whole password thing, rather than cracking the actual password.

            • Crozekiel@lemmy.zip
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Yup. A majority of the time people didn’t have any of that setup anyway. But also most of windows security is centered around external attacks over a network, not someone actually having your computer so there are lots of ways to just remove the password if you can plug in a flash drive or insert a CD.

              If someone actually security conscious brought in a computer truly locked down, we would have had a tough time of it, but people that know how to do that aren’t bringing their computer to geek squad to be fixed, so it’s a catch 22.

              • mob@sopuli.xyz
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Yeah I had a buddy who bought a PC that had a BIOS password on it(which now I realize was probably stolen… but it was like a big box store 2010 desktop which is weird to steal) I was surprised with how easy it was to bypass that, and gain access with a flash drive and 3 minutes of googling

        • themoonisacheese@sh.itjust.works
          link
          fedilink
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          Phones. Also technicians aren’t that amazing most of the time, if you drop off your thing at the place you bought it they might know the procedure to change a screen but that’s it.

          • Ghoelian@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Also, even on laptops/desktops this might not always be possible depending on the bios configuration. Corporate devices for example might have the bios and booting from untrusted media locked down.

              • lud@lemm.ee
                link
                fedilink
                arrow-up
                3
                ·
                1 year ago

                Yeah, absolutely not.

                One user got his work iPhone replaced in the apple Store by himself and never told us. Obviously no work apps or anything got installed properly.

                And the work phones aren’t even ours, they are leased 🤦 That was a pain in the ass.

    • CubitOom@infosec.pub
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      2
      ·
      1 year ago

      If someone has physical access to your device, they also have the ability to access your files without your password. Unless you are using sophisticated full disk encryption, but that makes it more time consuming to gain access.

      • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        I wish Android still had full-disk encryption. It was dropped in Android 10 for file-based encryption, but as far as I know the keys are just somewhere on the device. But I am not sure about that. Like 10%.

        • Snowplow8861@lemmus.org
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          They’ll be in a hardware security module, just like the computer should be storing encryption keys with the tpm. Tbh I don’t know what’s actively implemented but definitely on the devices I manage in MDM they’re non-compliant without that. I’m sure you probably can get cheap devices without though. Just like you can get home level laptops without tpm.

    • Bizzle@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      A lot of times, the camera/earpiece speaker/microphone cables are really fragile and tolerances are tight. The phone isn’t designed to be opened. You should, therefore, make sure they work after the repair by making a test call.

    • RunningOutOfViolence@lemmy.ca
      link
      fedilink
      arrow-up
      6
      arrow-down
      4
      ·
      1 year ago

      You almost always need to the password to test a phone thoroughly. You can see that the screen works on the lock screen, but what about the front facing camera, and secondary microphone that are attached to the screen and need to be transferred, or replaced if you do it like Apple. On newer iPhones the slightest defect can cause face id to not work. On laptops it depends. Sometimes live USBs don’t have the right drivers to test all the hardware. When you assume things are simple you’re usually wrong.

      • Traister101@lemmy.today
        link
        fedilink
        arrow-up
        6
        arrow-down
        3
        ·
        1 year ago

        Weird that you’d mention the cameras, one of the only things you can access from the lock screen.

        For everything but data recovery you can get by fine without a password. You aren’t gonna have a hardware issue that makes Facebook slightly slower, your device won’t turn on.

        • RunningOutOfViolence@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Incorrect. On most devices after the power is cycled you can’t use the camera on the lockscreen. You have to enter the password once before that feature is enabled. And if you’re doing a screen replacement you need to power it off or you risk frying the backlight. How many cellphones have you repaired? 1? Hundreds? Thousands? It was my job for years, and my point is just don’t assume things are simple.

  • mommykink@lemmy.world
    link
    fedilink
    arrow-up
    48
    arrow-down
    3
    ·
    1 year ago

    This is why we need a guarantee that tech workers are asexual before dropping off our devices for repair

    • EK13@lemmy.world
      link
      fedilink
      arrow-up
      18
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Linking this here just because I only discovered that Nathan For You episode yesterday and would hate for anyone to miss out on the reference: Youtube / Piped.

      Edit: fixed broken Piped link

    • kromem@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      You could always have a lie detector added into the process to ensure they didn’t look. Though for some reason I think that may be a better fit for someone like a mechanic over tech repair.

  • Harpsist@lemmy.world
    link
    fedilink
    arrow-up
    38
    arrow-down
    1
    ·
    1 year ago

    I have never - ever - dropped a device off anywhere.

    I have spent hours and hours learning new skills, trouble shooting, and engaging in forums with people who know better than me.

    But just drop it off? Never.

    Wait wait.

    I dropped off my ps2 to get modded.

  • Clipboards@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    Haha holy shit, the Canada Computers statement that photos weren’t accessed inappropriately & that the employee in question was disciplined, shortly followed by a picture of the technician outright copying only these files to the USB drive. These people are scum

    • alekwithak@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      It’s like this in the states, too. Had the same scenario with a battery replacement. “You don’t need the password to make sure the battery works.” “But we need to unlock the device to run diagnostics.” “I’ll unlock it for you and we’ll run them together” “No” “oh okay… The password is 0000, call me if it doesn’t work and I’ll unlock it for you and we’ll run diagnostics together!”

  • XbSuper@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    5
    ·
    1 year ago

    This is why I won’t repair any device I can’t fix myself (which unfortunately is most of them, I’m not very tech literate).

    • HubertManne@kbin.social
      link
      fedilink
      arrow-up
      8
      arrow-down
      4
      ·
      1 year ago

      if you are technical enough to replace a hard drive then when you buy a computer also buy an extra drive. day1 build your machine or recover to the new drive. keep original drive in case of repair need. it also helps to troubleshoot if your problem is hardware or software.

        • meant2live218@lemmy.world
          link
          fedilink
          arrow-up
          9
          arrow-down
          1
          ·
          1 year ago

          He’s saying that if you can change a hard drive, then you can always just keep a spare one (with a clean OS install) on hand to use whenever you take it in for repairs.

          Changing a hard drive is basically knowing where the hard drive is, how to access it, and then unplugging and replugging some cables. Fairly easy, and most newer cases have been designed to make it easy to reach the storage bays.

          • XbSuper@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            12
            ·
            1 year ago

            Not sure why you think explaining the same thing in basically the same way would change anything. I am not tech literate, I wouldn’t even know how to open the computer to access these locations. Stop trying to teach me, you’re wasting your time.

            • 257m@sh.itjust.works
              link
              fedilink
              arrow-up
              10
              arrow-down
              1
              ·
              1 year ago

              Now thats a bit rude. You could of just not responded to him. Instead you take time out of your day to say “I don’t want to learn.”

            • meant2live218@lemmy.world
              link
              fedilink
              arrow-up
              9
              arrow-down
              1
              ·
              1 year ago

              Sorry, that’s my bad. When I see something that looks like a request for information, I try my best to answer it. Even if you personally don’t find it useful, someone else in a similar position but different perspective on learning might be interested. Sorry, hope you have a good day!

              • XbSuper@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                10
                ·
                1 year ago

                I never requested information, I simply made a couple statements about my lack of tech literacy. If I wanted to learn, I would have done so years ago.

                This is why commenting on lemmy sucks.

  • Surp@lemmy.world
    link
    fedilink
    arrow-up
    13
    arrow-down
    18
    ·
    1 year ago

    I’ve been in tech since 2007 and people are stupid and sometimes they leave “private” photos on the damn desktop. No offense to end users but don’t leave your pornos out in the open…buy two USB drives and back it up to both and store in a closet or something. The end user is also at fault here imo. Many times IT people aren’t looking for shit but people are stupid enough to leave it right in the open.

    • pinkdrunkenelephants@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      19
      ·
      1 year ago

      People are allowed to leave shit on their private computer out in the open and IT bros have 100% of the moral responsibility to not look at it.

      It’s unrealistic and more importantly unjust to blame the victim here.

    • strawberrysocial@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      Why are you clicking and opening people’s image or video files even if they’re right on their desktop? I doubt that’s part of the repair troubleshooting you are supposed to be doing. You shouldn’t be clicking on their images or videos even if they are easily accessible.

  • Captain Howdy@lemm.ee
    link
    fedilink
    arrow-up
    3
    arrow-down
    12
    ·
    edit-2
    1 year ago

    This being so common is creepy, but I feel like I just read/heard about a case where some pedo was recently arrested because a tech found CSAM on his phone during a repair and reported him. I really value privacy, but in that one case I’m glad the tech got nosey. I’m a bit intoxicated right now and cannot remember where I heard about this, but probably some true crime podcast or YouTube channel. I’ll update with a source if I remember.

    EDIT here’s one, but there are dozens of cases like this if you search https://kmph.com/news/local/tech-repair-shop-helps-arrest-customer-possessing-child-pornography-in-fresno

    • 👁️👄👁️@lemm.ee
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      2
      ·
      1 year ago

      The thing is, it’s really hard to be consistent on beliefs, especially in cases like this where it might sound unfavorable.

      If you say you’re against surveillance and spying on devices, people will generally agree that’s a good thing. But this is an example of privacy invasion, and is justified because they caught CSAM, so it must be good, right?

      Well in the big picture of things, this would be setting a precedent. Where they can justify these things because they can find and stop these things. This tends to lead to the “think of the children!” fallacy. Legislators are actively using this argument to push anti-privacy measures like breaking encryption so they can stop this. So it unfortunately means, respect privacy, or allow these things to go unchecked.

      Freedom comes at a price, and you gotta stay consistent even if it lets bad guys get away with things. You can justify a lot of fascism in the name of stopping the bad guys, since obviously it’s not a good look to defend those actions.

      • pinkdrunkenelephants@lemmy.cafe
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        6
        ·
        1 year ago

        Ehh. Your way sets really bad precedent that deprives all of us of freedoms in much more horrific ways than some retard getting caught with CSAM he should not have been having in the first place.

        Freedom means more than that and to argue otherwise is to argue innocent people need to be sacrificed on your political altar to make you feel like you can be safe hiding shit. You never can no matter how free your country is.

        • JWayn596@lemmy.world
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          What do you mean deprives us of freedoms?

          Everyone has a right to lock their bathroom door. Crime might be comitted behind the bathroom door, but usually there will be other evidence of that without looking in the bathroom, so there is no need for the government to legislate that all bathrooms should remove their locks.

          No one ever questions the right of locking your bathroom door.

          • pinkdrunkenelephants@lemmy.cafe
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Because the ones who violate our rights the most aren’t tyrannical governments but the people around us. The people who rape us, murder us, commit genocide against us, who commit the most unspeakable of depraved acts with the banality of a zombie in a fucking zombie movie.

            And you think that’s okay in the name of stopping a government from turning tyrannical when you knew it was always going to be like that anyway because all governments are inherently authoritarian in nature.

            • JWayn596@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Well yes, because it’s not up to the government to take care of or protect your kids. And it’s your job to make sure they can protect themselves online. That’s just common sense.

              Additionally, the government is still effective at catching bad guys without backdoors to encryption, and this stuff doesn’t stop you from monitoring your kids devices.

              Yes in the US, Texas for example has used publicly available information to jail moms who travel for abortions.

              If the government were to trample on the freedom of privacy, it would affect the right to protest, it would affect freedom of assembly, it would affect freedom of opinion.

              China literally monitors most of their citizens communications this way.

              We do NOT want governments to invade privacy for the sake of security.

              Because, if the government can see what you do, then criminal actors can also see what you do too.

              • pinkdrunkenelephants@lemmy.cafe
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                1 year ago

                So TIL it’s on me to hunt down predators who abduct my kids and use them to make CSAM or sell them into sex slavery. That actually is pretty close to the truth in today’s tyrannical world.

                Governments are always going to surveil their populations en masse and abuse them in the ways you described and more regardless of what their constitution and code of law says, so it’s silly to waste your time with a slippery slope argument when we’re already at the bottom of the valley, always have been and always will be. So are criminal actors.

                So we need something for us because rights simply won’t cut it and the Great Experiment obviously failed. That’s not gonna change just because you don’t like it.

                • JWayn596@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  Well it’s understandable that you think the predators are random men in white vans texting your kids, grooming, and abducting them, but in actuality, a ton of the major produces of CSAM are parents or family members.

                  This doesn’t account for a smaller, but significant percentage of self-producers that post online because they’re following online sexual trends, innocently self-expressing, or self-exploiting.

                  Having the goverment ban encryption will only undermine the privacy and security of law abiding citizens, and jeopardize national security. Parents don’t have to send messages to their kids really.

                  The police won’t protect your child from your spouse.

                  Banning encryption won’t do anything to curb this concern of yours, its like banning car locks because people could hide heroin in cars.

                  I can empathize with your stance, but I have to tell you, that the “protect children” argument has been used to justify genocide, racial segregation, and so many other violations of civil rights within the last 100 years.

    • jimbo@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      1 year ago

      It’s one thing to merely stumble across someone’s private content on a PC while working on it, and quite another to actively seek it out and make a copy like the guys in the article were caught doing.

    • missveeronica@lemmynsfw.com
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      1 year ago

      Thank you! I worked at Staples as an Easy Tech (2006) and we were required to search desktops for pedophile materials so we could report them to authorities when found. I never found any myself but that was policy back then.