Providing your password to a technician under any circumstances is a terrible idea to start with. Depending on how careless you are[1] they might gain access to your email, social media, bank accounts and all kinds of personal, legal and financial documents. Pictures are the least of your concerns.
The only safe way to do this is to 1) be present during service if it’s a software issue, 2) backup your data somewhere else, and wipe the device clean before handing it in.
[1] safe to assume that people who take their laptops to service shops know _nothing_ about security
If the device is nonfunctional, and has encryption enabled (e.g. Bitlocker or FileVault) you MUST give them your password if you want it repaired and cannot afford to lose data. That is the COMMON CASE. A lot of shops/businesses aren't going to agree to a "stand over my shoulder while I work" clause least of all because your repair goes into a backlog until they can get to it.
> backup your data somewhere else, and wipe the device clean before handing it in.
Well over half the devices going in for repair cannot do that, that's why they're going in for repair.
> safe to assume that people who take their laptops to service shops know _nothing_ about security
Safe to assume that the people being judgmental online know nothing about the technical expertise of the average device owner.
I'd never take a device into somewhere with personal/sensitive information on it, but I recognize I am in an extremely privileged position in having the knowledge and expertise to do so. Even a fully broken screen wouldn't stop me from backing up/wiping. That isn't typical at all.
Probably the best setup to avoid this is to have something like Linux home folder encryption, and to set a separate account just for maintenance. If the device breaks, the technician is given the maintenance account password, not the one with access to your private stuff.
That's fine for hardware issues, which really wouldn't require the personal drive at all to fix. The issue arises for when a software-related issue occurs and the person who could do what you just described could probably also fix it themselves.
Macintosh computers have a "recovery startup" mode where it boots on a minimal OS partition (chosen by holding cmd-R right after power-on). All current Macs get such a partition as part of normal OS install. This enables checking HW without having access to the customer's data (i.e. encrypted partition).
All computers and phones should have such a recovery/repair mode.
I would not be surprised that if this continues to be a problem, then EU will mandate that repair should not be allowed to ask for password and that all devices must have a repair mode. It seems like a straightforward extension of GDPR.
>If the device is nonfunctional, and has encryption enabled (e.g. Bitlocker or FileVault) you MUST give them your password if you want it repaired and cannot afford to lose data.
That needs to change. We create two user accounts for all of the laptops we give out. Someone working on the device only needs to have access to one of the accounts. Windows is still too stupid to hide user data from other users. But at least it's something.
I was with you until the third point. People who know about security in technical fields are uncommon. Not to mention the average Joe.
I do not understand how this is being judgmental? How much do you know about the operation of a nuclear plant, or knee surgery? You are not expected to, same with cybersecurity where knowing to not share your password over a random phone call is already complicated to teach.
The technical guy you went to for help asking you "the numbers you type when the computer starts" sounds completely legit.
On macOS at least, if you want to keep data encrypted, you can use encrypted disk images. If you want a more user friendly alternative, you can use https://www.espionageapp.com, which lets you encrypt folders (note: I wrote Espionage).
> If the device is nonfunctional, and has encryption enabled (e.g. Bitlocker or FileVault) you MUST give them your password if you want it repaired and cannot afford to lose data.
In corporate settings key escrow may be used. Windows for example can store bitlocker credentials in AD.
> ...bank accounts...legal... Pictures are the least of your concerns.
Yes and no. Even the least-skilled young repair tech can ogle Hot_Bikini.jpg on impulse, with ~zero expectation of being caught, and an easy "victimless" rationalization. Vs. doing things you allude to would require a very different (and far rarer) sort of perp.
Given the CBC's limited resources, need for clicks, and (if they're sane) aversion to getting involved in serious crimes - using sexy pictures for their story was the right way to go.
I always thought the best way to handle this scenario is to have removable storage. If a device breaks you could swap that out and send the device for repairs with zero worries. Of course it doesn't fly today because Apple started the board soldering trend... Let's hope for a return to sanity in technology
People just don't realize that giving someone free rein to their phone is the same as giving someone remote access, basically, to your brain.
It's just hard for the mind to grasp how such a physically small device can grant access to so many things.
Maybe once we move more explicitly to phones as bionic extensions of ourselves, people will understand the access they're granting on a visceral, gut level.
The anti-right-to-repair crowd lost this argument with me when Samsung decided that I needed a copy of TikTok on my phone without asking me. It turns out those personal devices are not so private, in general.
Um...yes? Easy & enticing opportunity for generally young & low-paid workers, ~zero enforcement, and the crime is both ~invisible to the victims and nicely into the "just don't want to think about it" zone. What would you expect?
It's the same issue from last generation's photo developing services. It was common knowledge that photo techs printed an extra copy of anything "interesting" for their own collections.
You're going to be quite disappointed by the reality you were born into then.
You're not born with any particular moral standard. You are taught one by the people around you. In fact I would say that it's likely there is a sizable population of earth that would consider you to be a piece of shit for things that you think are perfectly ok.
They're kids for the most part. I worked for Geek Squad when I was under 20 and saw this kind of stuff all of the time from similar-aged coworkers. I hear you that you expect better but when you hire people who were (or still are) teens and pay people just above minimum wage you can't really expect to get professionals.
I'm considering it from more of a social perspective. It is socially unacceptable for someone to snoop through someone else's personal photos. Many young children would understand this, and teens certainly do.
Computer techs are very underpaid in Canada. One place I got paid around $30/week.... that was in the 1990s though. (the coworkers were awesome but the employer was abusive as all anything)
I've worked at a few places since though and wouldn't recommend that work to my worst enemy. Better pay and hours in fast food, and less customer abuse typically.
One of the things rarely mentioned is that there's two people who get blamed when tech fails - the user themselves, and the tech who comes in to fix it. Not a great recipe for happy encounters or healthy cultures.
yes. Same goes for a lot of other fields, eg airport security. Now one of the shops I worked in was very deep in moral/ethical responsibility but it seems an outlier. The reason I say yes is partially due to morals/ethics having something of a cost. Low paid people aren't paid well enough to mitigate the cruelty or rudeness they're often treated with.
...yes, I thought that was per hour. Allow me to echo the sibling comment and ask how that could even be legal. Did they not have minimum wages in Canada then?
CBC is the public broadcaster in Canada, and Marketplace specifically has a good record of consumer-oriented investigative journalism like this. You might be familiar with another report a few years ago from them that found that Subway chicken may contain as much as 50% soy filler: https://www.cbc.ca/news/business/marketplace-chicken-fast-fo...
I'm personally more likely to trust Marketplace than not.
Elsewhere on this site, you proclaimed to be a libertarian opposed to almost any and all government-related functions. There's nothing wrong with that of course, but... I suspect that probably colours your opinion somewhat?
If you've got data or research that supports your argument that the CBC is, as a whole, deserving of such low quality and trust, I'm genuinely interested to hear it.
Otherwise, it just reads as ideological opposition as opposed to genuine criticism.
FYI, your source now contributes to the Daily Mail and Fox News. By her own admission she is staunchly against the "woke" agenda (whatever that is). Here's an interview with her that balances out your provided link - https://www.canadaland.com/tara-henley-cbc/
Back in the 90's, many of my co-workers would bring me their computers for various reasons, mostly viral because Win 95 and XP were, well you know.
Some would tell me they had teenage boys who may have gone to porn sites and they were afraid that's how they were infected. I would tell them to please get their personal stuff off the machine, because I would be looking for anything out of order. I explained I may have to reinstall windows and I didn't want them to lose their files. They never would! So I would burn their stuff to CD-ROM and then reload it all and give them the CDs.
I was a friend, not a business. If we expect businesses to be decent or prudent with what's on our devices we are naive. Get your stuff off first, then bring in the device! Human nature is always unpredictable.
This piece is pretty sensationalist but obviously there's some wrongs being done. I wish they'd be more specific about "devices" being mobile phones or desktop/laptops....
And then it's like, what do you expect? You're giving them your device with full access to troubleshoot problems, they're going to look around in the process. And in many cases of course there's some kind of NDA 'assumed'. The copying instances and what not are violations no question, but again, you're giving them full access.
I'm not sure a good chunk of the 'my device needs fixing' public cares about this. As long as their device gets fixed and stuff isn't obviously, like, shared out.
> You're giving them your device with full access to troubleshoot problems, they're going to look around in the process.
Only when it is necessary to solve the problem, it does not excuse the tech looking for or even copying personal images.
How would you feel if you hired a plumber to fix a leak in your home, and you found them in the master bedroom rifling through the lingerie drawer? Or making copies of your family photo book they pulled out of a cabinet? Sure, they need access to the entire home to find the leak, but that does not give them blanket permission to just do whatever they want.
Yeah, fair enough. There were definitely some techs caught red-handed in the sting operation, but I dunno, it's not that clear what problems they submitted the cases to that might involve some poking around in the Filesystem etc? Anyways, not gonna make excuses, just some of the promotion of this story I also heard came across as over the top.
Fairplay, I'm revisiting the article because I also heard radio news reports on this earlier and it was like really freaking out, clips of the Privacy Commissioner's quote etc.
The sting operation they set in play seemed like really trapping the employees when in 8/10 cases they were probably just trying to figure out what the problem was on the machines? USB and wifi disabled? but what issues did they report to the stores when submitting the cases?
Would this be equivalent to say e.g. that if you upload your photos to Google Photos, you should assume that their employees can freely watch them, as long as they are not sharing them?
But the repair aspect does not imply technicians browsing through unrelated files out of curiosity. You simply cannot blame the user for the technician's unwillingness to respect the user's privacy.
Well, I agree there are major ethical concerns about this topic. You're going to have to trust your technician with your data to some degree. If you don't, don't keep it on your personal device but on an external or have it encrypted.
If a user comes in with a virus I would expect the technician to explain and educate where the virus came from. That would involve browser history and downloads.
If a technician worked on my device I would expect them to back it up in case of data loss. That data should be held until the end user is satisfied, then securely deleted.
I hated my old iMac because it went dead and I couldn't just remove the hard drive and hand the device in for repair (because the hd is only accessible by taking the device apart).
I went to bestbuy recently for my kid's laptop with issues but still under warranty.
The employee asked for a password but my kid is connected with his Microsoft account.
I created a 'bestbuy' account on the spot with some classic luggage pin because the employee had no idea what to do.
I guess that if my kid went alone, he would have given the ms account password and the employee would have been able to access everything on that account.
I wonder if this systemic thing happens at Microsoft OneDrive, or Google, or the other cloud storage providers. I notice lately most of these apps tend to expect to download pictures/data from our devices, with obscure options to shut these "automatic" functions off. It would be a very interesting investigation/audit of such companies.
Back in the day - 1998 to 2003 - if we were backing up data for a rebuild, we'd check for mp3s and pirated movies, it'd be obvious when copying the data back to the users computer. The music just got added to the technician room playlist.
This is a broken culture problem as it's extremely perverse for technicians to do this. It degrades technologists in general as a trade and profession and it reinforces negative class stereotypes about people in service jobs. However, it does imply a business case for a tech quartermaster service for families who can afford it.
I would never have someone repair my computer, but if I did I would certainly not give it to them with intimate photos or sensitive information on it, for exactly this reason.
I found it very odd that the article needed to show 2 sets of these "private" pics (3 including the video) and focus so much on the models. Sad state of journalism.
> ""These results are frightening," said Hassan Khan, associate professor in the school of computer science at the University of Guelph. "It's looking through information, searching for data on users' devices, copying data off the device.... it's as bad as it gets.""
"It's as bad as it gets", he says, uploading his photos with GPS location data to iCloud, sync'ing his browser history to Microsoft, using keylogger-as-a-service Grammarly to write his article, having his online shopping history emailed to his GMail full of itemised shopping details and delivery addresses, leaving Google services to gather his GPS location in realtime on his trip home for live traffic data updates. "Those are personal photos!" he uploads to Facebook alongside an innocent group picture taken earlier, which Facebook does face recognition on and matches the people in the photo against the contacts list it stole from his phone. His drive home picked up on numberplate recognition cameras, and on neighbour's Ring doorbells. His phone scans the surrounding wifi SSIDs and reports them back to HQ. He enters the front door - "I had the weirdest experience just now", says his partner, "I got an advert on my laptop for something I was talking about with a friend, do you think Alexa or Facebook listen in to our conversations?". "I've been told that can't happen" he says, sitting down at his computer, which prompts him again to login with a Microsoft cloud account, then freezes momentarily as "Microsoft Compatibility Telemetry" takes all the available CPU. "Millions of personal details leaked from 23andMe" he saw in the news headlines[1]. An email arrives from a shop he walked past earlier which picked up his phone's bluetooth ID. His Kindle idles on the table, sending details of every book, every page turn, every passage highlighted, every note made. His car uploading the latest route and tracking data back to the manufacturer. His cloud password vault slowly leaking[2].
"The worst thing in the world would be if someone found out we were naked under our clothes" they both said in unison. "That's as bad as it gets". "Or if someone knew we went on holiday", she said. "Or had a bank account", he said.
----
"Each of these companies told Marketplace in separate email statements that they are committed to protecting customers' privacy." Yes, tech companies say that too. This article is a reminder that if we don't red-team, smoke-test, trial run, our business policies and regulations, we end up with words about how great they are while they aren't functioning or aren't existing.
There is a difference between you intentionally giving a service data, usually specifically to do something for you, and someone pulling data from a device without authorization or legitimate use.
Do you think most tech customers/users are aware enough of the details to give properly informed consent to this kind of thing? I don't. I think much of it is dark-patterned or coerced. I was amazed when iPhone swapped SMS for iMessages. All these years later, I can't believe they had the audacity to do that without any kind of prompting or approval. Previously with Blackberry you had to deliberately choose to use Blackberry messenger. iPhone merged iMessage and SMS into the same interface and if you contacted an iPhone user the phone checks the phone number with Apple and if the recipient is an iMessage user, it diverts the message through Apple servers.
From a user experience point of view it's easier, and you get 'free' picture and video messages. From a tech / privacy / informed consent point of view it's horrible. That was 15 years ago and it's only got worse in terms of tech companies taking what they want and claiming they got consent after by pointing to a line of legalese buried deep in a page nobody reads.