We caught technicians at Best Buy, Mobile Klinik, Canada Computers and others snooping on our personal devices

girlfreddy@lemmy.world to News@lemmy.world – 364 points –
cbc.ca

When you need to drop off your tech devices for a repair, how confident are you that they won't be snooped on?

CBC's Marketplace took smartphones and laptops to repair stores across Ontario — including large chains Best Buy and Mobile Klinik — and found that in more than half of the documented cases, technicians accessed intimate photos and private information not relevant to the repair.

Marketplace dropped off devices at 20 stores, ranging from small independent shops to medium-sized chains to larger national chains, after installing monitoring software on the devices. In total, 16 stores were recorded. (At four stores, the tracking software didn't log anything, or the stores didn't appear to turn the devices on.)

Technicians at nine stores accessed private data, including one technician who not only viewed photos but copied them onto a USB key.

91

as a technician myself, I hate this. I truly don't understand why any tech would ever do any snooping. I fix dozens of devices a day, I need the password so I can test the new part and make sure everything is working as it should be after the repair. I'm far to busy and apathetic to give a shit what people have on their devices.

side note, for those of y'all with Samsung phones, there's a maintenance mode that will allow the tech to test everything after the repair but not access any data on your device.

How would I go about putting my device in maintenance mode? Iirc that was only available for repairs at Samsung Authorized stores?

Settings -> Battery & Device Care -> Maintenance Mode

I truly don’t understand why any tech would ever do any snooping.

You don't understand that some people are just dirt bags?

Unsurprising. Most repair shops will ask for your PW to "test that the device works". If it is for a battery change, or screen fix or whatnot, refuse to give it! It is not required. They can confirm the fix just by accessing the lock screen itself.

Shitty people will do shitty things. That said, if you don't give your password, be prepared to have the technician test all sorts of stuff in front of you. The selfie camera, ear speaker, microphone, etc. sometimes are mounted on the screen. If there are problems, the tech will need to redo the repair. Not advocating for giving your pw, but be prepared for the process to be less convenient.

Edit: My bad, should have clarified I'm talking about phones exclusively. If you're worried about your computer, create a non-admin user and give them that password. If they had the skills to bypass that, they wouldn't be working at a repair shop.

If they had the skills to bypass that, they wouldn't be working at a repair shop.

What are you talking about? I worked at a geek squad back in college days and no one there needed your admin password to get into your computer. We'd just remove the password. The only reason we asked for your password was so you'd get your computer back with the password still on it, lol...

I'm more shocked that none of the techs found the monitoring software and assumed it was something malicious and disabled or removed it...

Bitlocker? FileVault? If you're cracking those, why the fuck are you working at a Best Buy?

Bitlocker or Filevault for the pin/password to get onto your computer? I don't think that'll be a common scenario. I also imagine they bypass the whole password thing, rather than cracking the actual password.

Yup. A majority of the time people didn't have any of that setup anyway. But also most of windows security is centered around external attacks over a network, not someone actually having your computer so there are lots of ways to just remove the password if you can plug in a flash drive or insert a CD.

If someone actually security conscious brought in a computer truly locked down, we would have had a tough time of it, but people that know how to do that aren't bringing their computer to geek squad to be fixed, so it's a catch 22.

Yeah I had a buddy who bought a PC that had a BIOS password on it(which now I realize was probably stolen.. but it was like a big box store 2010 desktop which is weird to steal) I was surprised with how easy it was to bypass that, and gain access with a flash drive and 3 minutes of googling

6 more...

If someone has physical access to your device, they also have the ability to access your files without your password. Unless you are using sophisticated full disk encryption, but that makes it more time consuming to gain access.

I wish Android still had full-disk encryption. It was dropped in Android 10 for file-based encryption, but as far as I know the keys are just somewhere on the device. But I am not sure about that. Like 10%.

They'll be in a hardware security module, just like the computer should be storing encryption keys with the tpm. Tbh I don't know what's actively implemented but definitely on the devices I manage in MDM they're non-compliant without that. I'm sure you probably can get cheap devices without though. Just like you can get home level laptops without tpm.

What it was really dropped? 😱

A lot of times, the camera/earpiece speaker/microphone cables are really fragile and tolerances are tight. The phone isn't designed to be opened. You should, therefore, make sure they work after the repair by making a test call.

You almost always need to the password to test a phone thoroughly. You can see that the screen works on the lock screen, but what about the front facing camera, and secondary microphone that are attached to the screen and need to be transferred, or replaced if you do it like Apple. On newer iPhones the slightest defect can cause face id to not work. On laptops it depends. Sometimes live USBs don't have the right drivers to test all the hardware. When you assume things are simple you're usually wrong.

Weird that you'd mention the cameras, one of the only things you can access from the lock screen.

For everything but data recovery you can get by fine without a password. You aren't gonna have a hardware issue that makes Facebook slightly slower, your device won't turn on.

Incorrect. On most devices after the power is cycled you can't use the camera on the lockscreen. You have to enter the password once before that feature is enabled. And if you're doing a screen replacement you need to power it off or you risk frying the backlight. How many cellphones have you repaired? 1? Hundreds? Thousands? It was my job for years, and my point is just don't assume things are simple.

1 more...
1 more...
37 more...

This is why we need a guarantee that tech workers are asexual before dropping off our devices for repair

Linking this here just because I only discovered that Nathan For You episode yesterday and would hate for anyone to miss out on the reference: Youtube / Piped.

Edit: fixed broken Piped link

And perhaps some kind of alarm to alert when a sexual person is in the repair area.

You could always have a lie detector added into the process to ensure they didn't look. Though for some reason I think that may be a better fit for someone like a mechanic over tech repair.

lie detectors are themselves lies anyway lol.

just clench your anus, breathe in and breathe out before every answer.

I have never - ever - dropped a device off anywhere.

I have spent hours and hours learning new skills, trouble shooting, and engaging in forums with people who know better than me.

But just drop it off? Never.

Wait wait.

I dropped off my ps2 to get modded.

Haha holy shit, the Canada Computers statement that photos weren't accessed inappropriately & that the employee in question was disciplined, shortly followed by a picture of the technician outright copying only these files to the USB drive. These people are scum

This is why I won't repair any device I can't fix myself (which unfortunately is most of them, I'm not very tech literate).

if you are technical enough to replace a hard drive then when you buy a computer also buy an extra drive. day1 build your machine or recover to the new drive. keep original drive in case of repair need. it also helps to troubleshoot if your problem is hardware or software.

Lol, I barely understand the words you just said.

He's saying that if you can change a hard drive, then you can always just keep a spare one (with a clean OS install) on hand to use whenever you take it in for repairs.

Changing a hard drive is basically knowing where the hard drive is, how to access it, and then unplugging and replugging some cables. Fairly easy, and most newer cases have been designed to make it easy to reach the storage bays.

Not sure why you think explaining the same thing in basically the same way would change anything. I am not tech literate, I wouldn't even know how to open the computer to access these locations. Stop trying to teach me, you're wasting your time.

Now thats a bit rude. You could of just not responded to him. Instead you take time out of your day to say "I don't want to learn."

Sorry, that's my bad. When I see something that looks like a request for information, I try my best to answer it. Even if you personally don't find it useful, someone else in a similar position but different perspective on learning might be interested. Sorry, hope you have a good day!

I never requested information, I simply made a couple statements about my lack of tech literacy. If I wanted to learn, I would have done so years ago.

This is why commenting on lemmy sucks.

8 more...
8 more...
8 more...
8 more...
8 more...
8 more...
8 more...

I've been in tech since 2007 and people are stupid and sometimes they leave "private" photos on the damn desktop. No offense to end users but don't leave your pornos out in the open...buy two USB drives and back it up to both and store in a closet or something. The end user is also at fault here imo. Many times IT people aren't looking for shit but people are stupid enough to leave it right in the open.

People are allowed to leave shit on their private computer out in the open and IT bros have 100% of the moral responsibility to not look at it.

It's unrealistic and more importantly unjust to blame the victim here.

Why are you clicking and opening people's image or video files even if they're right on their desktop? I doubt that's part of the repair troubleshooting you are supposed to be doing. You shouldn't be clicking on their images or videos even if they are easily accessible.

This being so common is creepy, but I feel like I just read/heard about a case where some pedo was recently arrested because a tech found CSAM on his phone during a repair and reported him. I really value privacy, but in that one case I'm glad the tech got nosey. I'm a bit intoxicated right now and cannot remember where I heard about this, but probably some true crime podcast or YouTube channel. I'll update with a source if I remember.

EDIT here's one, but there are dozens of cases like this if you search https://kmph.com/news/local/tech-repair-shop-helps-arrest-customer-possessing-child-pornography-in-fresno

The thing is, it's really hard to be consistent on beliefs, especially in cases like this where it might sound unfavorable.

If you say you're against surveillance and spying on devices, people will generally agree that's a good thing. But this is an example of privacy invasion, and is justified because they caught CSAM, so it must be good, right?

Well in the big picture of things, this would be setting a precedent. Where they can justify these things because they can find and stop these things. This tends to lead to the "think of the children!" fallacy. Legislators are actively using this argument to push anti-privacy measures like breaking encryption so they can stop this. So it unfortunately means, respect privacy, or allow these things to go unchecked.

Freedom comes at a price, and you gotta stay consistent even if it lets bad guys get away with things. You can justify a lot of fascism in the name of stopping the bad guys, since obviously it's not a good look to defend those actions.

Ehh. Your way sets really bad precedent that deprives all of us of freedoms in much more horrific ways than some retard getting caught with CSAM he should not have been having in the first place.

Freedom means more than that and to argue otherwise is to argue innocent people need to be sacrificed on your political altar to make you feel like you can be safe hiding shit. You never can no matter how free your country is.

What do you mean deprives us of freedoms?

Everyone has a right to lock their bathroom door. Crime might be comitted behind the bathroom door, but usually there will be other evidence of that without looking in the bathroom, so there is no need for the government to legislate that all bathrooms should remove their locks.

No one ever questions the right of locking your bathroom door.

Because the ones who violate our rights the most aren't tyrannical governments but the people around us. The people who rape us, murder us, commit genocide against us, who commit the most unspeakable of depraved acts with the banality of a zombie in a fucking zombie movie.

And you think that's okay in the name of stopping a government from turning tyrannical when you knew it was always going to be like that anyway because all governments are inherently authoritarian in nature.

Well yes, because it's not up to the government to take care of or protect your kids. And it's your job to make sure they can protect themselves online. That's just common sense.

Additionally, the government is still effective at catching bad guys without backdoors to encryption, and this stuff doesn't stop you from monitoring your kids devices.

Yes in the US, Texas for example has used publicly available information to jail moms who travel for abortions.

If the government were to trample on the freedom of privacy, it would affect the right to protest, it would affect freedom of assembly, it would affect freedom of opinion.

China literally monitors most of their citizens communications this way.

We do NOT want governments to invade privacy for the sake of security.

Because, if the government can see what you do, then criminal actors can also see what you do too.

So TIL it's on me to hunt down predators who abduct my kids and use them to make CSAM or sell them into sex slavery. That actually is pretty close to the truth in today's tyrannical world.

Governments are always going to surveil their populations en masse and abuse them in the ways you described and more regardless of what their constitution and code of law says, so it's silly to waste your time with a slippery slope argument when we're already at the bottom of the valley, always have been and always will be. So are criminal actors.

So we need something for us because rights simply won't cut it and the Great Experiment obviously failed. That's not gonna change just because you don't like it.

Well it's understandable that you think the predators are random men in white vans texting your kids, grooming, and abducting them, but in actuality, a ton of the major produces of CSAM are parents or family members.

This doesn't account for a smaller, but significant percentage of self-producers that post online because they're following online sexual trends, innocently self-expressing, or self-exploiting.

Having the goverment ban encryption will only undermine the privacy and security of law abiding citizens, and jeopardize national security. Parents don't have to send messages to their kids really.

The police won't protect your child from your spouse.

Banning encryption won't do anything to curb this concern of yours, its like banning car locks because people could hide heroin in cars.

I can empathize with your stance, but I have to tell you, that the "protect children" argument has been used to justify genocide, racial segregation, and so many other violations of civil rights within the last 100 years.

Dude, I am an abuse survivor. I know more about this first-hand than you with all of your studies. Why do you think I'm saying surveillance is so important? The whole fucking point is it's because family, neighbors, and people of high community esteem are the ones who do it. They're masters of social dynamics and so without surveillance tools for the general public, they'll never be caught and will continue to rule society from the shadows through mass rape, abuse, murder and oppression, especially of women.

But you'll be telling me my dumb ass is just biased, angry and bloodthirsty next. I know your stupid-ass playbook because I've heard this crap over the years.

Try telling the kid next door whose mind will be permanently broken because her piece of shit sperm donor keeps sneaking into her room and diddling her every night that nothing can be done about it because he's sneaky about it and she's incapable of recognizing what's happening to her is wrong, let alone reporting it herself. Tell her that's what freedom means even if it means her innocence is sacrificed on the altar to the slaveowning founding fathers and if she doesn't like it she can just go to counseling and learn to let that shit go (AKA go fuck herself like her daddy did).

Go ahead and tell that to a quarter of all American women and a sixth of all of their men who have been raped in their lifetime and would have seen justice if they were allowed the tools to find and jail or at least kill their rapists themselves. Who are usually spouses or family.

Or the thousands of families whose loved ones are being murdered on the street every year BY the tyrannical government which has always been tyrannical and always would have been because the dumbass framers failed to take into account the obvious genocide of Black people they were actively participating in.

Tell all of those motherfuckers they have to be sacrificed on the altar to George Washington and Thomas Jefferson to appease the freedom gods while we still are being surveiled and searched and murdered with no positive benefit, because that's what freedom and rights actually mean to you.

Feel free to write your own wall of text below so you can feel like you're winning something, I'm not gonna read it:

And that's why you would never be put on a jury Mr. "Hunt the predators and rapists down and kill them violently".

If I were in your position, I might be getting equally angry at the meer suggestion that privacy is important, but I would be wrong for being angry at the wrong topic.

Anyway, this fight against encryption is going to lose, for the sake if journalists who report in hostile countries without freedom of speech, for the sake of kids with parents who'd kill them if they came out as trans, and for people in the intelligence industry.

It's one thing to merely stumble across someone's private content on a PC while working on it, and quite another to actively seek it out and make a copy like the guys in the article were caught doing.