Via Bruce Schneier, Ars Technica describes in painful detail how computer repair people snoop and steal people's data all the time:
If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt.
Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.
The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren’t recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data.
In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.
In all, the findings from the study were:
• Privacy policies and the practice of communicating protocols and controls to protect customers’ data do not exist across service providers of all sizes.
• Service providers largely (10/11) require “all access” to the device, even when it is unnecessary.
• Technicians often snoop on customers’ data (6/16) and sometimes copy those to external devices (2/16).
• Technicians who violate privacy often do so carefully to not generate evidence (1/6) or remove such evidence (3/6).
• A significant proportion of broken devices (26/79, 33 percent) are not repaired due to privacy concerns. For the devices that get repaired, device owners are concerned about threats to their privacy but do not use the proper controls to protect their data.
The results likely confirm what many more experienced computer users already know: that their data is vulnerable to snooping or copying any time they surrender their device to an untrusted or unknown individual, particularly when the individual has their login password. But for a much larger percentage of people wanting to recover crucial data on a broken device, the findings are likely a wake-up call with few, if any, good solutions.
Another way to look at it: do you trust your locksmith?