No Privacy in the Electronics Repair Industry

I worked at a computer rental shop in the mid-90s (renting computers was a thing back then). Customers used to leave files on the returned computers all the time. My colleagues and I used to look at them sometimes. It was almost always boring stuff. Until once a customer returned a computer with CSAM jpeg images. Hundreds of them. Very bad stuff. We called the local police. They were basically useless. They just didn&#x27;t know what we were talking about. Remember, this was almost 30 years ago, before the web. We asked if they had any contacts at the FBI, and if so, to forward the info to them. The next day a couple of FBI suits showed up and took the computer. They knew <i>exactly</i> what we were talking about. The suits were very technical. I was totally impressed.<p>The FBI suits came back about a week later and took statements from everyone. We tried to get info from them about the case, but they wouldn&#x27;t give us anything. However, one suit said the computer wouldn&#x27;t help much for a conviction or even making an arrest because too many hands had touched it. Depressing. However, he did say that the customer is on their radar, and an active investigation had begun. He <i>hinted</i> that it was only a matter of time before the dude was caught in the investigation. I felt a tiny bit better after that. But still, the only experience made me feel like shit. It still does.

Nathan Fielder (who graduated from one of Canada&#x27;s top business schools with really good grades) tried to address this in an episode of Nathan For You (s04e07).<p>The plan? Put customers at ease by offering the world&#x27;s first asexual computer repair.<p><a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=jf9I04Oa-hU" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=jf9I04Oa-hU</a>

When I had to replace my old Thinkpad&#x27;s screen, I really liked that the repair shop explicitly said that they didn&#x27;t need the credentials to my bitlockered drive and in fact offered to take the drive out physically and give it to me. They could boot off USB into a portable Linux install and do whatever and in fact they did.

I swing by the local Goodwill clearance outlet occasionally looking for vintage electronics. The other day I grabbed a Commodore 1541 floppy drive from a bin. At the checkout, the young employee balked and said “sorry, that shouldn’t have made it out there, it’s against our policy to sell call computer drives because they might have personal info on them”. I asked him to please double check with the oldest, greyest employee in the store. I walked away with it for 3 bucks.

&gt; we drop rigged devices for repair at 16 service providers and collect data on widespread privacy violations by technicians, including snooping on personal data, copying data off the device, and removing tracks of snooping activities<p>Wow... that makes me so uncomfortable<p>More details in 5.2.1 in the pdf: <a href="https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;2211.05824.pdf" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;2211.05824.pdf</a>

Any time I turn in a macbook for repair they demand my admin password. Fuck off. Erase it, I’ll restore, but I’ll never give you access.<p>They are trained to make you feel like you have something to hide.

There have always been stories about geek squad and other places saving customer&#x27;s files for their personal use, reporting customers to the police for content found on their drives, or handing customer&#x27;s data over to the state. I doubt the government or the repair shops have any interest in putting a stop to it.<p>Any time I&#x27;ve had to take my PCs in for something I pull out the hard drives before driving them over. As long as the machine can POST, I can take care of the rest. It gets a lot trickier with other devices though. I can&#x27;t imagine trying to pull the storage out of laptops, tablets, cell phones, or game consoles.

I recently sent my Steam Deck for RMA, and interestingly in the packing instruction to send it, Valve tells to do a factory reset. Which I did.<p>First I thought it was to simplify their tests when they get it, but now I&#x27;m thinking it could be to make sure technicians don&#x27;t have access to my personal data.

Samsung added a maintenance mode enforced by their Knox hypervisor you can enable before handing a device off for service.<p><a href="https:&#x2F;&#x2F;news.samsung.com&#x2F;global&#x2F;samsung-releases-maintenance-mode-a-new-feature-to-hide-your-personal-information-from-prying-eyes" rel="nofollow">https:&#x2F;&#x2F;news.samsung.com&#x2F;global&#x2F;samsung-releases-maintenance...</a>

Anybody interested in watching electronics repair videos I highly recommend the YouTuber northridgefix <a href="https:&#x2F;&#x2F;m.youtube.com&#x2F;@NorthridgeFix" rel="nofollow">https:&#x2F;&#x2F;m.youtube.com&#x2F;@NorthridgeFix</a> I can not recommend his videos enough. So fun to watch and see we don’t need to throw every device that breaks into the garbage. If I was to need something repaired he is the guy I would send my stuff to.

Sad as it is - there is a lot of corruption in the repair industry, with this only being one facet of the issue. It’s why companies like Apple look on R2R activists like Louis Rossmann with pity internally but won’t budge.

It seems like its not a bad move to replace your hard drive with an empty one before you turn it over for repair. Too bad these new &quot;privacy focused&quot; macs don&#x27;t let you do that anymore. Maybe you can use an external ssd as your main boot disk and storage volume and not keep anything on the internal ssd.

This paper seems like it could really benefit from the peer review. The sample size seems to be very small and seems to ignore that people are more likely to respond to such a survey if they had a bad experience. (Arxiv is a preprint server, the materials uploaded here have not been peer reviewed.)

Ideally every device should store all the user-related data on an easily removable storage module (i.e. SSD&#x2F;SD) separate from the OS files.

If you work at some retail electronics hellscape long enough I&#x27;m sure even Mother Teresa would eventually give in to the temptation to supplement her income by selling customer data, or at least alleviate boredom by browsing pics. I guess I trust apple&#x27;s file vault enough that I&#x27;ll allow them to repair a laptop without a password. I&#x27;ve had two apple laptops fixed and to their credit they didn&#x27;t even ask for the password.<p>I would never give a repair place a password though. It is better to just buy a new device.

That&#x27;s horrible. The most surprising results are in section 5, especially claims that technicians copied files from the repaired devices.

I can&#x27;t help but feel a little suspicious of the motives behind this. Beware the anti-right-to-repair activists.

&quot;Researchers are proposing a logging program that cannot be disabled by the repair technician. It would be clear if the logs were deleted by the technicians.&quot;<p>Nice, now we just need EU getting together and creating a new law forcing that all hardware should have such capability &#x2F;s

One time I didn’t have the time to fix my PC myself so I took it to Fry’s. The tech was bemused when my answer to if I had backed it up was that I had pulled the drives. They did fix it though.

I remember remarking I felt unethical investing in anything but index funds after doing a volunteer help desk freshman and sophomore year of college.<p>People disclose a lot by accident and you can not repeat what you see but it’s hard to forget what you’ve learned.<p>(It’s partly why I didn’t want to be a systems admin or forensics tech and focused on censorship circumvention.)

Yet another way apple protects our privacy - making their products impossible to repair!

I wonder if there is any data referencing equivalent services in the EU.

A Bunch of young, mostly male, underpaid, low-authority folks abuse their customers? Shocker. I mean, sure, we should expect better, but being surprised by this is naive. To the extent that you could once trust your sysadmin, those days are over, that culture is long gone. And even when that was a thing, there were still a bunch of creeps with root around.<p>This is why I fix my own machines, and replace phones when they break.