Privacy in the digital world is a hot topic. At issue most recently is what kind of access the China-based app TikTok has to user data and what it intends to do with it.


Privacy concerns often focus on social media and other online activities, but first-ever research from the University of Guelph reminds users the electronics repair business also has access to your data and the notion of privacy in that industry is little more than a myth.

“It’s not that people aren’t concerned,” said Dr. Hassan Khan, professor in the School of Computer Science in the College of Engineering and Physical Sciences. “The majority are, the problem is that despite being concerned, they have absolutely no recourse.

“Once you drop the device for repair, you have no idea what goes on.”

Faced with a broken computer or smartphone that the average person has no technical skills to fix, consumers are pushed into taking such a risk. Electronics repair is a $19-billion industry with no regulation.

“It’s a staggering number,” Khan said. The business model’s success hinges on it being a cost-effective solution (the alternative being to purchase a new device) and on its environmental impact of reducing electronic waste.

‘Privacy violations happen’

In a four-part survey of national, regional and local service providers, Khan and his students found troubling practices, outlined in No Privacy in the Electronics Repair Industry. From big box stores to international retailers to smaller, private electronic repair shops, privacy violations occurred repeatedly.

First, researchers developed a field study using 18 service providers to seek electronic repairs on both computers and smartphones. They found most service providers did not have privacy policies or any safeguards protecting customers.

Next, they “rigged” devices configured with gendered personas and dropped them for repair in person, speaking to technicians with a prepared script to ensure consistency.

The researchers also conducted an online survey of more than 100 respondents to gauge their customer experiences and interviewed a portion of the survey respondents to dig a little further.

Researchers learned that many technicians kept the devices overnight and snooped through photos and folders. Some copied that data to external devices, being careful to avoid leaving a digital footprint and therefore skirting the notion of theft.

Some technicians were not entirely truthful with customers seeking help and asked for their login and passwords, claiming “all access” was necessary, regardless of the repair needed.

“We were just shocked,” said Khan, whose own phone screen cracked after slipping out of his pocket. He has learned to live with the damage, his phone among the 33 per cent of broken devices never repaired because of privacy concerns.

“Privacy violations happen, people know they happen,” he said, but the scale at which they occurred surprised researchers. When they inquired about it, many service providers told customers they work on an honour system and would not be in business if people didn’t trust them.

But as Khan pointed out: “How do you trust service providers?”

Regulatory oversight requires co-ordination

The study is the first-ever holistic view of customer privacy in the electronics repair industry in North America. Khan recently presented the research at the 44th IEEE Symposium on Security and Privacy in San Francisco.

The “undercover” aspect of the study is unconventional, he admitted, but so is the problem. The solution, he said, requires co-ordination among device manufacturers, operating system developers, service providers and regulatory agencies.

The paper draws comparisons to the guidelines that exist for public health authorities who inspect food service establishments. One idea Khan suggests is installing cameras that face the technicians’ workspace for monitoring purposes and randomly auditing them on a regular basis.

For consumers, he suggested encrypting your data – converting it to an alternative form that only authorized users can decipher. “And then, don’t give that password to anyone,” he warned.

Khan understands, however, that most customers have a basic familiarity with the technology on the devices they use every single day. Most were concerned about threats to financial or identity data.

“We’re hoping that we’ve identified some of the crucial problems and that both researchers and government agencies start investigating,” he said. “Personally, I think just one violation is a big enough reason to come up with a regulatory system.”

This study was supported by the Natural Sciences and Engineering Research Council of Canada.

Contact:

Dr. Hassan Khan
hassan.khan@uoguelph.ca