What this and Khan’s previous studies shows is that it really comes down to the technician who touches your device, not the chain you take it to. These employees aren’t bonded and have no loyalty to customers or employers; some will follow the law when they think they’re not being observed, and others won’t.

Takeaway: take your devices to someone you trust AND assume they’re looking through everything they have access to. Same as mechanics, washing machine repairmen, etc.

Also, wipe your hard drives before you throw out computers. Folks throw PCs out all the time in my office building, and I pick them up to refurb and ‘freecycle’ them. More than half the time, I’ll plug it in to see if it will boot it up, and the drives are still intact, and loaded up with personal data… Then I plug in my DBAN USB stick and wipe the drive(s) 3x.

Take someone technologically curious, pay them near minimum wage, and give them unfettered access to someone’s system…… and people are surprised this is happening? That’s why in enterprise IT departments you have guard rails and permissions for lower positions until they end up mature enough, in a position of trust with comparable pay and they don’t care what’s on a system.

Former tech at an indie shop (in the USA):

I didn’t want to dig into people’s personal shit, especially not their niche porn collections.

Browsing history was one thing we actually would look at in order to determine infection vector (when doing virus removal). We would usually counsel the customer on how to avoid it in the future. Obviously didn’t do that on non-virus issues because that would be wrong and a total waste of my limited time.

The only time we would look at any images, erotic or not, is if they looked suspicious on a scan or by filename.

Because of prior incidents, we also would check files that might be CSAM and report those to the cops. Usually a thumbnail in a scanner/explorer/etc program would bring that suspicion.

I personally wouldn’t want any files from a customer PC, and the only USB I’d be using is the shop one with all the antivirus on it.

This is the best summary I could come up with:

For the Marketplace investigation, Khan, along with graduate students Angela Tran and Brandon Lit, loaded four smartphones and six laptops with the kind of private data many users would have on their devices: financial information, social media and email accounts, as well as browser history.

For the smartphone test, Prof. Mohammad Mannan from Concordia University and his Ph.D. student Sajjad Pourali created a repair issue — a flickering screen — and installed logging software that screen-recorded the technicians’ actions.

However, at a location in Woodbridge, the team documented that a Mobile Klinik technician scrolled through the Facebook account on the device, and looked through photos stored on the phone, including intimate selfies.

After Marketplace dropped off a laptop at a Markham location of the electronics and tech repair chain Best Buy, which has 164 stores across Canada, Khan’s team found a technician had browsed through several photo folders, including ones with names like “Bikinis,” “Date Fits” and “Nightwear.”

At the Markham location, a technician viewed intimate photos as extra large icons, which makes them easier to see without actually opening them, meaning they wouldn’t turn up as recently accessed files.

In an emailed statement, Canada Computers said it takes “its obligation to respect its customers’ personal information very seriously” and that its own investigation of the incident indicated it was an isolated event where one technician at one location violated its privacy policy.

The original article contains 1,567 words, the summary contains 232 words. Saved 85%. I’m a bot and I’m open source!

This is crazy!

Oh, and I had a thought about their methodology - the screen recording software only works when it’s booted from the internal hard drive. Boot with a USB stick with a Linux live image, mount the internal drive as read-only, and you can copy the entire thing, and nobody will ever know.