When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your personal data? According to the results of a recent research by scientists with University of Guelph, Canada, you shouldn’t.

Granted, they tested only 16 repair service providers with rigged devices, but in six cases technicians snooped on customers’ data and in two they copied the data to external devices. Oh, and most of them tried to cover their tracks, either by removing evidence (e.g., by clearing items in the “Quick Access” or “Recently Accessed Files” on Microsoft Windows) or by trying not to generate it (e.g., by just zooming in on photo thumbnails).

Consumer privacy violated

Researchers Jason Ceci, Jonah Stegman, and Hassan Khan conducted a four-part study to measure the state of privacy in the electronics repair industry.

First they asked 18 repair service providers – national (big-box stores), regional (stores of a larger chain), local (mom-and-pop shops), and device manufacturers – whether they have a privacy policy or have set up controls to protect device owners’ personal data from snooping technicians, and found that most have not.

Then they dropped devices at 16 of those service providers after rigging them to log all the actions performed by technicians. After getting the devices back and analyzing audit and interaction logs, they discovered a number of privacy violations, against both female and male experimenters.

The snooping technicians accessed documents and picture folders (and revealing pictures), folders with financial information, and the experimenters’ browsing history. In two cases, the technician copied the revealing pictures to an external device and in one those two cases, the technician also copied a password-containing file.

The study also included an online survey with 112 respondents to collect data on their experiences when getting devices repaired, and found that of those who chose not to get at least one device repaired, 33% cited privacy as a factor for the decision.

Subsequent interviews with some of the responders also revealed that many service providers only have a generic policy on data…