Sky news explores the IT repair trade

by scotslawstudent

IT repair

It is not uncommon for people who repair computers to do things which are relatively harmless but still pretty unethical – stealing your music, for example, is quite commonly done. While that is not particularly horrible it does sort of show the attitude in some repair shops to the customer’s data.

I take the view that computer repair is in no way a more privileged job than washing machine or TV repair people. Perhaps, given the much greater range of wrong doing with computer repair it is actually a less privileged job. You can do just about anything to a washing machine that you’re repairing but if you wander through a customer’s files you end up on thin ice.

The industry has the slightly uncomfortable set of affairs where the job is little understood but relatively easy. A lot of the job of IT repairs is taking prefabricated parts out of clearly marked slots and replacing them with nearly identical replacements. The design and manufacture of those parts are extremely difficult, make no mistake, but the installation gets easier nearly every year. That does not mean that it make any more sense to someone when their computer stops working but it means that nearly anyone could be an IT repair guy and there’s absolutely no vetting.

Computers are unique for their ability to take a really significant chunk of your innermost life and make it both quickly accessible and very copyable. Without the Sky News investigation the worst I thought would happen is that my MP3s and videos would get copied into some monolithic tower of hard drives in the heart of the secretive repair lab. It turns out that rather worse things could happen.

The investigation

Sky News apparently asked PC Pro (a Dennis publishing computing enthusiast magazine) readers for horror stories of “rogue traders” and then they set up a honeypot laptop – they loaded it with folders marked “Private” and filled with bank details, pictures etc. They then filled it to the gunwales with spyware that would record what the technicians did, what they clicked or typed, what files they accessed and would take periodic pictures with the integrated webcam.

To create a simple, painless and easily remedied error they loosened a memory chip on the motherboard so that it would incompletely boot and give an error message. To fix this you would open the bottom panel, take the stick of RAM out, blow on the connectors (it really works!) and put it back in. At that point the computer would work again.

The problem, as I hope I have shown, was not rocket science and for people doing this day in, day out it should not have posed a great challenge.

Sky News discovered that the shops investigated were not keeping up the professional end of the deal. One of the shops presumably tried to turn it on, read the messages, fixed the problem and handed the computer back to the stunned Sky News researchers within minutes – that is to their great credit. While they didn’t charge this is up to the people involved. I would see no problem with charging for the work done, it’s not a lot of work but it’s still someone doing their job.

The other shops were much less ethical – they all managed to fix the fault quickly enough, but generally diagnosed a motherboard fault and charged for a replacement part. This is like charging a car owner for a new engine if you’ve tightened some screws. They also returned to the fully functional computer to see what they could get out of the hard drive – the folder marked “Private” becoming a very tempting target. The folder contained photos of the researcher wearing a bikini – which Sky (and Dennis) faithfully reproduced in the final reports – which was faithfully copied to a collection of similar photos on a technician’s USB drive.

The most worrying thing, and the most serious offence, was the repairman who then used some (fabricated) bank details on the laptop to attempt to gain access to a Net West bank account. Since the details were false the man was unable to access the account but that did not stop him trying for several minutes. God alone knows what he would have done if he had gained access but I think we really have to consider that attempted fraud.

Computers may seem like magic, and for a large part that’s what they are, but the IT repair industry should not get any extra leniency when it goes too far than any other repair industry. Now – where are the police investigations into this misconduct?

This sort of wrong doing hurts me more as a (fingers crossed) future professional than as a computer enthusiast. I’ve never used a computer repair shop, I’ve never had to. My parents sent our first Mac off to Applecare (and that held my games and my sister’s university thesis, not personal photos and bank details) and I’ve always just been able to muddle through since. However, not everyone has spent so much of their childhood spurning sunlight and perhaps can’t do their own repairs.

One big reason for why you might send your computer off to be repaired, even if you can fix it yourself, is that you’re too busy. High flying corporate lawyers working 70 hour weeks can hardly come home, get out their mini screwdrivers and fix their laptop after a hard day at work. They might desperately need their computer for work. In that case paying someone to repair it for you would be extremely tempting. If you are a high flying corporate lawyer your laptop might well contain suitably high flying private data and you hardly want your hard drive cloned (copied in full) in a repair shop.

The best ways to get around this are to keep personal data off your computer and on an external drive but this is a Herculean task since personal data is nearly everything you do on a computer. There is always the option of taking the hard drive out – if you can – but the hard drive can often be the fault that needs fixed. You may want to not let it out of your sight, you can get call out tech support that comes to you but this is expensive. The corporate lawyer in my example might be able to get it fixed by inhouse tech support at his firm, but that’s a long shot for most of us.

Beyond that encryption is quite sensible, but this needs to beat a bored, curious IT professional and that’s quite a substantial test. It may also work out that you need to let people look at your computer logged in and working. Encryption does not equal logon password (which is no protection at all), although my disc encryption (on Linux) is tied into that password prompt.

I think the best protection is taking the same measures as Sky News, recording what files are accessed, what’s clicked on, what’s typed etc. I don’t think you can take photos of them without their consent no matter what sort of crime they’re committing – the police actually gave me a warning for this over the summer. Sky News gets away with it because it’s a huge company and it gets to use the “public interest” journalism defence but I don’t know if individuals would, especially since most technicians won’t try to do something blatantly illegal like hacking your bank account. This stinks of closing the door after the horse has bolted but at least this means you can show what happened and that’s quite a useful measure in your defence. After all, you’ve not left your laptop on the train, you’ve brought it to a shop to be fixed.

Advertisements