Friday, June 11, 2021

Settlement for AppleCare Privacy Invasion

spencerdailey (via Hacker News):

Back in 2018, I encountered what I’d consider the cardinal sin of opsec by an Apple store employee. He asked me to disable my Mac’s password before I turned it in for a multi-day off-site repair. The casual manner in which he asked me led me to assume this was not the first time he had pushed this question, and that it was a common practice at this store (Barton Creek Mall in south Austin, for those who care).

Apple customers already place a great deal of trust in repair technicians who have the user’s password, but disabling it for logging in means everyone who handles or has physical access to the device could trivially steal data from it or install malware on it. A Mac going offsite gets handled by several intermediaries, not just the technicians.

The only safe option is to make several backups and then erase the device before getting it repaired.

Benjamin Mayo (Hacker News, also: MacRumors):

Apple has settled a case with a 21-year-old student after she sent her iPhone to a repair facility in 2016 only to find that employees had uploaded personal explicit images and videos to her Facebook account from the phone during the repair process.

The student had sent in her iPhone to Apple to get repaired. The invasion of privacy ultimately took place at a repair center in California, run by Pegatron, an Apple contractor. The Telegraph reports Apple paid out millions in settlement compensation.

2016, meaning that this lawsuit was already well underway when Apple’s lobbyist recently argued against independent repair shops on the grounds that its own repair service offered better privacy.

Kevin Purdy:

This kind of arrangement isn’t unusual. In fact, large companies almost always outsource repair and servicing to third parties. But it is also not something they readily acknowledge when they’re arguing against right to repair laws. And for good reason. As it turns out: the incidence of misdeeds by employees at authorized service providers are actually pretty common – and certainly no less common than independent repair shops. In 2019, for example, an Apple Genius Bar employee was caught texting intimate photos of a customer to himself under the guise of helping her with a repair. The same thing happened in 2016 at an Apple Store in Brisbane, Australia.

Also, there is lots of evidence that, far from emphasizing quality of service, OEMs work to spend as little as possible on authorized repair. Note the 2019 ICE raid on a Texas-based Samsung authorized repair provider CVE Technology that discovered undocumented workers performing authorized repair on Samsung devices.

In fact, when asked directly at the 2019 FTC Nix the Fix symposium whether there was any data to support industry’s contention that authorized repair is either higher quality or more secure than independent repair, Walter Alcorn of the Consumer Technology Association (CTA) admitted straight out that there was none.


5 Comments RSS · Twitter

That's the area where I want Apple to actually spend their enormous cash piles and get things right. A setup with password requests to access all the data at some unknown facility out of sight is a massive privacy violation and a security hole.

First of all, there should be another way to do all that.

In addition, if there are no other ways or until the other means are fully implemented, it should be a much higher bar for oversight to make sure workers with customer data aren't doing anything wrong.

Last year, I had to have my company ship me a new laptop because the Apple Store said I would have to disable full-disk encryption before they could repair my butterfly keyboard.

Your data is at least as important as that.

I now take a full backup of anything that has to be repaired and wipe it before taking it to the Apple Store.

>The only safe option is to make several backups and then erase the device before getting it repaired.

So where is Time Capsule? Or they want you to do iCloud?

I do not understand this requirement. Two things, one, I see no reason Apple would need to access your data to fix anything. In the old days, they could literally boot from a FireWire, USB, Thunderbolt drive to test the system (assuming the problem is not internal drive related). Do newer versions of Mac OS not allow for external booting? Secondly, I was always told the shop would likely wipe my data anyway if they needed to test a fresh installation of the OS.

Either way, full disk encryption can stay enabled because the shop either needs to access the system and will do a fresh installation or they do not need to access the data because the fix is purely hardware related and can be tested with any bootable media. Color me confused.

Ps Apple's position on third party repair has always been contemptible and utterly self serving. I honestly blame us, the consumers for allowing companies to push this agenda for so long. Apple is one of the biggest offenders, but they are far from alone. For instance, I think HP might still whitelist components for their PCs, so you can't even swap any bog standard WiFi cards and such. So stupid.

I always advocate to anyone I know who is having something repaired and is going to have to leave it behind to back it up and erase. It's just not that hard these days, at lease for Apple users - the tools are built into the OS. While not flawless, TimeMachine is pretty darn good for being something bundled into the system. With iOS devices it's even easier - be it iCloud backup or a local backup to a computer via cable.

Leave a Comment