Designer Therry Lee, 28, had her privacy invaded by a computer technician when she took her notebook in for repair. The man, hired by her to change the device’s screen, improperly accessed intimate photos and videos stored on the computer and tried to cover his tracks. What he didn’t realize was that the victim would be familiar with IT, and would discover the intrusion after close scrutiny.
It all started when Therry’s personal notebook screen burned. One of the designer’s friends then recommended a company in the East zone that offered the technical assistance service. She accepted the recommendation. He was looking for technical assistance and that would not give him a “default”, as he stated on Twitter.
On September 9, one of the technical assistance staff went to pick up the device at Therry’s house, and the person responsible for the company — the same guy in charge of repairing the notebook — warned that a new screen would arrive “in 1 or 2 days”.
Therry sent the device to the technician, who then asked for the password to fix the screen. Without much questioning and aiming for a quick repair, the young woman gave the password to access the notebook. She herself recognizes the vacillation. In an interview with Techblog, he said:
“I don’t know everything. Even more as a customer and wanting to fix my personal notebook, I ended up giving my password. When you’re there paying for a service and looking for agility to be able to resume your routine, don’t be suspicious.”
But the technician obtained the password and continued with the “repair”. Two days later, he had completed the service, and told Therry via WhatsApp about a “favor” he had done: replacing the thermal grease that involves the processor and cleaning the cooler, deciding not to charge for the extra work.
Technician rummaged through photos 4 minutes after getting password
It was at this moment that the young woman noticed that there was something wrong with the service. Too much cordiality led her to open her PC for clues: what could the technician have done while he had the password? The discovery was a total invasion of Therry’s privacy.
The technician, just four minutes after obtaining the password, rummaged through the computer he was supposed to only fix for intimate photos. Therry first saw this because the man left a tab open in Google Chrome that she never visited: Google Photos.
“As soon as I opened my browser, I saw that there was an open tab of a page that I don’t visit. Then I looked at the browser history and saw that everything was erased. He tried to hide his activity, masking the attacks.”
Soon after discovering the activity, she opened the notebook’s File Manager, and found that the technician had entered several personal files, not just those of an intimate nature.
“My first concern was to log out of all social networks and change my passwords for any service I subscribe to. I even changed my registration at Enel (electricity company). Someone had the chance to mess with everything in my life, because it was all there.”
Attacker tried to access cloud and social networks
The designer managed to recover the browser’s history through a mistake by the attacker: he used her profile to browse the internet. When this happens, all logins are registered in My Activity on Google, tab within the Chrome settings. However, this feature may be disabled for some users; this was not the case with Therry.
The designer saw all the terms entered by the technician in the search engine. Words like “Google Drive”, “iCloud”, “One Drive” — the tech was looking for more intimate photos in cloud apps, where Therry could have accounts. Lucky for her, none of them had automatic login, a practice that is contraindicated by experts in digital security.
Therry tells the Techblog that the technician tried to access their social networks:
“The attacker tried to log into my Facebook. I think he wanted to look for conversations where I could potentially have sent nudes, or other types of sensitive content. He also tried to access my WhatsApp Web. Since I was screenless, and didn’t have a monitor to plug in, he must have thought I still had my messenger open. But I deactivated my account on my cell phone.”
Finally, using Windows Device Manager, Therry discovered that the attacker may have reaped loot. The notebook registered that a USB mass storage device was inserted, which indicates the use of a hard drive or USB stick to copy files from one device to another. One of the intimate photos was discovered in another folder called Downloads. Therry did not have a repository by that name before the notebook went for review.
After performing a thorough analysis that proves the technician’s access to personal files and folders on her computer, Therry felt devastated. She went to Twitter to tell the case, but did not reveal the name of the company or the professional:
“The first two days were terrible. I cried until my soul left my body. I paid the person to do a deal and was completely cheated. Basically, I paid to be hacked. I’m afraid to report the technician because he has my address, he knows where I live — if I reveal the culprit’s name, I’m afraid of being sued for libel and defamation.”
Police officer told the victim that “it was better to wait”
The same day she received the notebook back, Therry filed a police report (BO) online at the Electronic Police Department of the Public Security Secretariat (SSP) in São Paulo. The document states that the crime was categorized as “invasion of a computer device”.
Not satisfied with registering the incident online, the designer went to the nearest police station. There, she sought out a woman’s police station in the same building, but was discouraged by a police officer.
The agent told Therry that if she provided the computer password, there was no crime. “He didn’t hack your device because he had password permission.” She should wait for the invader’s next steps, or “wait for him to release the photos or blackmail them.”
It is stated in the BO that the young woman must file a complaint against the technician within a period of 6 months, appearing at the nearest police station where she ordered her notebook to be repaired. It takes more than two hours to cross the city by car, which discourages the young woman from proceeding with the complaint.
Expert says there may be qualified theft
In fact, the law on computer device hacking does not mention cases where the victim gives the password voluntarily. It is stated in the article that the crime only occurs when the invasion does not have “the express or tacit authorization of the user”.
In 2012, the National Congress approved Law No. 12,737, a device that typifies the crime of breaking into cell phones, computers and other personal devices. This year, President Jair Bolsonaro toughened the penalty provided for those who violate computer equipment through a presidential decree. Before, those who committed the crime could spend from 3 months to 1 year in prison, in addition to paying a fine. Now, the criminal can serve from 1 to 4 years in prison.
But criminal lawyer Carol Carvalho de Oliveira is not in favor of Therry sitting idly by, “waiting for the guy to disclose,” as the policeman said. For the professional, the young woman must continue with the complaint to find out if there was a different type of crime. The technician, possibly copying intimate photos, may have committed theft through an electronic device:
“What the technician did: he tricked her into giving him the password so he could get private photos. If it’s possible to prove that the technician took files and photos from her notebook, we could classify him as an aggravated theft. It is already proven by her that he entered the computer. We can’t imagine that the guy can go unpunished for lack of proof. There should be an investigation, an investigation opening to investigate the theft of personal information.”
Carol Carvalho warns that Therry’s position was delicate, because if she didn’t give the password, maybe the technician would do something worse with the girl’s own device. “The victim was induced to error. You shouldn’t blame yourself for being deceived. But it serves as a learning curve: whenever you provide your password — whatever it may be — you are letting your guard down”, says the professional from Campos e Antonioli Advogados Associados to Techblog.
“Women should not deprive themselves of having photos”, says IT technician
It’s true passing a keyword to someone is always risky and a big gamble on that person’s trust. But no woman should deprive herself of having personal files or photos on devices in constant fear of being invaded. This is the assessment of Viviane Cardial, IT technician at Info Preta, a company specialized in repairing and repairing devices for black women and low-income people.
We women cannot deprive ourselves of any document or file thinking that it will invade the device. But in case of submission, it would be interesting to remove this type of content, sign a confidentiality agreement and demand that this term not be copied. It is also recommended not to leave passwords saved on the computer. Ideally, the person knows what is in the machine. Know what was done before and after handling these items.
Choosing a technical review should be a trustworthy process, Viviane tells Techblog. But the decision must be made with caution; like any other product or service, you have to go after evaluations, three different opinions from those who went through the same review, go after the technical assistance social networks.
“Another very important thing is the price and the time needed to complete a service: if it comes out very cheap compared to the rest of the market, and compared to the price of the parts that must be exchanged, be suspicious. Same thing if it’s a job done in a short time — the technician can take too long for the wrong reasons.”
In Therry’s case, it was not necessary to give the man the password. But it depends on the review: if it’s something related to the operating system, like a Windows loading bug, or some machine backup problem, the professional benefits from access to the device. “In that case it might be possible to create a separate admin account with limited settings. This way, the review gets access to the device, but the personal files remain under a different username”, completes Viviane.
But the invasion was traumatic for Therry. She from now on will depend much more on your incessant curiosity. “I’ll fix everything myself now. As I told you, I already have experience and I will avoid technical assistance, unless they are done by women”.