Computer services company accesses customer’s laptop remotely during help desk call without seeking customer’s express consent

PIPEDA Findings #2021-007

March 24, 2021

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Description

The complainant claimed that during a help desk service call, a computer services company’s technician accessed his laptop remotely, without his express consent. We found that the respondent was unable to provide evidence to show that it had obtained meaningful express consent to access the complainant’s computer, or customers’ computers in general, when using remote access software. We further found that the respondent did not have appropriate safeguard measures in place to prevent unauthorized access to customers’ computers, consistent with the sensitivity of the customer information at risk.

Takeaways

Organizations using remote access software to provide IT help desk services should be open with their customers about such software’s existence, how it works and how consent for its use is obtained.
Individuals’ computers can hold sensitive personal information, like passwords, financial account information, and intimate communications or images.
Organizations wishing to gain access to an individual’s computer must generally:
- obtain express consent to do so;
- be able to demonstrate that the customer provided their consent; and
- implement robust safeguards to adequately protect against employees gaining unauthorized access.

Tips for Individuals

While our office found no indication in this case that the remote access tool had been used for malicious purposes, in the past we have seen examples of malicious actors leveraging personal information that was provided to service providers as an attack vector.
For more information on how to identify a technical support scam and what to do in those situations, please consult our Office’s blog: Remote access: Opening the door to your personal information.

Report of findings

Overview

The complainant bought a new laptop from a computer service company (the “respondent”) via an electronics retailer’s website (the “retail website”). A help desk service came as part of a special offer bundled with the laptop.

During an appointment with the respondent’s help desk service, the complainant alleged that a technician used pre-installed remote access software to access his laptop without his consent.

The respondent asserted that it did not record copies of customers’ computer screens viewed by its technicians, or otherwise collect any personal information (documents, photographs, etc.) from customers’ computers, while providing its help desk service. Specifically, it did not extract any of the complainant’s information from his laptop.

In our view, remote access could allow technicians to view personal information stored by the user on their computer, potentially including sensitive, and valuable, information (such as financial information, medical information, private documents, photos and user credentials), such that the respondent should have obtained express opt-in consent for such access.

The respondent claimed that its technician obtained the complainant’s express oral consent for use of the remote access software during the call. However, the complainant contested this. Furthermore, the respondent was unable to provide evidence to demonstrate that it had obtained meaningful express consent to remotely access the complainant’s computer, or customers’ computers in general, via the software.

The complainant also questioned whether the respondent adequately protected his and other customers’ personal information from unauthorized access and monitoring by its staff using remote access software.

The respondent pointed to the following security measures in place. Certain of our commentary on the measures is also included:

Access to the software in question was limited to a small number of the respondent’s employee technicians, through a web portal that required two-factor authentication, and was logged and monitored by the software provider.
Remote access required the use of a unique customer ID, provided to the technician by the customer. However, that ID was originally provided by the respondent. Further, the number was static. As such, the same number could be used by technicians to gain access to the customer’s computer on multiple occasions.
Technicians could not access the customer’s computer unless it was turned on, and connected to the internet. Further, it would have been visually apparent to a user sitting in front of their computer when their device was being remotely accessed. However, we note that individuals will sometimes leave their computer on and connected when they are not sitting in front of their device, in which case, they would not witness the unauthorized access.
The software did not allow users to copy or record client personal information during remote access sessions. This would not, however, preclude a technician from copying information via other means (for example, by using a cellphone, camera or pen and paper).

Certain other remote access tools require real-time intervention by the computer user, on their device (e.g., by clicking on a consent box, or entering a code), to confirm that they are aware of, and consent to, third-party access. Such tools also allow the user to end a remote access session, unilaterally at any time (e.g., by clicking on a box on their screen). Contrarily, the respondent relied upon oral consent obtained by its technicians, pursuant to undocumented protocols, such that it was unable to demonstrate that technicians actually obtained required consent before accessing the customer’s device.

Ultimately, in light of the above, we found that the respondent did not implement appropriate safeguard measures under PIPEDA, commensurate to the sensitivity of the information at risk.

During the course of our investigation, the respondent underwent corporate restructuring, which included the cessation of its Personal Help Desk service to individual customers and the termination of its use of the remote access software it had installed on certain customers’ computers.

We therefore found, that the consent and safeguards matters were well-founded and resolved.

Background and complaint

The complainant alleged that during a help desk service call, the respondent accessed his laptop without his consent, by activating and using remote access software that they had pre-installed on the device. The complainant further questioned how the respondent protected his and other customers’ personal information from unauthorized access and monitoring by its personnel through the use of such software.

About the respondent and its services

The respondent sells computers to small business clients and individual customers via its business premises, website, and third-party retail websites.
The respondent offered managed IT services to individual customers via its “Personal Help Desk” service. During the course of our investigation, the respondent ceased to offer these help desk services^{Footnote 1}.
During our investigation, the respondent indicated that it had over 530 business clients and individual customers subscribing to the two help desk services.
The service relied primarily on remote access, i.e., an individual customer would contact the relevant respondent help desk service via email or telephone. The respondent’s help desk technicians would then use pre-installed remote access software to access a customer’s computer, troubleshoot their problem and fix it.
Customers could also subscribe to the respondent’s additional security and patch management service, whereby the technicians would ensure that customers’ computers were kept up to date with the latest updates and security patches via remote means.
The respondent explained that its Personal Help Desk service was bundled with laptops sold online through a retail website^{Footnote 2} during January and February 2019. This service required the pre-installation of remote access software on customers’ computers^{Footnote 3}.

Complainant’s interactions with the respondent

In February 2019, the complainant purchased a laptop through a retail website. The respondent was a pre-approved third-party vendor on the website and fulfilled the complainant’s order.
The complainant transferred his and his family’s personal information into the new laptop immediately upon receipt. In doing so, he was unable to install the anti-virus software he normally used, as the respondent had already pre-installed different anti-virus software on the laptop. The complainant contacted the Personal Help Desk via email about removing the anti-virus software. In doing so, he provided the Help Desk with the unique customer ID number supplied to him by the respondent, per the respondent’s instructions in documentation provided along with the laptop.
The Personal Help Desk subsequently sent an uninstall command to the complainant’s laptop which triggered removal of the pre-installed anti-virus software. No remote access to the complainant’s laptop was required.
The complainant then encountered a recurring request for a password linked to an office suite program also pre-installed by the respondent on his laptop. The complainant contacted the Personal Help Desk to resolve this matter, again providing his customer ID number.
On March 25, 2019, a technician arranged an appointment with the complainant stating “[the work] will take about 10 minutes and will be done remotely… Your computer must be turned on and be connected to the Internet during the appointment.”
The complainant agreed to the Personal Help Desk appointment, which took place later that day. During the appointment, the complainant asked the technician to uninstall the office suite program. The complainant claimed that he was surprised when the technician immediately started moving his mouse cursor around his laptop, without warning, or obtaining his express consent beforehand^{Footnote 4}. He wondered how the respondent had such access to his laptop.
The technician removed the office suite software. The complainant then asked the technician if the respondent had pre-installed any other software on his laptop. The technician stated that the respondent had pre-installed a “remote access agent” program. The complainant asked for its removal and the technician complied with the request immediately.

Complainant’s complaint to the electronics retailer

Concerned by what had happened, the complainant escalated the matter to the electronics retailer, operator of the retail website, which in turn raised the complainant’s concerns with the respondent.
The electronics retailer asked the respondent if it had obtained express consent from the complainant via his computer screen, before accessing his laptop remotely. If it did not, the retailer asked if the respondent could provide a recording of its call with the complainant to verify that its technician had obtained his oral consent before accessing his laptop.
In its response, the respondent did not provide evidence of the complainant’s consent. It confirmed that the complainant’s laptop came with its “[OPC: name redacted]” special offer (the “special offer”), which consisted of one-year anti-virus, office suite and Personal Help Desk subscriptions. This required the installation of additional software programs on the laptop before it was shipped to the complainant.
The respondent explained that any time its technicians provided remote support to a customer, the customer would always be notified and involved in the remote access process. In this case, its technician was on the phone with the complainant for the request to uninstall the software in question. The respondent added that the remote access software was not meant to make a customer feel unsafe and that it removed it promptly from the complainant’s laptop at his request.
Later, the respondent offered a full refund to the complainant, contingent upon his return of the laptop back to the company. The complainant declined the offer and then submitted a complaint to our Office about the privacy practices of the respondent.

The electronics retailer’s submission

During the investigation, we sought information from the electronics retailer. The retailer responded to our technical questions, and provided us with a copy of its retail website agreement and associated documents.
The retailer confirmed that the respondent was an approved third-party vendor of computers on its website. Per its agreement with the retailer, the respondent was required to comply with its privacy and legal obligations.
The retailer confirmed that it had not received any other customer inquiries about the respondent regarding the issue of remote access.
Subsequent to engaging with our Office, the electronics retailer amended its retail website agreement to explicitly prohibit third-party vendors from pre-installing remote log-in software or code, as well as spyware and trackware, on computers or other devices sold on its site.

Analysis

Issue 1: Whether the respondent obtained meaningful consent prior to remotely accessing laptops?

Principle 4.3 of Schedule 1 of PIPEDA states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
In our view, the respondent failed to demonstrate that it obtained valid consent prior to accessing the complainant’s laptop, and other customers’ computers, and the potentially sensitive information thereon, during Personal Help Desk service calls.

Respondent’s position

The company denied remotely accessing the complainant’s laptop without consent. It explained that its Personal Help desk technician engaged in a mutually agreed service call with the complainant to resolve a technical problem with his laptop. It pointed to the invitation sent by email to the complainant, where the technician indicated that he would resolve the complainant’s problem “remotely”, and needed the complainant to have his laptop on and connected to the Internet. It also pointed to the complainant’s agreement to the call.
The respondent confirmed that its Help Desk technicians did not present a check box or button to Help Desk customers to click and consent to the remote access of their computer.
Rather, the respondent asserted that its technicians sought express oral consent from Personal Help Desk customers before initiating remote access sessions. The respondent further represented that it asked each customer for their customer ID number to initiate access via the software, using text along the lines of “Can I have your ID for the purpose of taking remote control, so I can see your screen and take control of your computer.” The respondent added that before initiating the remote access session on the complainant’s computer, the technician asked the complainant for verbal consent to do so.
The respondent added that when its technicians remotely access a customer’s computer, they could see the customer’s computer desktop and any open windows or files. The customer’s computer screen visibly changed to indicate a remote access session was underway and the customer could see exactly what the technician is doing on their computer in real-time.
The respondent stressed that it did not collect or use the complainant’s personal information via its Help Desk service. Nor did it monitor, copy or retrieve any of the complainant’s personal information from his laptop while the remote access software was installed on it.

Assessment

The respondent claimed that its Personal Help Desk technician obtained the oral express consent of the complainant, before accessing his computer.
In our view, express consent would be appropriate for remote access, which could allow technicians to view sensitive personal information stored by the user on their computer (such as financial information, medical information, private documents, photos and user credentials).^{Footnote 5}
The complainant alleged, however, that the respondent did not obtain his express oral consent, and that he only learned of the remote access after the technician had taken control of his computer.
The respondent was unable to provide our Office with any evidence (e.g., a recording of the call) to demonstrate that the complainant actually provided his express oral consent.
PIPEDA further requires that consent be meaningful.^{Footnote 6}
The respondent was unable to provide any evidence, to establish what technicians would have told customers in seeking their consent for remote access (e.g., internal guidelines or a consent script used by its technicians), again noting that it did not have a recording of its call with the complainant.
We also examined how the respondent sought to describe its Personal Help Desk service to customers via other methods. Neither the respondent’s website, nor its privacy policy, nor the documents issued to the complainant and other retail website customers who purchased laptops, explained the way in which technicians would remotely access customers’ computers for purposes of providing the service. Nor did we receive any evidence that the respondent had informed its Personal Help Desk customers that their customer ID number operated as a “key” to allow its technicians to access their computer remotely.
In our view, in light of the above, the respondent failed to demonstrate that its technicians obtained meaningful express consent to access the complainant’s computer, or customers’ computers in general, via its remote-access software.
Finally, the respondent claimed the functionality, and its use, of the remote access software in question, was no different from Microsoft’s Quick Assist, found on computers with the Windows 10 operating system. Although we did not evaluate the compliance of Quick Assist with PIPEDA, which was not under investigation in this case, we note that it functioned very differently from the process used by the respondent.^{Footnote 7}

Issue 2: Whether the respondent had adequate safeguards to prevent unauthorized access to customers’ personal information by its personnel?

Principle 4.7 of Schedule 1 of PIPEDA states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Organizations shall protect personal information regardless of the format in which it is held. Principle 4.7.3 adds that the methods of protection should include: (a) physical measures; (b) organizational measures; and (c) technological measures.
In our view, the respondent relied predominantly on protocols precluding its technicians’ access to the remote access software, and logs or complaints to identify if unauthorized access to a customer’s computer had occurred. This was not, in our view, commensurate with the volume and sensitivity of information stored in individuals’ computers, which could be of great value to malicious actors (e.g., with a view to perpetrating fraud or identity theft).

The respondent’s safeguards

The respondent claimed that it took security seriously when providing help desk services to its customers and implemented appropriate safeguard measures to ensure that it did not compromise customer personal information through such sessions.
The respondent asserted that it did not record copies of customers’ computer screens viewed by its technicians, or otherwise collect any personal information (documents, photographs, etc.) from customers’ computers as part of providing its Personal Help Desk service. Specifically, it did not extract any of the complainant’s information from his laptop.
The respondent accepted that it was theoretically possible for a technician to access a customer’s computer without permission, if the remote access software was set up on the computer and remote access enabled. However, it claimed that there were safeguards that would make it likely for a technician activating a remote access session without authorization to be caught.
The respondent explained that to gain remote access, the technician would first have to log in to it’s internal “Members App”. Client information, including a “master list” of customer ID numbers required to open a remote access session, was held in this app. Access to the app was limited to internal personnel, and required signing in to a company-associated Microsoft account requiring two-factor authentication. Access was logged and viewable by the respondent’s administrators.
Furthermore, after logging into the app, a technician would have to sign into the remote access software provider’s web portal to open a remote access session. Only the company technicians had portal accounts. Access was again subject to two-factor authentication, and the software provider logged and monitored all portal activity.
The respondent explained that technicians would only then be able to remotely access a customer’s computer, provided the customer’s computer was turned on and connected to the Internet.
The computer screen would visibly change to indicate to a customer when a remote access session was underway. The respondent asserted that if a customer saw this, and the access was unexpected, they could report the occurrence to it.
However, we note that many individuals leave their computers turned on and connected to the Internet, even while they are not sitting in front of the device. In such circumstances, a customer would not be present to witness unauthorized activity.
The software did not allow users to copy or record client personal information during remote access sessions. We observe however, that this would not preclude a technician from copying information via other means (for example, by using a cellphone, camera or pen and paper).
Additionally, the customer ID number, employed by the respondent as a “key” or password, is a static, one-time, safeguard measure. It would not, in our view, be sufficient to protect against unauthorized remote access to customers’ computers, particularly where a master list of such numbers was retained and accessible to technicians.
By way of example, the complainant initially provided his customer ID number to the respondent’s Personal Help Desk via email the day he received the laptop. Separate from the master list, the initial technician (or anyone else they chose to tell) would have been aware of the complainant’s customer ID number from the day he received the laptop, and able to access his computer when it was turned on and connected to the Internet (even when he was not using it).
We note that certain other remote access tools (like that cited by the respondent) require real-time intervention by the computer user, on their device (e.g., by clicking on a consent box, or entering a code), to confirm that they are aware of, and consent to third-party access. Such tools also allow the user to end a remote access session, unilaterally at any time (e.g., by clicking on a box on their screen). The respondent relied, on the other hand, upon oral consent obtained by its technicians, pursuant to undocumented protocols, such that it was unable to demonstrate that technicians actually obtained such consent.
In light of the above, in our view, the respondent did not implement appropriate safeguards commensurate to the sensitivity of the information at risk, in contravention of Principle 4.7, 4.7.1 and 4.7.3 of Schedule 1 of PIPEDA.

Change in corporate structure and practices

During the course of our investigation, the respondent informed us that it had changed its corporate structure and operations, and ceased offering personal help desk services.
The respondent split into two separate companies: the renamed respondent and Company A [OPC: name of company redacted] The two companies are now separate legal entities and have no cross-ownership.^{Footnote 8}
The renamed respondent relocated to another city. It remains a vendor of laptops, desktops and accessories, principally through online channels such as the electronics retailer’s website. However, the respondent no longer provides managed IT services. As a result, the respondent ceased its subscription to the remote access software and web portal, and no longer employs any of the technicians or support staff who provided services via that software.
The new company, Company A, operates the website [OPC: website name and link redacted] and provides a range of managed IT services. However, such services are now provided exclusively to small businesses.

Conclusion

Given that the respondent has restructured and no longer operates a personal help desk service as described above, or uses remote access software on customer laptops, we find this matter to be well-founded and resolved.
Should the respondent decide to provide such a service again in the future, we would expect it to implement measures to be able to demonstrate that users are aware of, and consent to remote access. This could be accomplished, for example, through a mechanism that: (i) requires real-time intervention of the computer user, on their device (e.g., by clicking on a consent box and/or entering a code); and (ii) allows the user to end the remote access, unilaterally at any time (e.g., by clicking on a box on their screen).

Footnotes

Footnote 1

See the “Change in corporate structure and practices” section of this report for further information.

Return to footnote 1

Footnote 2

[OPC: link to retail website redacted]

Return to footnote 2

Footnote 3

SolarWinds Remote Monitoring and Management remote access software

Return to footnote 3

Footnote 4

For example, by asking the complainant to click on an “accept” button in a pop-up window, granting the technician remote access rights to his laptop.

Return to footnote 4

Footnote 5

Principle 4.3.4 provides, in part, that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Principle 4.3.6 further states, in part, that an organization should generally seek express consent when the information is likely to be considered sensitive.

Return to footnote 5

Footnote 6

Principle 4.3.2 requires both knowledge and consent. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Subsection 6.1 of PIPEDA adds that the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting

Return to footnote 6

Footnote 7

In particular, we note that to facilitate remote connection via Quick Assist, the “sharer” must input, in a dialog box displayed on their screen, a one-off time-limited six-digit code generated by Microsoft. Then, the sharer receives a dialog box asking for permission to show the helper their screen or allow access. The sharer gives permission by selecting an “Allow” button. In addition, the sharer can terminate the remote connection unilaterally at any time, by clicking an “x” on the screen: Use Quick Assist to help users and Get help remotely with Quick Assist in Windows 10.

Return to footnote 7

Footnote 8

The respondent confirmed in writing that there were no common directors, shareholdings, funding, operations or staff between the two companies.

Return to footnote 8

Date modified:: 2021-12-09

Language selection

Search and menus

Search