About a month ago my wife broke her pixel phone. It couldn't be turned on so we couldn't wipe it.
We contacted Google and used the device care to get an RMA.
Today someone posted nude pictures of my wife and I to her social media accounts. They accessed her Google account and tried to lock us out. They used her PayPal to send someone $5 (a test probably).
How could this happen? Well Facebook and Instagram show logins from Texas. The old phone still showed on our find my phone app and it was in Texas. Guess where we sent the phone for RMA? The last ping from the old phone (which was today) was the same as the place we shipped it. The exact location down to the very building. Clearly they fixed the old phone and since it wasn't wiped, was still logged into her Google account.
I called Google and they basically said "woah that's fucked up we'll get back to you". We filed a police report but I don't expect they will do anything.
What are my options here for suing Google? I know that sounds insane but this breach of trust and privacy is egregious. Hundreds of people have now seen my penis including our friends' kids. It's really fucked up.
Any advice on what to do here?
My big question is whether this phone is password enabled. Also, this stinks because I know the first comment is "well do a factory reset" but if the phone doesn't turn on, etc. then I don't believe that is possible (short of possibly ADP which is out of the reach of 99% of people)
As someone on Twitter replied to a similar comment [0]: "Phones are cheap, just buy another" WOW the privilege.
[0] https://mobile.twitter.com/mojonojo3/status/1467453133538611...
https://support.google.com/pixelphone/gethelp
(In French and probably most other languages.
If the phone doesn't turn on you can still queue up a wipe from Find My Device which would've prevented this.
And no, it was clearly not "password enabled".
That's assuming that a competent technician couldn't disable that feature. For example, it's hard to ensure that some software issue (eg: software/hardware interaction) has been resolved if you just wipe the device!
I read all the comments before it was deleted. In one of the replies the OP stated the phone had a smashed screen and would not turn on*, but had no screen lock/password
*his words not mine, it is unclear if he knew the distinction between zero display output and not turning on
Everyone made assumptions that the process for developing photos was anonymous and private - you dropped off a canister, and picked up photos and negatives in a clean, sealed envelope a few days later.
How wrong we were.
The process was semi-automated using these gargantuan machines in a back room, but the staff usually looked at each frame as it went through the process. They made extra copies of spicy ones which went straight into a special binder kept on a nearby shelf. This shop had two or three of these binders.
Some years later I was in another country and photographed violent demonstrations right outside the hostel where I was staying. When I went to pick up the photos, the staff made it clear that they had seen the images. They were supportive (they wanted to get the word out internationally) but what if copies had been sent to the local intelligence services instead?
Nowadays the tech is different, but when there are no barriers to viewing private information, we see similar types of behavior.
And it was an utter shock. Not only the fact that the photo shop employees had a window into our private lives and were saving copies for future reference, but what other people's private lives were like. "Spicy" ran the gamut from wife nudes to borderline Blue Velvet.
It was one of those 10-minute experiences that totally shifts one's understanding of the world.
Keeping a spank bank isn't permitted but you should never assume your film will be private if it's being processed by a lab.
[0] Code Warriors, Stephen Budiansky (https://www.penguinrandomhouse.com/books/236807/code-warrior...).
Certainly not state secrets. But they do need to know trade secrets. For example: exact (official) replacement products, procedures, and documentation steps in order to ensure the device doesn't show up as "this is fraudulent or pirated or hacked or modified or whatever the fuck the copyright overlords demand can't be done".
I wish phones could boot into some kind of field tech/diagnostics mode where all aspects of hardware could be tested as thoroughly as needed. Maybe there exists one and I’m just ignorant?
If the phone didn't even turn on enough to go into some DFU mode, I guess I'd be just as fucked.
Just had an idea to get a burner phone, fill it with my own nudes and give it to repair. Let the perverts have nightmares for a while.
That says it all. You can't expect them to try 24/7 until they get a confirmation. In addition, I doubt that they would have included the SIM card in the RMA, which means that the device would not be online through mobile, and there's no reason for the repair shop to connect the device to the WiFi as the first step, so that any erase-request can come through.
You either trust the RMA process or you burn your phone.
But since the old phone was still on OP's "Find My Phone" account, and was successfully pinging the service, clearly it had been connected to WiFi, so a queued remote wipe should have worked.
Sure, this won't catch all cases, but if you are unable to factory-reset a broken phone before sending it in, it would be useful to instruct the customer to queue a wipe online instead. Not perfect, but better than nothing.
Though, this apparently didn't save Apple in at least one recent case: https://www.theverge.com/2021/6/7/22522560/apple-repair-mult...
I can't imagine it would. It isn't a contract, just a best practices guide. Apple and Google are still ultimately responsible for what their employees do on the job.
I'd assume it can be done on some device id basis, so 1) Check in phone 2) Initiate wipe 3) put in service tech queue
After that life lesson, I always made sure to have a VeraCrypt partition for this stuff. But a separate, offline device is better of course.
Unable to help me with my problem at first (we eventually figured it out), they felt they hit a dead end and said: "ok, just send us your wallet.dat, we'll fix it".
I know those guys were the real deal. I knew they would not try to steal the money I had on this wallet, because it was so little it was not even worth the time.
Yet, the fact they asked that proves how much support can badly educate their users.
Of course, I didn't send my wallet, and found another solution since I'm tech savvy. But still...
I just used VeraCrypt instead.
I am always worried someone will fix and misuse my old phone.
Both iPhones and Android will HEAVILY complain in your setup process if you refuse to secure them with a PIN or a password.
- Queue up a wipe remotely which will take place as soon as the phone is turned on.
- keep it but mind the battery as it can expand over time
- fix it to the point where you can access then properly wipe the storage with given options on the OS
- if you're ultra paranoid, find software that'll write over the storage, like DBAN (I don't have any in mind right now) but if you're already here you might as well destroy the storage physically (see below)
- look into tear down instructions and find where the storage is. Remove and destroy the storage.
Once in fastboot mode, you can connect to pc or another android device to boot to recovery and factory reset/wipe data. It won't be any three letter agency safe, but most data should be lost for any common tech person.
https://developer.android.com/studio/command-line/adb
My phone has a button combination to hold when powering on to get into a recovery mode, then you can wipe it with adb.
And wipe commands that one can send to flash memory chips are sometimes broken too (they might be implemented as no-ops).
Edit: Also, even if you tell it to write zeros everywhere, it might not delete the content, because there is hidden extra memory on flash memory chips.
If you're worried about a state removing the flash chips to recover data from dead/used cells, you don't send your phone in for repair. You secure the data with a drill before disposing of it. That clearly wasn't the owner's concern. They wanted a method for securing the device, but couldn't due to the screen. This is in no way the owner's fault. I can't say I blame them wanting to have a working phone and not a very expensive paper weight.
A better method for securely erasing data from a phone before service is in everyone's best interests. The customer's data isn't at risk, the manufacturer has significantly reduced liability, and the vendor doing the work doesn't have to worry about employees doing something stupid like this and risking their contract with Google. You really just have to make the process of getting the data off the phone slightly more difficult to avoid casual theft (infringement? -- I don't know the right word here).
I usually terminate truly obsolete gadgets that could still contain recoverable login information etc. by physically destroying the motherboard, e.g. by drilling into it or prying off the flash chip. But for non-removable battery types that's iffy; what if you short out the battery and cause it to catch fire? I've just recently found a usable charge in a 2012 vintage LiPo battery that came with a robot kit that hadn't been built in all those years.
1. Remove phone case.
2. Desolder eMMC chip after looking up which one it is online.
3. Put eMMC in old coffee grinder, grind away.
4. Buy new phone.
From a thread about a similar incident on Twitter: https://mobile.twitter.com/mojonojo3/status/1467453133538611...
Can't just tell people 'do not put nudes on your phone' because while it's good advice, it misses the point.
And, of course, whoever does something like this should be strung up by their toenails in the public square.
If that were possible, the FBI would shut it down.
We need to punish the evil behavior. Like you said in your last sentence.
We do punish the evil behavior. And yet this still allegedly occurred. So perhaps the solution is making sure the evil behavior isn't possible in the first place? Just maybe?
I personally didn't reset it when I sent my Pixel 3 to fix the charging port because my Pixel was fully encrypted.
All Pixels are encrypted by default as long as you have any kind of lock method enabled (PIN, password, shape...).
I don't really understand how this person got his files in cleartext and accessible.
> About a month ago my wife broke her pixel phone. It couldn't be turned on so
> we couldn't wipe it. We contacted Google and used the device care to get an RMA.

Edit: I mean how did they bypass the lock screen?
No lock method?
That said, I’m wondering if Google didn’t farm out their repair work to a 3rd party, leading to this situation.
They almost certainly did, since a large portion of Google's offices are staffed by contractors as well. There is no way they're paying Google salaries and benefits to the guys handling RMA phones.
And that's part of the problem. You send the phone to Google, a company you (very mistakenly) trust, and they immediately hand it over to a lowest bidder shady shop. These services should definitely be letting you know your phone is actually going to AAABob's Phone Repair Shop, and not some magical Google factory center.
I have done the same with old or failed hard drives for decades.
The difference being, I didn't want these devices back. I never intended to use them again. This person obviously wanted an unbootable phone fixed, and the repair drones 'had fun with it'. Someone (Google) is going to have to pay damages, and also chase down and take down copies of those photos forever. What a mess.
I had a friend that worked at an independent film/photo processor back in the early 1970s. The walls in the process area were papered with printed nudes. Floor to ceiling. Of course, in the pre-digital era, those illicit copies never saw wide distribution, but they were there.
Someone can be less than perfect and that can cause them to be victimized.
We should be able to talk about both aspects of this story, perhaps independently.
Some people want to discuss how the offender should be punished, and other people want to discuss how we can behave to prevent being victimized ourselves.
I don't think it's valid to argue that people discussing how to prevent victimization, are somehow "victim blaming".
"They deserved it for sending in an unwiped phone" is victim blaming.
"If you need to send in your phone, you can do X and Y to protect yourself" is absolutely NOT victim blaming.
I cannot wrap my mind around why people would have a problem with the second statement.
Weird also, that talking about preventative measures is only considered "victim blaming" when it comes to certain specific topics. If you say it's a good idea to wear a seat belt or helmet in your car or motorcycle, it's not victim blaming. If you say people ought to lock their doors at night, it's not victim blaming. We tell our kids not to get into strangers' cars--not victim blaming. What is it about this topic that always seems to set off the alarms?
I used to really over-share online, and reading stories like these over the years has helped a great deal to educate me about good online OpSec and privacy best practices. I have data sharing/storage habits to this very day that stem from good advice received from others.
Or more precisely, in written words. And we don't seem to have a decent solution.
But it's a fundamentally bad way to approach analyzing safety issues. For those who really want to dig in on the topic, I strongly recommend Dekker's "A Field Guide to Understanding 'Human Error'": https://www.amazon.com/gp/product/B00Q8XCSFI/ref=dbs_a_def_r...
It's nominally about examining airplane crashes. But he breaks down into great detail why the default analytical model is entirely inappropriate in ways that makes real safety improvement impossible. And it's the same set of analytical mistakes you see in a lot of blame-related behavior.
We can design devices and operating systems to be safe by default in the same way we are now designing programming languages to be safe by default. There's no reason why the data should have been recoverable from a bricked phone without the user's authentication.
We really can have our cake and eat it too - we can have devices that you can freely store nudes on without risking that some rando with a USB cord and physical access can just make off with the data, bricked device or otherwise!
Yes, non-smokers can get lung cancer, too. But at a far lower frequency.
While, ironically, simultaneously demonstrating the opposite.
I don't take nudes but I tend to use my phone as an impromptu photocopier for stuff like bills and receipts, so the photos are full of private info such as account numbers. I worry about that sometimes. For photos that have to be treated with real security (typically the screen of recovery codes when enrolling a 2FA token), I use my old dedicated digital camera which has an SD card, no network connection, and never leaves my bedroom.
Most folks are just going to take nudes and not strategize much and expect them to remain private as part of the typical photo taking and sharing workflow.
As an older person, I find this observation very interesting.
Today, I would consider people in general to be much more technically knowledgeable compared to people 20+ years ago. And yet, 20 years ago, removable storage was quite common, and probably expected of most devices.
What's so tech about removing a physical piece that has data? It's an action pretty much everyone can understand intuitively - "this is where your pictures are, if you remove it they stay yours".
But (short) pin probably isn't enough, because that means the key is still on the phone.. I'd want an extra password.
What we need, to fix this, is to enforce felony charges against the kind of fuckers who do this, and put them in prison for 20 years, and stop victim-blaming, and stop the insane medieval attitudes about nudity, and slap every single fucking person who espouses this kind of bullshit upside the head, daily, every single day, until society is finally purged of their bullshit, and we don't need anything. fucking. else.
This isn't a product design issue. It's a punish evil people issue.
Laws discourage certain behaviours. It doesn't stop them.
Regarding victim blaming, obviously this person isn't to blame, but it seems that even suggestions to be cautious are seen as "victim blaming".
When you tell a kid to look to both sides when crossing the road even if it's green, you're not blaming them for a possible accident. It's just that sometimes people ignore traffic lights. And when you tell someone not to give their pin or send a device with sensitive content for repair, you're not blaming them. You're just telling them to be careful because sometimes stuff like this happens.
One, the correlation between "do a crime" and "do the time" is quite low. Look at the stats for sexual assault (0.25%), robbery (0.2%), and assault and battery (0.3%): https://www.rainn.org/statistics/criminal-justice-system
Even for murder, the US's clearance rate is only about half.
But even if the correlation were somehow perfect, it still wouldn't eliminate it. People just have a hard time believing in the consequences of actions until they experience them. I couldn't count the number of times I've gone through the "ooh fire pretty" -> "ow fire hot" loop in various ways.
So this is a thing where we need defense in depth. We need solutions in criminal law and civil law and provider regulation and product design and user education and culture shifting. Each one of those will be fallible, but each one will bring the rate down. With enough work we can at least make the bad outcomes rare.
It is both. A secure design would not allow this to happen. But when it does, the perpetrator should be punished severely.
It's fairly simple to use, and if you sometime give your phone to other people / kids / etc ... It quickly becomes absolutely necessary.
Need to remember to use the "secure folder" camera though, if you merely take the pic THEN move to secure folder, while it's super quick and easy it's usually too late as google photos, dropbox, whatever else will already have duped it.
Pixel with the latest Android should have that ("Move to Locked Folder" [1]), though as with all security things it is annoying to use in a lot of ways. Doesn't work for SMS images or Whatsapp (Signal is much nicer on this front, but images on Signal get lost if a phone is bricked - the account backup/transfer method sucks a bit).
[1] - https://support.google.com/photos/answer/10694388?hl=en
Nothing nefarious. I'm just not very trusting with my data, and not going to just hand it over like that.
And if it's damaged a reset or wipe may be impossible for the end user.
I hear you, and agree wholeheartedly that there is "absolutely nothing wrong with this", but maybe if the topic keeps coming up, people should have less trust in the companies (and their respective flawed human supply chains) that keep our information.... and act accordingly. Unfortunately that's easier said than done these days.
If you had highly sensitive info of a non-sexual nature on Google Drive that was going to have a massive negative impact on your life if it got leaked, half of this site would still be saying "that's awful, but you can't trust Google" if that happened.
No, you would hear the exact same thing. My sensitive data on the cloud is all encrypted. Have you ever seen anyone suggesting to do backup on any cloud platform in any other way than encrypted? That's because the data is sensitive and you can't trust whoever stores it for you.
> Why do we tend to treat people like they’re asking for it when their nudes get compromised?
We do that over anything that is sensitive. It's just that nowadays, people no longer consider much of their things sensitive... except nudity.
I agree entirely that we should be able to trust companies and I agree completely that the biggest issue is on them, but the thing is, we will never be able to trust them fully, there's just too much to handle. I'm not saying not to push the responsibility on them, for sure we need to do that or it's gonna be even worse, but we also need to remind people to consider their data security and how they handle it. Both are essential if we want to lower the number of instances of these happenings.
I'm curious: if I upload a nude picture to my Google Drive with the password "potato", and then my picture is published by someone who guessed my password, wouldn't you suggest a stronger password? Still a victim, but still good to suggest ways to avoid it in the future.
Because nudity is akin to sex and sexual ways, which are taboo in many societies. Upstanding citizens do not have nudes, in general. Especially women or nudes hinting at same-sex romance.
It isn't right, but it is.
Edit: I'm not saying I agree with this. But it doesn't take much to see folks putting others down for nudity. YMMV depending on where you live in the US. There is a reason most politicians (in the US) wouldn't get caught with nudes and I'm guessing that in some areas of the world, it would be even more detrimental to your life. It is the same line of thinking that punishes women for being "sluts" but are OK with men having a series of one night stands.
Unfortunately with snooping, we have little to no such protection, in which to many (in US) is a major erosion of constitutional rights.
Sure, it's lurid in this case because it was nudes, but this could have just as easily been identity theft or something more mundane but equally wrong for Google to access.
No, this is what we have laws for. What Google did is wrong and if the person responsible cannot be criminally prosecuted, we should seek legislative changes to enable prosecution in cases like this in the future. This is not merely a matter of individuals trusting Google too much. The individuals don't have much choice; that's where the law can step in.
Say I have a bedside table that needs repairs. I send it to a carpenter. If I am fool enough to leave my nude photos in the drawer then I should fully expect the carpenter to have seen them. I'm the fool, he's innocent.
If, however, he takes those photos and sends them to a tabloid, now he's the asshole.
Or in the phone case: if the phone/screen dies, how can you do anything with it before sending to repair?
Might seem weird, but if you explain to the person doing the work that you have sensitive data on the device they'd probably understand the precautions.
The world contains bad actors, and we should be having conversations about what are the reasonable steps people should take to protect themselves. The fact that this happened, and that it could easily happen again, suggests that we should take additional care with sensitive data on our phones. Maybe an app for encrypting sensitive photos and that requires a password to access?
Yes, people should feel safe in their tech. People should also feel safe in their homes, but most everyone still have locks, and many people additional layers of security.
I can never tell whether I'm paranoid, or worried for good reasons, but cases like these + mass leaks which happen occasionally are basically the reason why I don't have this secure feeling at all for anything which isn't on an offline device which is in my hands or device-side encrypted then put online (but to a lesser extent). And I'm afraid nothing is ever going to be able to fix that feeling anymore, it just seems too late for that, and I feel like people who do feel secure lost touch with reality somewhat.
On devices I trust less, like my android phone, I feel better than default (but not perfectly comfortable) about open source encryption software and the stuff stored there.
Still shouldn't have to feel that way.
This also brings an important aspect of repairability, I've been paying for extended warranty and discount on battery replacement for years to an android manufacturer and when the time arrived(during lockdown) they wanted my device sent to the repair-center as there was no policy to send the parts to the consumer's place.
Although I don't believe for a moment that Apple is pro-repair now, I hope them sending parts directly to the consumer would be followed by android manufacturers as well.
Unless I missed something, I believe that you currently have the only top-level comment to mention victim blaming. There's one other, but it's dead, which means the HN "immune system" (as dang calls it) worked.
You're not wrong, but for future reference, there is a way to stop such a reboot loop; I did it just yesterday with my wife's phone. (Of course, it was a Pixel, so it might not be on every phone.) You do it by holding power and down volume until it says "Command not found", then you hold power and volume up until you get a menu. One of the items should be "Power off". Another one is "Factory reset" or something like it.
Once my wife's phone was off, I left it off for a couple of hours to let it cool. Then I booted it again, and all was well.
We're still getting her a new phone though.
I don't like seeing "don't victim blame" taken as gospel. Blame isn't a simple binary thing. Every time a company is hacked we don't line up to defend their shoddy security practices even though they are a victim.
Resorting to “do not do X if you don’t want Y to happen” is a cop out and demonstrates a fundamental failure of technology doing what it says on the box.
They don't say that when it's not encrypted it will remain secure.
Nudes are very rarely encrypted.
Even HN won't let you delete your personal comments.
Gah, what a sad, terrible world we have built.
Look, face it, actions have consequences.
My money is on nope, however.
When I have done this in the past, we did it the old fashioned way -- took the pics with a non-connected digital camera, printed the ones we liked, then kept the rest on an encrypted USB drive. Even this has the risk of leaking your photos to the cloud if your computer is set up for cloud backup.
Being able to trust your hardware/software is important, but also knowing why you can't (for now, maybe not ever) trust your hardware is also important - maybe more important.
It doesn't have to be "wrong" for it to be stupid, and trusting your private life to a device you literally do not own is. This isn't victim blaming, this is recognizing the fallacious logic that most people have when approaching this subject. Call it tech illiteracy if you want to be nice, but I'll just call it "dumb".
They are dumb, precisely because the risk is unquantifiable to them until realized, then it's too late to act.
And unfortunately, a lot of people in society don't expect this type of intrusion by a company they trust. But they should. And I don't think you can blame Google for any of this.
Irrelevant
However, most people wouldn't knowingly leave nude images of their spouse on the car's back seat when getting the car serviced. In many ways this is similar.
Edit: For people who think I'm blaming the victim, I am not. I thought that was clear, since I blamed the thief/poster of the photos! This is in many ways similar to leaving photos in a car. That is not to say that the person with the phone is at fault, but that this also happens in many other cases. If this happened to me (which it has), I'd do something else instead of sending my phone for repair by an unknown person.
I love car analogies (who doesn't), I think this is more like your car being on fire and asking a firefighter to put it out, while hoping they won't find and share any documents they find in the back seat.
Now, I don't store nudes on my phone. That said, it was recently suggested to me, here on HN, to use a scanner app in lieu of a flatbed scanner for all my scanning needs (primarily documents around tax time). Not so sure that's a good idea versus this.
Granted, this may be the best reason I've heard yet for why removing the option to have an SD card is bad...
I think you are asking the wrong question. It's more useful to ask how to initially safeguard the pictures instead of how to remove them after something broke. If the pictures were encrypted, then it doesn't matter who has possession of the phone.
https://www.reveddit.com/v/legaladvice/comments/r632w5/sent_...
I had to send the computer across the country for corporate IT to wipe it before getting it serviced, for a battery replacement..
This is one of the big reasons why.
Apple repair nude will get you there
If your "friend" refuses to log out and re-reset it then the correct thing to do here is to report it to your homeowners insurance. Your friend basically stole your phone. Insurance should pay for it and then they can go after your friend to get their money back.
It is good fodder for a security discussion, though. The merits will have to be decided in a court of law.
There's a few things that make this pretty unlikely. Google doesn't triage or repair the phones themselves, they contract it out just like everyone else. And the people they contract it out to almost certainly have procedures in place which are meant to ensure that neither the devices themselves nor the data on them get out.
I'm not saying it's false, but I would definitely take it with a grain of salt.
That said, before you send any devices in for repair, you should wipe them to the best of your ability. Also, you should set a secure password (PIN, pattern, etc) - even if you set your device to not lock, you can encrypt/require password on startup, which would prevent the repairperson from seeing the photos much less posting them.
T-Mobile for example had a major device theft issue with their mailed in device place for the upgrade program they used to run. No surprise, the process was to unlock phone, turn off Find My iPhone and send in the phone WITHOUT TRACKING to this random low bidder.
This was early in program, you couldn't turn device in at store (I tried). So I filmed myself mailing the device, because without a tracking number on the pre-printed label and an unlocked phone - 100% for sure these were getting jacked along the way.
If you use a brain dead process like this, you have to be bulletproof every step (mail pickup, sort, deliver, warehouse workers handing $1K+ devices etc).
Of course, the phone was reported as never having been received. Tired of the runaround and with the video I had I simply said, fair enough, I will pursue this legally and part of that is going to be asking how many complaints you've received like mine (phone reported not turned in). Bamm, 2 days later I had my money.
Thankfully they then let you turn in at a store and I think started sticking at least tracking numbers on things so they'd have SOME sense of what was supposed to be coming in.
I never said it wasn't possible. But getting the lynching party out is a bit premature. Just because someone says something on the Internet does not make it true. Bet y'all still think Trump is still gonna magically become president and kill the elite pedophile cannibal cabal, huh?
Never said the processes they have in place were perfect. But being smart enough to exploit a hole in the process, and dumb enough to then make illegal posts on social media with location and all - are kinda at odds with each other.
Until you can show me any evidence that this case is real - which, of course, you can't for the next ~years because the only place that evidence should show up is in court - you can take your "False." and stick it somewhere.
I think your impression of what phone repair places are like may not match reality. The industry is far more ad-hoc and margin chasing than the rows of immaculate benches staffed by well paid professionals in a brightly lit facility like they might show in a brochure.
[0] https://www.theverge.com/2021/6/7/22522560/apple-repair-mult...
Snowden and Manning smuggled out top secret information; it seems a bit much to assume that the low bidder on a phone repair contract has leak-proof security.
1. Use a password and encryption.
2. If you can still turn on the device, wipe it before you send it off for an RMA.
3. If you can't access the device, log in to your account online and remove access to it. You should do this even after you wipe it.
4. Save everything sensitive on removable storage medium by default.
Also the photos were in the google account so none of this advice would have mattered anyway aside from the advice #4 about not doing it, which is moot. They and many people probably auto backup all photos on the device to the google account. Not sure if there is a way to distinguish which photos are too sensitive for online backup with that service.