Consumer Rights Wiki

Verizon demo phone MDM data wipe: Difference between revisions

Newer edit →
VisualWikitext
fixed the references so citations display; added source screenshots
Tag: Recreated
 
No edit summary
Tags: Reverted Mobile edit Mobile web edit Visual edit
Line 14: Line 14:
}}
}}


In February 2026, Verizon sent longtime customer Tom Collery a replacement Samsung Galaxy Z Flip7 that was an unwiped store demonstration unit still enrolled in Verizon's mobile device management (MDM) system.<ref name="ars">{{Cite web |last=Brodkin |first=Jon |title=Verizon sent man a refurbished phone with MDM, then deleted his data remotely |work=Ars Technica |date=2026-06-12 |url=https://arstechnica.com/tech-policy/2026/06/verizon-sent-man-a-refurbished-phone-with-mdm-then-deleted-his-data-remotely/ |access-date=2026-06-13}}</ref> About two weeks later the phone reset itself remotely, erasing everything Collery had moved onto it, including contacts, messages, photos, documents, healthcare information he used for work, & the last video he had of his grandmother before she died.<ref name="ars" /> When he asked Verizon what the management software had recorded & which account issued the command to wipe his device, an executive-relations representative told him the company would require a legal order before disclosing any details.<ref name="ars" /> Verizon gave him a $400 credit, sent a second refurbished phone without the management profile, & told the [[Federal Communications Commission]] it considered the case resolved.<ref name="ars" />
everyone is overreacting to this


== Background ==
==Background==


Collery, who lives in San Francisco & works in healthcare, says he had been a [[Verizon]] customer for 22 years.<ref name="ars" /> In February 2026 he called the carrier about network problems including dropped calls, & Verizon shipped him a replacement for his phone, a [[Samsung]] Galaxy Z Flip7.<ref name="ars" /> Instead of a new device or a properly reset refurbished one, the phone he received was a store demo unit that had not been wiped before shipping. It carried the same kind of software that company IT departments use to monitor & control phones issued to employees.<ref name="ars" />
Collery, who lives in San Francisco & works in healthcare, says he had been a [[Verizon]] customer for 22 years.<ref name="ars">{{Cite web |last=Brodkin |first=Jon |date=2026-06-12 |title=Verizon sent man a refurbished phone with MDM, then deleted his data remotely |url=https://arstechnica.com/tech-policy/2026/06/verizon-sent-man-a-refurbished-phone-with-mdm-then-deleted-his-data-remotely/ |access-date=2026-06-13 |work=Ars Technica}}</ref> In February 2026 he called the carrier about network problems including dropped calls, & Verizon shipped him a replacement for his phone, a [[Samsung]] Galaxy Z Flip7.<ref name="ars" /> Instead of a new device or a properly reset refurbished one, the phone he received was a store demo unit that had not been wiped before shipping. It carried the same kind of software that company IT departments use to monitor & control phones issued to employees.<ref name="ars" />


After the device later reset, on-screen messages made its status explicit. One read ''This device is managed. Property of Verizon has configured this device to be fully managed.'' Others said ''Device owned by Verizon'' & ''Protected with BricTECH.''<ref name="ars" /> BricTECH is a retail security & device-management product made by Sennco Solutions, an InVue company; Sennco markets it for managing company-owned devices & securing store display phones, & states that it supports Android.<ref name="sennco-brictech">{{Cite web |title=BricTECH |work=Sennco Solutions |url=https://sennco.com/product/brictech/ |access-date=2026-06-13}}</ref> Sennco's privacy policy for the BricTECH retail app describes an automatic reset routine for demonstration devices:
After the device later reset, on-screen messages made its status explicit. One read ''This device is managed. Property of Verizon has configured this device to be fully managed.'' Others said ''Device owned by Verizon'' & ''Protected with BricTECH.''<ref name="ars" /> BricTECH is a retail security & device-management product made by Sennco Solutions, an InVue company; Sennco markets it for managing company-owned devices & securing store display phones, & states that it supports Android.<ref name="sennco-brictech">{{Cite web |title=BricTECH |work=Sennco Solutions |url=https://sennco.com/product/brictech/ |access-date=2026-06-13}}</ref> Sennco's privacy policy for the BricTECH retail app describes an automatic reset routine for demonstration devices:
Line 32: Line 32:
[[File:Verizon-mdm-android-management-deprovision-wipe.png|thumb|center|upright=2.4|Google's Android Management API documents that the WIPE command triggers a factory reset on a company-owned device.]]
[[File:Verizon-mdm-android-management-deprovision-wipe.png|thumb|center|upright=2.4|Google's Android Management API documents that the WIPE command triggers a factory reset on a company-owned device.]]


== Remote factory reset & data loss ==
==Remote factory reset & data loss==


The demo unit did not fix Collery's network problems, but it worked at first. He transferred his data to it & returned his original phone.<ref name="ars" /> After about ten days the phone began repeatedly installing security updates & restarting, & within a few more days it restarted as though it had been factory reset.<ref name="ars" /> Collery could no longer sign in to his Google or Samsung accounts; the device told him he did not have permission & to contact his IT administrator.<ref name="ars" />
The demo unit did not fix Collery's network problems, but it worked at first. He transferred his data to it & returned his original phone.<ref name="ars" /> After about ten days the phone began repeatedly installing security updates & restarting, & within a few more days it restarted as though it had been factory reset.<ref name="ars" /> Collery could no longer sign in to his Google or Samsung accounts; the device told him he did not have permission & to contact his IT administrator.<ref name="ars" />
Line 41: Line 41:
Cooper Quintin, a security researcher & senior technologist at the Electronic Frontier Foundation, told Ars Technica that the restarts & reset were consistent with Verizon pushing instructions to a group of managed devices at once. He said that with a fleet of demo phones under MDM, ''you're just sending instructions to all the phones,'' & that if Verizon wipes demo units on a schedule, the timing may have been the policy taking effect.<ref name="ars" /> Verizon advised Collery to take the phone to a uBreakiFix store, but a technician there could not recover any data because of the management profile.<ref name="ars" />
Cooper Quintin, a security researcher & senior technologist at the Electronic Frontier Foundation, told Ars Technica that the restarts & reset were consistent with Verizon pushing instructions to a group of managed devices at once. He said that with a fleet of demo phones under MDM, ''you're just sending instructions to all the phones,'' & that if Verizon wipes demo units on a schedule, the timing may have been the policy taking effect.<ref name="ars" /> Verizon advised Collery to take the phone to a uBreakiFix store, but a technician there could not recover any data because of the management profile.<ref name="ars" />


== Verizon's response ==
==Verizon's response==


=== Letter to the FCC ===
===Letter to the FCC===


After Collery complained to the FCC, Verizon's executive relations department sent the agency a letter dated April 2, 2026, which he shared with Ars Technica. The letter acknowledged the mistake:
After Collery complained to the FCC, Verizon's executive relations department sent the agency a letter dated April 2, 2026, which he shared with Ars Technica. The letter acknowledged the mistake:
Line 51: Line 51:
<blockquote>''The Executive Office has advised that all Certified devices originate directly from the manufacturer and are designed to meet stringent quality assurance standards.''</blockquote><ref name="ars" /> The letter said Collery had received compensation exceeding $400 before he filed the complaint, that no further credits would be issued, & that the executive office ''considers this case as resolved.''<ref name="ars" /> Verizon's only statement to Ars Technica, in the seven weeks after it was contacted, was that it was ''aware of this customer's concern'' & working to address it.<ref name="ars" /> The carrier did not say who handles its phone refurbishment or how the management profile survived its inspection process.<ref name="ars" />
<blockquote>''The Executive Office has advised that all Certified devices originate directly from the manufacturer and are designed to meet stringent quality assurance standards.''</blockquote><ref name="ars" /> The letter said Collery had received compensation exceeding $400 before he filed the complaint, that no further credits would be issued, & that the executive office ''considers this case as resolved.''<ref name="ars" /> Verizon's only statement to Ars Technica, in the seven weeks after it was contacted, was that it was ''aware of this customer's concern'' & working to address it.<ref name="ars" /> The carrier did not say who handles its phone refurbishment or how the management profile survived its inspection process.<ref name="ars" />


=== Refusal to disclose MDM records ===
===Refusal to disclose MDM records===


Collery asked Verizon for records of what personal information the MDM software had recorded & what commands had been sent to the device. A Verizon executive-relations representative answered by email on May 12, 2026:
Collery asked Verizon for records of what personal information the MDM software had recorded & what commands had been sent to the device. A Verizon executive-relations representative answered by email on May 12, 2026:
Line 63: Line 63:
</gallery>
</gallery>


== Consumer response ==
==Consumer response==


Verizon offered to waive Collery's remaining device payments to end the dispute, & a representative asked whether that would be enough for him to walk away.<ref name="ars" /> He declined. He sent Verizon a formal request for his data under the CCPA, submitted a notice of dispute as a prerequisite to arbitration, & said he was weighing a small-claims case, telling Verizon it was hard to negotiate while the company refused to confirm what information had left his device or who ordered it deleted.<ref name="ars" /> The network problems that started the dispute were never fixed. ''My service is still abysmal,'' Collery said. ''I can't even get a GPS signal in front of my building.''<ref name="ars" />
Verizon offered to waive Collery's remaining device payments to end the dispute, & a representative asked whether that would be enough for him to walk away.<ref name="ars" /> He declined. He sent Verizon a formal request for his data under the CCPA, submitted a notice of dispute as a prerequisite to arbitration, & said he was weighing a small-claims case, telling Verizon it was hard to negotiate while the company refused to confirm what information had left his device or who ordered it deleted.<ref name="ars" /> The network problems that started the dispute were never fixed. ''My service is still abysmal,'' Collery said. ''I can't even get a GPS signal in front of my building.''<ref name="ars" />


== See also ==
==See also==
* [[Right to Repair]]
*[[Right to Repair]]


== References ==
==References==
{{reflist}}
{{reflist}}


[[Category:Verizon]]
[[Category:Verizon]]
[[Category:Privacy]]
[[Category:Privacy]]
Retrieved from "https://consumerrights.wiki/w/Verizon_demo_phone_MDM_data_wipe"