A transcription program that Microsoft used to vet audio from its Skype and Cortana services allegedly operated for years with no security measures.
A former contractor is making the claim, saying that he listened in on thousands of recordings from his personal laptop in Beijing.
If true, the news highlights a major privacy violation at one of the biggest tech companies in the world. Here’s exactly what we know about the situation, and how Microsoft is responding.
Former Microsoft Contractor Speaks Out
The whistle-blowing contractor worked in the position for two years, initially coming into an office but eventually working from home, where he used his personal laptop over the Chinese internet.
According to the former contractor, he and other Microsoft workers just used a web app and Google’s Chrome browser to access the audio, with no additional layers of protection.
In addition to this lack of security, the employees themselves were barely vetted, the contractor said.
“There were no security measures, I don’t even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details,” he told the Guardian, which broke the story.
On top of this, workers were instructed to use the same password across multiple new Microsoft accounts for ease of management, the contractor alleged, meaning that the login information could potentially have been shared and accessible to anyone.
“Living in China, working in China, you’re already compromised with nearly everything,” the contractor said. “I never really thought about it.”
Skype and Cortana Records Compromised
The data accessed included both intentional and accidental activations of Microsoft’s voice assistant Cortana, as well as some Skype call audio. The contractor, who is British, was assigned British English recordings to vet. In some cases, the audio was from sensitive conversations.
“I heard all kinds of unusual conversations, including what could have been domestic violence,” the contractor stated.
As Vice reported last August, these audio transcriptions are likely to come as a surprise to users of Skype and Cortana: while Microsoft does tell these users that it may “analyze” the audio, it had not disclosed that human workers would be listening to it.
Microsoft has since changed its policy to stop this practice.
Microsoft’s Statement and Change of Practice
Following Vice’s article, Microsoft stated that it has both ended some of these practices and moved any human analysis to secure facilities (and out of China entirely).
“We review short snippets of de-identified voice data from a small percentage of customers to help improve voice-enabled features, and we sometimes engage partner companies in this work,” the company told The Guardian. “Review snippets are typically fewer than ten seconds long and no one reviewing these snippets would have access to longer conversations. We’ve always disclosed this to customers and operate to the highest privacy standards set out in laws like Europe’s GDPR.”
“This past summer we carefully reviewed both the process we use and the communications with customers. As a result we updated our privacy statement to be even more clear about this work, and since then we’ve moved these reviews to secure facilities in a small number of countries.”
The company also pledged to “take steps” towards giving customers more control over how their data is used.
Hopefully in 2020, Microsoft and every other large tech company with access to sensitive private data will continue taking every precaution when processing it. If they don’t, we’ll likely continue hearing disturbing insider stories just like this one.