Microsoft is said to have evaluated data such as audio recordings from Cortana and Skype for years by homeworkers in China, the British daily reports The Guardian and refers to a British working in China, who claims to have analyzed the recordings for a company on behalf of Microsoft.
A research by the Canadian lifestyle magazine had already been carried out in summer 2019 Vice show that Microsoft also had audio data evaluated. The Redmond company then praised the improvement and promised that the analysis would only be carried out at a few, separately secured locations.
We review short snippets of de-identified voice data from a small percentage of customers to help improve voice-enabled features, and we sometimes engage partner companies in this work.
This past summer we carefully reviewed both the process we use and the communications with customers. As a result we updated our privacy statement to be even more clear about this work, and since then we’ve moved these reviews to secure facilities in a small number of countries.
The British citizen living in Beijing wants to get through one of these Vice magazine have made publicly available programs for transcribing and checking audio recordings from Skype and Cortana and have personally analyzed the data over a period of two years at home. According to the Briton, there was no data protection and there was also no employee review.
However, the Brit was not directly with Microsoft, but with a third-party company, so that the failures must primarily be blamed on the Chinese contractor.
The findings are not new, rather they give an insight into the work of third-party companies and the sometimes dubious handling of sometimes very sensitive user data such as audio recordings.
No verification when hiring
The man states that he was asked neither for his personal information nor for his background when he was hired, only his bank account was relevant for the payment.
There were no security measures, I don’t even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details.
He received no support on data protection and security, for example to protect the data from criminal or state access. In fact, he and his colleagues were even instructed to do their jobs using different Microsoft accounts and the same password to simplify administration.
Access to the audio recordings of real customers
The man claims to have evaluated audio recordings of real customers – both intentional and inadvertent activations – from the Cortana voice assistant and individual Skype calls, which should have been sent to his personal laptop via a web app in the Chrome browser. In addition, he claims that based on his origin and mother tongue, he primarily analyzed English-language conversations and audio data from British customers. He did not know whether these customers lived in Great Britain or also in China.
I judged British English (because I’m British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login.
User names and passwords in plain text
The man, who, according to his own account, had already worked as a student for the Chinese contractor, also reported that the access data and passwords were sent by email and that they were available in plain text. In the course of his two years, he has witnessed quite unusual conversations and even suspected domestic violence.
They just give me a login over email and I will then have access to Cortana recordings. I could then hypothetically share this login with anyone. I heard all kinds of unusual conversations, including what could have been domestic violence.
In an interview with the Guardian, he did not comment on whether the Briton is currently employed by the Chinese contractor and whether he is still receiving orders from Microsoft. The exact period of his work is also not clear from the conversation with the daily newspaper. This leaves it open whether he only had to do the work before or even after Microsoft had promised improvement.