A new report from the Guardian accuses Microsoft of using Chinese workers to transcribe and grade Skype and Cortana audio with “no security measures”. The information comes from a former Beijing contractor who said he performed the work on his personal laptop from his home over a period of two years.
A VICE report previously revealed that human contractors listen in on private Skype conversations. While Microsoft’s privacy policy admitted conversations were analyzed at the time, many were unaware this was by a human contractor. At the time, the company said it requires non-disclosure agreements with vendors and employees and ensures that vendors meet high privacy standards.
However, while user account information is removed from the samples, the audio itself can naturally contain identifiers. Further, the contractor describes poor security practices that did not meet high standards at all.
“There were no security measures, I don’t even remember them doing proper KYC [know your customer] on me,” he said. “I think they just took my Chinese bank account details.”
Plaintext Passwords
Workers reviewed both accidental and deliberate audio samples via a web app, and some samples contained potentially sensitive information. Login details were reportedly sent to contractors via a plaintext email. The contractor said he heard instances of potential domestic violence and worries that the security compromise of workers could lead to information becoming available to the Chinese government.
Microsoft says that since VICE’s report, it has ended its grading programs for Skype, Cortana, and Xbox, and moved them from China to secure facilities.
“This past summer we carefully reviewed both the process we use and the communications with customers,” it said. “As a result we updated our privacy statement to be even more clear about this work, and since then we’ve moved these reviews to secure facilities in a small number of countries. We will continue to take steps to give customers greater transparency and control over how we manage their data.”
It emphasized that audio snippets are “typically” shorter than ten seconds and none of its workers have access to longer conversations. Even so, users won’t be happy to hear that their personal audio was handled so poorly.