Microsoft reportedly ran a transcription and vetting programme for its Skype internet calling service and the Cortana digital assistant for years, with “no security measures”. The information comes via a report by The Guardian, and follows up on a report by Vice in August 2019 that revealed that Microsoft was engaging human contractors to review collected audio snippets, thereby allowing third parties to listen in on potentially sensitive content without any clear disclosure of the same. The Guardian’s report explains the severity of this transgression even further, quoting an ex-contractor who claims to have worked on the project.
According to the contractor, he was assigned a URL, username and password, all written in plain text and with no encryption whatsoever, by his employer in order to access audio snippets collected intentionally or accidentally from Microsoft’s digital AI assistant service, Cortana. He further goes on to reveal that while he was initially required to execute the project from an office (that belonged to the third party service provider contracted by Microsoft), he was subsequently allowed to work on it from his home. Alarmingly, he could continue to access these audio recordings from his home laptop by simply signing in to the given URL.
What makes this incident alarming is that the usernames and passwords assigned to the contractors also did not follow any recommended cybersecurity practice. According to The Guardian’s source, the usernames were all assigned serially, and the same password was used to log in to any of these contractor accounts, “for ease of management”. Since the said URL could be logged in to from any device, this raises the potential security threat of any contractor willingly sharing their login credentials with non-contractors, and even logging in to accounts of other contractors as well. They could technically also save these recordings to their personal laptops.
The contractor has further revealed that he was based in Beijing, China when he undertook this project. This makes the matter worse, since the Chinese internet is known to be closely monitored by Chinese government authorities. As a result, any Chinese entity could technically tap into this data, and without any encryption or cybersecurity practice at hand, listen in on Microsoft’s audio snippets from Skype and Cortana as well. The contractor further revealed that he was not even required to fulfill any identification criteria by his employer, which raises the possibility of anyone (including threat actors with malicious intent) gaining access to potentially sensitive data.
Microsoft seemingly does not disclose to its users that their voice data may be collected and handed over to third party human contractors for analysis and service improvement purposes. While Microsoft seemingly updated its end-user agreement post Vice’s report, The Guardian further found that Microsoft does not list China as one of the registered nations for third party contractors to operate the vetting service. Microsoft has maintained that no audio clips are more than a few seconds long, and are anonymised to protect the identity of their owners. It further claimed that it has moved all contract-based vetting work to “secure locations”, and its practices are in compliance with “the highest privacy standards set out in laws like Europe’s GDPR”.
However, the recent report does not appear to fall in line with being particularly ‘secure’. While it is not quite clear if Microsoft continues the contractor programme even today for at least some of its services, the report underlines the increasing amount of privacy violation that Big Tech firms such as Amazon, Apple, Google and Microsoft itself regularly undertake, until tracked down. It also throws light on the compromised state that cyber security is in today, and raises the need for governments across the world to adopt far stronger data protection and privacy laws that all tech firms should be mandated to follow without exception.