Microsoft had “no security measures” on a program that had humans transcribe user voice recordings from its Skype video calling service and Cortana assistant, the Guardian reported on Friday, even when those workers were located in China.
The recordings consisted of clips of “deliberately and accidentally invoked activations” of the semi-defunct Cortana assistant (which is intended to start upon hearing the phrase “Hey Cortana”), as well as Skype conversations. According to the Guardian, workers who were tasked with transcribing and vetting these clips in order to improve Microsoft’s voice-recognition technology were given no cybersecurity support to protect the recordings from theft or seizure by governments. A contractor on the project, who was based out of Beijing, told the paper that new hires gaining access to the recordings were told to create accounts with the same password for convenience, and were put to work without basic vetting to ensure they were trustworthy.
“There were no security measures,” that contractor told the Guardian. “I don’t even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details.”
While that contractor worked out of the office initially, he told the Guardian that Microsoft “after a while allowed me to do it from home in Beijing. I judged British English (because I’m British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login... They just give me a login over email and I will then have access to Cortana recordings. I could then hypothetically share this login with anyone.”
The program was part of Microsoft’s effort to improve voice recognition and, in particular, a real-time translation feature that relied on human data processing to increase service quality. As with similar programs run by Apple, Amazon, Facebook, and Google, the recordings sometimes captured intimate, embarrassing, or potentially compromising situations ranging from phone sex and pornographic search queries to what the contractor told the Guardian was possible domestic violence. As the paper noted, while users were informed audio could be captured for analysis, Microsoft did not disclose that actual human beings were listening to the audio.
The lax security measures are particularly concerning because the Chinese government is a mass surveillance state that tightly controls and monitors online communications. Freedom House ranks it as “the world’s worst abuser of internet freedom for the fourth consecutive year,” a situation Chinese security services “pushed to unprecedented extremes as the government enhanced its information controls” in 2019.
“Direct surveillance of internet and mobile phone communications is pervasive and highly sophisticated, while privacy protections under Chinese law are minimal,” Freedom House wrote.
In a statement to Gizmodo, Microsoft characterised the information as typically involving only short lengths of audio that had been “de-identified” to prevent tracing it back to its source. The work is now carried out by facilities outside of China. However, Microsoft did not address questions about whether personnel other than reviewers based out of China had access to more extensive voice recordings or whether the information was stripped of identifying information before or after it arrived in the country.
“We review short snippets of de-identified voice data from a small percentage of customers to help improve voice-enabled features, and we sometimes engage partner companies in this work,” a Microsoft spokesperson told Gizmodo via email. “Review snippets are typically fewer than ten seconds long and no one reviewing these snippets would have access to longer conversations. We’ve always disclosed this to customers and operate to the highest privacy standards set out in laws like Europe’s GDPR.”
“This past summer we carefully reviewed both the process we use and the communications with customers,” the spokesperson added. “As a result we updated our privacy statement to be even more clear about this work, and since then we’ve significantly enhanced the process including by moving these reviews to secure facilities in a small number of countries. We will continue to take steps to give customers greater transparency and control over how we manage their data.”
“Living in China, working in China, you’re already compromised with nearly everything,” the contractor told the Guardian. “I never really thought about it.”