According to data protection specialists, a Microsoft program to transcribe audio samples from Skype and Cortana users has been operating for years without sufficient security measures. A former contractor even claims that he reviewed thousands of recordings of potentially sensitive content from his location in Beijing, China.
In testimony to The Guardian, the former contractor claims that Microsoft workers have accessed Cortana and Skype recordings, including both deliberate and unintentional activations of the voice assistant. The work was done through a web application running in the Chrome browser over the Chinese internet.
This is a serious problem, as users had no help or advice on data protection of any kind, so their data was completely exposed to any criminal or even state actor: “Employees did not even have to authenticate to access these conversations, even after a while I started working from home,” says the former
Continuing his testimony, the informant added: “The company only gave me a login via email, so I gained access to Cortana recordings; if I wanted to, I would have been able to share that material with anyone, even criminal groups.” The informant claims to have heard all kinds of conversations during his work with the Chinese company.
The data protection experts mention that, among the many risks that these practices entail, there are the dishonest use of user data, access to voice recordings on a compromised device, permission to external contractors for the purpose of without forgetting the potential criminal use of sensitive information. If that were not enough, the risk increases in the case of a Chinese contractor, so the information of thousands, or even millions of employees.
On the other hand, Microsoft released a statement regarding the report: “During the last summer we finished the qualification programs for Skype and Cortana for Xbox, moving the rest of human evaluation to secure facilities; none of these facilities are in
The International Cyber Security Institute (IICS) mentions that companies justify collecting this kind of information on the grounds of quality monitoring and service improvement, although this information could be really useful for other purposes, which makes it a target for advertisers and cybercriminals.