Microsoft is in damage control after a former employee claimed that contractors in China reviewed audio recordings from Skype calls over the open internet, with zero security measures, no vetting, and one shared password.
Cybersecurity was nonexistent in Microsoft’s audio transcription and rating program, according to a former contractor who spoke to the Guardian on Friday. The company sent contractors a username and password in plaintext, unencrypted email, using the same password for everyone who joined in a given year. They also neglected to vet workers, the ex-contractor said, adding that they merely took his bank account details when he was hired.
Besides the popular VoIP and messaging service, the Cortana voice assistant is also claimed to have been affected.
Theoretically, any contractor could access the account of any other, allowing one “bad apple” to wreak immense havoc on the system while covering their tracks. Nor were there any security measures in place to protect the recordings contractors listened to, the ex-employee said.
These were accessed over the open internet in China, where the companies Microsoft outsourced to were located. This, the report emphasizes, means users’ data could be pilfered or otherwise misused not only by a rogue contractor, but also by the Chinese government.
What it does not mention is that the American government has had access to Microsoft users’ data at least since the company became the first tech firm to join the NSA’s PRISM program in 2007, or that Microsoft actually helped the NSA penetrate its encryption.
While it’s now common (if controversial) knowledge that AI voice assistants like Cortana, Apple’s Siri and Amazon’s Alexa have human “helpers” rating their performance by listening to snippets of recordings, Microsoft extended the practice to Skype calls that used its real-time AI translation feature.
Like Apple and Google before it, Microsoft now claims it has ended its human grading program for Skype and Cortana for Xbox. The remaining audio reviewers have been relocated to “secure facilities,” which Microsoft was careful to point out are not located in China.
“We review short snippets of de-identified voice data from a small percentage of customers to help improve voice-enabled features,” Microsoft said in a statement in defense of its practices, acknowledging that “we sometimes engage partner companies in this work.” The snippets, it maintained, are “typically fewer than ten seconds long” and not linked to longer conversations.
The massive security lapse doesn’t speak well of Microsoft’s security software, particularly the Pentagon-backed “ElectionGuard” that will supposedly be guarding Americans’ votes from malicious interference in November.