According to data protection specialists, a Microsoft program to transcribe audio samples from Skype and Cortana users has been operating for years without sufficient security measures. A former contractor even claims that he reviewed thousands of recordings of potentially sensitive content from his location in Beijing, China.
In testimony to The Guardian, the former contractor claims that Microsoft workers have accessed Cortana and Skype recordings, as well as both delivered and unintentional activations of the voice assistant. For this, a web application was used that runs in the Chrome browser using the Chinese Internet.
This is a serious problem, as users did not have help or advice on data protection of any kind, so their data was completely exposed to the reach of any criminal or even state actor: “Employees did not even have to authenticate to access these conversations, even after a while I started working from home,” says the former contractor.
Continuing his testimonial, the informant added: “The company only gave me a login via email, so I gained access to Cortana recordings; if I wanted to, I would have been able to share that material with anyone, even criminal groups.” The informant claims to have heard all kinds of conversations during his work with the Chinese company.
The data protection experts mention that, in the area of the many risks that these practices entail, there is the dishonest use of user data, access to voice recordings on a compromised device, permission to external contractors for the purpose of without forgetting the potential criminal use of sensitive information. If that were not enough, the risk increases in the case of a Chinese contractor, so the information of thousands, or even millions of employees.
On the other hand, Microsoft released a statement regarding the report: “During the last summer we finished the qualification programs for Skype and Cortana for Xbox, moving the rest of human evaluation to secure facilities; none of these facilities are in China.”
The International Cyber Security Institute (IICS) mentions that companies collect this kind of information by arguing for quality monitoring and service improvement purposes, although these pieces of information could be really useful for purposes which makes them the target of advertisers and cybercriminals.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
