Microsoft-contracted transcriptionists reportedly failed to properly secure Cortana, Skype voice recordings

By Cohen Coberly for TechSpot

(Lack of) privacy: In late 2019, the world learned that Microsoft had been allowing both third-party contractors and employees to listen to and transcribe user Cortana and Skype voice recordings. Though the news was troubling for privacy activists, at the time, Microsoft made it clear that it would not be ending the practice.

However, it seems Microsoft recently changed its mind, and has chosen to end those “grading” programs after all. Unfortunately, a recent report from The Guardian suggests the damage may have already been done.

One Chinese transcription firm, which Microsoft allegedly contracted for several years to handle Cortana and Skype recordings, failed to implement meaningful security measures to protect the data in its care.

Indeed, a former employee of this firm who spoke to The Guardian said he was barely vetted before being hired. “There were no security measures, I don’t even remember them doing proper KYC on me,” he stated, referring to the “Know Your Customer” identity verification tactics often implemented by businesses. “I think they just took my Chinese bank account details.”

Of course, sub-par hiring practices alone wouldn’t necessarily be cause for concern, provided the company’s other security practices were up to scratch. Sadly, they were not, according to the individual. He says login credentials, as well as a link to access voice recordings, were sent in plaintext over email. Security methods such as two-factor authentication were not required, and every employee hired used the same password to log in (usernames followed a “simple schema”).

Further, after some time in a more secure office environment, the individual (and, presumably, other employees) was allowed to work from the comfort of their home, using their own personal, unsecured laptop.

To be clear, we aren’t saying these security failures are entirely Microsoft’s fault — the company was not the one directly handling this data, after all. However, one would hope a giant tech corporation would take greater care to vet the security of the firms it chooses to partner with (if voice recordings must be transcribed in the first place).

With that said, we should note that Microsoft is no longer partnered with this transcription firm or any others based out of China. Furthermore, the tech giant says whatever grading programs still remain (unrelated to Skype or Cortana) have been moved to a small number of “secure facilities.”

Hopefully, this means there won’t be a need for articles like this one in the future, but only time will tell. If there’s one thing tech companies have proven over the years, it’s that they are often woefully unprepared to handle the massive amount of data that has been entrusted to them.