A Brit working in China has with the Guardian talked about how the analysis of audio recordings worked at Microsoft. He has revealed blatant violations of even minimal data protection standards. The employee was not checked during the employment – the Microsoft employees were basically only interested in his account details.
In order to get access to the audio data recorded by real customers in their everyday life, he was sent a completely normal email, in which the access data including the password had been in plain text. So he could use an app in Chrome. For the sake of simplicity, the access data was used for all employees who examined voice recordings.
He then listened to the recordings first in an office in Beijing, later also at home. There were no data security measures. If, for example, Chinese government agencies were also interested in the audio recordings, they would obviously have had no problem accessing them.
Because the employee is British, he heard conversations from users who spoke British English themselves. He did not know whether they also lived in China. In that case, however, they might have been of particular interest to the Chinese authorities and could have been in serious trouble.
In his work, the British witnessed alleged domestic violence, among other things, and followed all kinds of unusual conversations – the Guardian does not give any further details.
It has been known since summer 2019 that Microsoft, as well as Amazon, Apple and Google, have the audio files recorded by voice assistance systems analyzed by human employees. The companies say that the functionality of the devices should be improved or the machine-based translation should be optimized.
However, the information provided by the Guardian shows that, at least in the case described, there was no serious data protection – and that in a country like China, where statements made in private could have serious consequences if they fall into the wrong hands.
Microsoft says that since the reports in the summer, the audio files have only been analyzed in secure environments – none of them are in China. In addition, only a very small percentage of customers are affected at all, and the audio recordings are only a few seconds long.