Microsoft and some contractors listen to Skype calls, but that shouldn’t be a surprise to anyone. And Microsoft’s response was quite typical – they refuse to stop. Microsoft can and does let its ‘associates’ listen to voice data and read from Office documents.
Word, PowerPoint and Outlook users are also likely spied upon. The choice from Microsoft is either to use the affected feature with the possibility of someone listening or not use the features at all. Unlike other parts of Office, there’s no choice to not share personal/business data for analysis. Anything sent to the cloud is ‘fair game’.
What it means for Office users and especially Office 365
The leaked information was about Cortana and Skype’s translation service but there’s also a big concern for Microsoft Office users.
Many parts of modern Office are connected to Microsoft’s servers. Parts or all of documents, worksheets, presentations and emails are sent to Microsoft.
Skype Translation uses the same underlying technology that powers these Office features:
- Translation in all Office programs
- PowerPoint live captions and subtitles
We’ve mentioned this many times in Office-Watch.com. Most people might not worry. After all, if Microsoft wants to read a book report or obscure sales figures, who cares?
However, the recent leak itself confirms there’s plenty to worry about. Even if an organization trusts Microsoft with its data, any company with confidential information could be breaking the law or a contract by unwittingly sharing customer data with Microsoft’s servers and staff, and more broadly.
Whatever information you have, not only can Microsoft staff read it, but people not employed by Microsoft can too. The only protection is an FAQ promise.
Joseph Cox at Motherboard received a trove of docs, images and audio files showing that Skype calls, using the Translator feature, are being distributed to Microsoft staff and people working for outside contractors.
“The Skype audio obtained by Motherboard includes conversations from people talking intimately to loved ones, some chatting about personal issues such as their weight loss, and others seemingly discussing relationship problems. Other files obtained by Motherboard show that Microsoft contractors are also listening to voice commands that users speak to Cortana, the company’s voice assistant.”
Microsoft hasn’t denied the story, far from it. They ‘doubled-down’ by refusing to stop the practice and continuing to let staff and contractors listen to private conversations directly or read transcripts.
Apple and Google recently said they’d stop human access to Siri and Assistant voice information, but not Microsoft.
Not just Microsoft is listening
When it wishes, Microsoft can boast about the vetting they do on staff who have access to customer files and information.
What Microsoft doesn’t say is that customer file and data access can extend beyond their direct employees, to employees of other companies that may not be as secure or as well vetted as Microsoft’s own staff.
The leak to Motherboard proves there’s a security problem. Someone leaked the Skype calls etc. to the media despite talk about customer privacy and non-disclosure agreements. Chances are the leak was from a contractor rather than a ‘Softie because Microsoft’s own staff tend to be loyal and scared of losing their valuable jobs.
Microsoft’s (non) response
As we said, Microsoft has refused to stop listening to customers’ calls.
They treat the security breach as a misunderstanding that’s solved by a small rewording of their FAQ.
The relevant part of the FAQ did say:
“Skype collects and uses your conversation to help improve Microsoft products and services. To help the translation and speech recognition technology learn and grow, sentences and automatic transcripts are analyzed and any corrections are entered into our system, to build more performant services.”
After the leak of Skype calls, all Microsoft did was add another sentence to the FAQ:
“This may include transcription of audio recordings by Microsoft employees and vendors, subject to procedures designed to protect users’ privacy, including taking steps to de-identify data, requiring non-disclosure agreements with vendors and their employees, and requiring that vendors meet the high privacy standards set out in European law and elsewhere.”
So that’s all right then: add a sentence and the problem goes away. No change in Microsoft’s treatment of customers’ data.
De-identifying or anonymizing data sounds great; however, researchers have shown many times that supposedly ‘anonymous’ data can be traced back to individuals by matching it with other information.
Ignore the FAQ … it means nothing
The Microsoft FAQ is NOT legally binding and really means nothing. It’s a marketing ‘fig leaf’ and PR cover but carries no legal or binding weight.