“Shh” seems to be the operative word these days at Big Tech. Earlier this year, ConsumerAffairs reported on Amazon employees eavesdropping on consumers’ interactions with their Echo Dot (“Alexa”) devices and on Apple being caught red-eared when it was discovered that its employees had the ability to listen in on Siri voice recordings.
“The Skype audio obtained by Motherboard includes conversations from people talking intimately to loved ones, some chatting about personal issues such as their weight loss, and others seemingly discussing relationship problems,” the publication said. It also referenced internal documents, screenshots, and audio recordings that it obtained from Microsoft contractors.
Yes, I know I clicked “agree,” but…
That aside, many of the things said in chats and video calls are personal and private.
“People use Skype to call their lovers, interview for jobs, or connect with their families abroad,” Frederike Kaltheuner, data exploitation program lead at activist group Privacy International, said in an online chat with Vice.
“Companies should be 100% transparent about the ways people’s conversations are recorded and how these recordings are being used. And if a sample of your voice is going to human review (for whatever reason) the system should ask them whether you are ok with that, or at least give you the option to opt out.”
ConsumerAffairs reached out to Microsoft for comment and received the following statement from a Microsoft spokesperson:
“Microsoft collects voice data to provide and improve voice-enabled services like search, voice commands, dictation or translation services. We strive to be transparent about our collection and use of voice data to ensure customers can make informed choices about when and how their voice data is used. Microsoft gets customers’ permission before collecting and using their voice data.”
“We also put in place several procedures designed to prioritize users’ privacy before sharing this data with our vendors, including de-identifying data, requiring non-disclosure agreements with vendors and their employees, and requiring that vendors meet the high privacy standards set out in European law. We continue to review the way we handle voice data to ensure we make options as clear as possible to customers and provide strong privacy protections.”
Microsoft also offered the following information regarding collection and utilization of user data:
Microsoft gets users’ consent on an opt-in basis to collect and use voice data in Skype Translator and Cortana.
We also provide customers with a voice section of our privacy dashboard where they can view and delete stored audio data connected to their Microsoft account. An FAQ on managing voice data in our privacy dashboard is here.
Further, our voice-activated products incorporate visual and/or audio signals to let users know when our speech platform is collecting audio, e.g., lights on when speech is on or the mic indicates it is activated.
Our privacy statement explains that we share PII with vendors working on our behalf. It says: “We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of Microsoft and its customers.”
Microsoft limits the access to voice data to approved vendors who have agreed to our terms, and all vendors accessing speech data have been certified as compliant in accordance with Microsoft’s Supplier Security Privacy Assurance program. Accordingly, all vendors agree to maintain confidentiality, comply with all applicable laws, and pass through the non-disclosure requirements to their employees. Our terms also give Microsoft audit rights to ensure compliance.
To protect users’ privacy, vendors and their employees can only access these samples through a secure Microsoft-controlled portal. Microsoft takes steps to de-identify this voice data, such as removing any user or device IDs, to ensure it cannot be used to single out any individual user or be tied back to any device.