According to a former contractor who spoke with The Guardian, the firm allowed workers to review both Cortana and Skype recordings from homes across Beijing while using a personal laptop. The contractor says they listened to "thousands" of interactions this way. Moreover, the Chrome web app they used to do their work required only a username and password to access. Additional security measures such as two-factor authentication weren't necessary when they worked from home.
"For ease of management," every new employee the third-party firm hired over a given year was provided with the same password. What's more, those passwords were emailed to new employees in plain text over email. The firm also reportedly did little to no vetting of potential hires to ensure they were fit to do the job.
"I heard all kinds of unusual conversations, including what could have been domestic violence," the contractor told the publication. "It sounds a bit crazy now, after educating myself on computer security, that they gave me the URL, a username and password sent over email."
Following the initial Vice report, Microsoft says it ended its Skype and Cortana for Xbox grading programs, as well as moved any remaining ones into "secure facilities." None of those facilities, according to the company, are in China anymore.
"This past summer we carefully reviewed both the process we use and the communications with customers," Microsoft told The Guardian. "As a result we updated our privacy statement to be even more clear about this work, and since then we've moved these reviews to secure facilities in a small number of countries. We will continue to take steps to give customers greater transparency and control over how we manage their data."