A former contractor is making the claim, saying that he listened in on thousands of recordings from his personal laptop in Beijing. If true, the news highlights a major privacy violation at one of the biggest tech companies in the world. Here’s exactly what we know about the situation, and how Microsoft is responding.

Former Microsoft Contractor Speaks Out

The whistle-blowing contractor worked at the position for two years, initially coming into an office but eventually simply working from home, where he used his personal laptop over the Chinese internet. According to the former contractor, he and other Microsoft workers just used a web app and Google’s Chrome browser to access the audio, with no additional layers of protection. In addition to this lack of security, the employees themselves were barely vetted, the contractor said. On top of this, workers were instructed to use the same password across multiple new Microsoft accounts for ease of management, the contractor alleged, meaning that the login information could potentially have been shared and accessible to anyone.

Skype and Cortana Records Compromised

The data accessed included both intentional and accidental activations of Microsoft’s voice assistant Cortana, as well as some Skype call audio. The contractor, who is British, was assigned British English recording to vet. In some cases, the audio was from sensitive conversations. As Vice reported last August, these audio transcriptions are likely to come as a surprise to users of Skype and Cortana — While Microsoft does tell these users that it may “analyze” the audio, it had not disclosed that human workers would be listening to it. Microsoft has since changed its policy to stop this practice.

Microsoft’s Statement and Change of Practice

Following Vice’s article, Microsoft stated that it has both ended some of these practices, and has moved any human analysis to secure facilities (and out of China entirely). The company also pledged to “take steps” towards giving customers more control over how their data is used. “This past summer we carefully reviewed both the process we use and the communications with customers. As a result we updated our privacy statement to be even more clear about this work, and since then we’ve moved these reviews to secure facilities in a small number of countries.” Hopefully in 2020, Microsoft and every other large tech company with access to sensitive private data will continue taking every precaution when processing it. If they don’t, we’ll likely continue hearing disturbing insider stories just like this one.