Microsoft Contractors Are Listening to Some Skype Calls (vice.com)
178 points by djug 72 days ago | 75 comments

>Although Skype's website says that the company may analyze audio of phone calls that a user wants to translate in order to improve the chat platform's services, it does not say some of this analysis will be done by humans.

I'm sorry, but isn't this just nitpicking? Just because they don't say how it's analyzed doesn't make this a scandal.

Well, going back to the origins of skype it was advertised as encryption that not even employees can read or listen to your calls. I know that broke around (or probably before) MS purchased it - but I just find it funny how much humanity is willing to let things slide. So much so that we go from the most secure peer to peer architecture ever to - oh yeah contractors are listening to skype calls.

You know what I guess I am corrected - they said "employees couldn't read or listen". It's a contractor loophole!!! -/sarcasm

Yes and no. I think as techies we think "of course". Because we know how you would go about analyzing that information. I don't think the average person does (anyone in the bay is likely not your average person in this context). Analyze could be a whole lot of things. It doesn't mean that a human is listening in.

So yes, I think to us this is nitpicking. But to the general public this is news.

I still remember a few years back having conversations with people about how companies like Google, Apple, and whatever hire people to listen to your recordings when you use services like Ok Google and Siri. Of course no techies bat an eye at this talk. But people in the general populace called me a conspiracy theorist.

I don't think we realize the technical literacy divide that exists.

It’s an ambiguity that tech companies love to take advantage of.

For instance, Google will say that they analyze your Gmail to improve the service etc, but that no human will ever read your email.

How is the average person expected to keep track?

It's not nitpicking. If the word "analyze" was chosen because the word "eavesdrop" would result in users leaving the platform, and eavesdropping is what they're actually doing, then they're obscuring their actions with a euphemism.

Well, eavesdrop means secretly listening to a conversation. If they communicate it in a reasonable way, it's not eavesdropping.

Well, since they don't communicate it in a reasonable way it is eavesdropping then.

If they communicate that they're eavesdropping, which is what was proposed here, it seems excessive to then claim that they're not communicating this monitoring or listening of calls in a reasonable way which would mean it's not eavesdropping.

Yes. In fact, I think it would be hard to classify a totally automated mechanism as "analysis".

"Shall we make it clear that no humans listened, and that 'analyze' meant via algorithms?"

"No, leave it as it is; nobody's that concerned about their privacy being violated by other people listening to recordings captured by Alexa, Siri etc."

I think we have to assume at this point that all online communication tools owned by for-profit mega-corps are compromised and that they can and do listen/analyse everything.

I have long assumed that with Whatsapp... I honestly don't believe that it's as secure as it used to be: Facebook's raison d'être is all about data gathering.

Also, when I read a WhatsApp message on my phone, it's unencrypted as I see it on the screen, it kind of has to be... what stops FB (or anyone for that matter) from reading it too at that point?

Sorry, I went on a tangent a bit there but I feel it was relevant.

Specifically, you should realize anything that companies say is done with "AI" is probably in some part done by poorly paid contractors. And not always on the analysis end, for example: https://www.forbes.com/sites/johanmoreno/2019/05/28/25-of-go...

There's something incredibly dystopian about using humans as part of a process you literally tell people is entirely machines.

Haha, I never realised it was that immature.

As an aside: Being a tech I have been asked numerous times by non-techs "What actually is AI?"

I usually answer "a lot of if-statements" :)

AI researcher here. While industry doesn't usually find the need for huge complex models, I don't think your statement is fair, nor accurate. Can you provide some examples of AI tech that in your opinion is "a lot of if statements"?

How do you expect someone to justify a statement that's not true? I suppose you could say that it's a fair characterization of a basic decision tree but that doesn't describe modern ML methods.

The commenter is just referring to the nature of neural networks, a pile of weights and thresholds that you could conceivably write out as a maniacal mess of deeply nested if-statements.

If you're meaning me, I probably should've ended my comment with /s

I was making a joke :)

That's not a fair characterization. These contractors are mostly used for quality assurance. Once you've trained your model (which is not just if statements), you might send a few thousand examples to raters to judge the true quality of your model.

It is probably something akin to "a lot of if-statements generated by an automated system that we neither understand nor can explain, which seems to more or less output results we wanted".

This reminds me of the great first novel of Russian author Victor Pelevin, Omon Ra. The protagonist joins the Soviet space program (fully automated moon exploration!) and

[spoilers ahead]

learns that the full automation is physical labor by cosmonauts at every stage of the process. No spoilers about the end, it's even better.

Compromised by what? Whom? Listening / analyzing for what?

These stories are really overblown. All these companies are doing it in order to make voice recognition better. It’s simply not possible to do with some QA... you have to know what people are actually saying vs what the system recognized.

I have nothing to back this statement up...

I am sure they are "training" their AI. I don't doubt it but they have access to masses of data. Some mega-personal I would imagine and also some that can provide insight into other businesses and markets and so on.

The temptation to "use" that data would be absolutely enormous and the financial pressures to use it to provide whatever advantage would be equally enormous.

I recall years ago reading about the FB app spying on users' usage of other apps on phones (My Google-fu is broken right now but I'll keep looking for it and update if I find it).

Imagine if <insert mega-corp> has data from one purpose/system that could provide a massive leg-up to them. Do you think they would ignore it? Perhaps in regulated industries like finance (I happen to work in finance and we have systems and procedures in place for this kind of thing) they may have to destroy it once it's been used for a very specific purpose but we're talking about Skype.

The best scenario is if the data doesn't exist or can't be read... it removes the possibility of temptation and financial pressures to use it.

I don’t think there’s as much pressing financial advantage in a 10 second clip of a couple fighting as you seem to think.

FB knowing what apps people use makes a lot of sense because it tells them how they’re doing relative to others. You’re not getting such information in the home.

Slate and Forbes wrote an article about this in 2012 when it was noticed Microsoft had filed a patent for this.. although nobody from Microsoft would publicly comment on the issue.

This has likely been going on for some time.


Nitpicking, but "Forbes" didn't write that article as much as "Medium" or "Blogger" wrote any article you see hosted on those sites.

Notice that the article you linked is hosted on forbes.com/sites/ericjackson...

Some guy named Eric Jackson (https://twitter.com/ericjackson) - who appears to be a PE investor wrote that article.

Forbes is a content farm that hosts opinion posts: https://en.wikipedia.org/wiki/Forbes#Forbes.com

Forbes.com uses a "contributor model" in which a wide network of "contributors" writes and publishes articles directly on the website. Contributors are paid based on traffic to their respective Forbes.com pages; the site has received contributions from over 2,500 individuals, and some contributors have earned over US$100,000, according to the company. Forbes currently allows advertisers to publish blog posts on its website alongside regular editorial content through a program called BrandVoice, which accounts for more than 10 percent of its digital revenue.

So the gist of this unsurprising discovery is that Microsoft's translator 'AI' is actually supervised by contractors who listen to users' voice data to correct their requests.

I'm very skeptical of these privacy claims. The fact that my voice commands are being sent to a random person on one end listening to them at home makes me reconsider the real purpose of these 'Smart Assistants' in general. If Microsoft thinks that the contractor only being able to access it via a 'secure portal' means that they are respecting your privacy, then the security is as good as compromised and contradicts their end-to-end encryption claims.

To these companies, 'privacy' is just another buzzword used to keep us using their services. I think it would take something far worse than this to break the social inertia around these services and for us to reconsider using them.

If it's not end to end encrypted--and by that I mean using audited, open source cryptography--you should assume that the full contents may be made public at any time. And you should basically assume that metadata will be made public no matter what you do.

And if it IS end-to-end encrypted, you should assume that the full contents may be made public at any time. Companies don't only record contents of communications over the wire you know, eventually they have to be decrypted on the end points.

I do remember how Skype used to be end-to-end encrypted.

I don’t know much about how it worked but I’ve heard it described more like obfuscation than encryption. It also used to be P2P but that ended under Microsoft’s ownership.

Funny enough, at one point Microsoft basically merged Skype and MSN, and the text chat parts of Skype started using “MSNP24”, a couple version numbers up from the latest MSN protocol, MSNP22. I never dug in to see how much it was really like MSNP from MSN because I lost interest in Skype not long after.

Once they ditched p2p the quality derailed. The worst thing was the Skype mobile app trying to sync on my phone. It never seemed to cache convos well enough, it also would not sync properly between devices in regards to notifications. Also Skype would try to pull in my entire history. I feel like some P2P concepts stuck deeply within Skype and thats what left it so awkward.

The mobile app is probably why they ditched P2P. As much as I love old Skype, it existed in a pre-mobile world, and never translated well to phones... and in fact, most P2P platforms won't translate well to phones, since you at least need centralization for the push notifications. Such is life.

Though to be clear, yeah, it didn't really fix the mobile app. It felt just as broken up to the moment I uninstalled Skype.

>most P2P platforms won't translate well to phones, since you at least need centralization for the push notifications. Such is life

This isn't a fact of life, this is a flaw in the API of most popular mobile OSes. Open source community-maintained operating systems have solved the problem of providing a network service for handling push notifications (local or not) multiple times now and these companies have refused to implement them because it makes it much easier to create an ecosystem around their crap.

This gives them control and control can be traded for money, it has absolutely nothing to do with technology. That's just life.

I work for Google and use an iPhone so I can’t claim to be unbiased. (My eyes have been on the Librem phone, with some skepticism and lately mostly excitement, but I’m just not quite sold on it as a daily driver.)

However, even if you allow apps to run in the background basically indefinitely as Android once did (there were IRC clients that Worked, using only the phone,) it simply is bad for battery life. Having multiple push services that are blessed to run periodically is also just not good for battery life. The proof is in the pudding; I switched to IRCCloud for IRC on the go after noticing what a terrible battery drain it was.

Now, third party push services can certainly do better than IRC, but they’re still centralized. Decentralized networks are just not power efficient. It requires always on machines to be effective.

I’m not saying I love the status quo, but it’s unclear how to do better.

(Obligatory legal line noise: these are my own opinions and not those of my employer.)

If you need push notification, yes, it is going to cost (if it's an Electron app, it'll cost you RAM as well). Google provides such already, via GCM/Firebase.

I mean, you could just run IRC in a TUI (e.g. Irssi or WeeChat) and connect to that via Mosh plus Tmux. You'd have low latency, 24/7 uptime, resuming, low resource usage... but no push notifications.

Well, the way the chat history worked: it downloaded it from other devices. But it felt like it didn't cache it, and it tried to download your entire chat history. The mobile client would lag for a good minute as a result. Help you if you scrolled up.

P2P was really the key to Skype's privacy protections, AFAIK. I remember a lot of insanity in the P2P days, even when they had a bunch of their own supernodes holding everything together. Like photo shares and file sends not working if the person who posted them was offline when you finally saw them, which was especially annoying in group chat contexts. Skype's model was built really well for the world where everyone had a persistently-internet-connected desktop. But its P2P nature was incredibly terrible once mobile became the norm.

Mind that this is - as I understand it - about cases where the automatic translation is being used in Skype (while I wonder how "sexy" phone sex via automatic translation might be ... In my imagination (you want to hear about that, right?) these could be people trying "funny" things with the translation ... or I underestimate the quality.)

And yes, doesn't mean MSFT doesn't have access to other communication and doesn't mean other cases aren't serious leaks of information to arbitrary contractors.

I always thought some three lettered agency must have encouraged MS to buy Skype from its foreign owners for precisely that reason. The first 10 years at least MS did absolutely nothing with the company, as if it never really wanted to buy it.

Of course they did! NSA issued an RFP for Skype intercept in 2009 [1] and everyone assumed that MS took them up on it:

>An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic.

And then Snowden revelations confirmed that MS was intercepting Skype [2]:

>Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

>In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

[1] https://www.theregister.co.uk/2009/02/12/nsa_offers_billions...

[2] https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...

That’s pretty silly. For one thing, it was already owned domestically before MS bought it. Second, you think MS spends 8.5 billion plus untold engineering resources and overhead as a favor to the US government?

Why not?

That was immediately before O365, and at that point BPOS/Exchange online was starting to get traction with some governments. Microsoft was also ramping their OCS/VoIP business.

Government is a huge market for O365, they were able to get ATOs and go conquer most states and federal agencies. They also bought a huge VoIP play, learned how to operationalize it, quickly spun it into a service component that serves >100M people.

I don’t expect to change your mind, but this just isn’t how things work. MS are not a front for the government. Also, you are giving the government far too much credit in terms of how they are organized to even dream that a deal like that could work. Not to mention it would be a massive scandal when it inevitably leaked. This is the same company that famously refused to backdoor BitLocker and fairly recently has been suing the US government to fight against court orders to hand over data. I suppose you think that’s all a charade to trick the public though...

I just said it was plausible.

Microsoft, like any company, isn’t good or evil, but will do whatever is in the company’s best interests, and they’ll act appropriately when their interests align with the government.

It's unlikely, while the US government had real leverage via contract negotiations, Anti trust issues, etc.

Skype looked like a solid investment at the time. Microsoft makes a lot of money from corporate clients so it's probably just another strategic acquisition that they did not know what to do with.

That relates to court orders, which have been served on every company. It was also horribly misreported, with every affected company saying pretty publicly that this wasn’t accurate.

There is a difference between being compelled to spend billions on a company just to provide wiretapping for feds, and buying a company with a wildly successful product then being asked to handle wiretaps after the fact. One of those is ridiculous, the other is expected.

Absolutely! At this point it's just a matter of how big the government contract regarding scooping into Skype content is. I could bet the billions MS spent have been easily recouped in the first 2 years.

So does Twilio... not surprising at all when there's no encryption and they need to debug real phone calls routed all over the world, which is not an easy task.

As long as they're only spot checking and not browsing through any one person's calls for no reason I don't see why it's a big deal. It's mostly business lines anyway.

That said, they should have some protocols and controls in place for listening to any calls, with solid paper trails. Every company like that should have a privacy manager to direct and monitor these measures. They could even document/blog about their work on privacy for marketing purposes (assuming the executives are aware of just how in-demand privacy has become these days).
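The comment above asks for "protocols and controls in place for listening to any calls, with solid paper trails". Below is an added example of what such a control can look like in code; it is not from the thread and is not Twilio's, Microsoft's or any vendor's tooling. Everything in it is an assumption for illustration: the allowed purposes, the per-caller daily cap (the "spot checking, not browsing one person's calls" rule), the ticket requirement, and the constructed request sequence in `demo()`. The paper trail is a hash-chained, append-only log in which denied requests are recorded too, so that a later edit or deletion of any entry is detectable.

```python
import hashlib
import json

# Constructed policy values for this example only (not from any real deployment).
ALLOWED_PURPOSES = {"qa_sample", "incident_ticket"}
MAX_SAME_CALLER_PER_DAY = 2      # spot checks, not browsing through one person's calls
GENESIS = "0" * 64               # previous-hash value of the first log entry


class RecordingAccessGate:
    """Gates human access to call recordings and keeps a hash-chained audit trail."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def _append(self, **fields):
        # Each entry commits to the previous entry's hash, so the chain is append-only.
        fields["prev"] = self._prev
        digest = hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()
        fields["hash"] = digest
        self.entries.append(fields)
        self._prev = digest
        return digest

    def _same_caller_today(self, reviewer, caller_id, ts):
        day = ts // 86400
        return sum(
            1 for e in self.entries
            if e["decision"] == "allow" and e["reviewer"] == reviewer
            and e["caller_id"] == caller_id and e["ts"] // 86400 == day
        )

    def request_access(self, reviewer, call_id, caller_id, purpose, ticket, ts):
        """Return True if the reviewer may listen. Every request, allowed or not, is logged."""
        reason = None
        if purpose not in ALLOWED_PURPOSES:
            reason = "purpose_not_allowed"
        elif purpose == "incident_ticket" and not ticket:
            reason = "ticket_required"
        elif self._same_caller_today(reviewer, caller_id, ts) >= MAX_SAME_CALLER_PER_DAY:
            reason = "per_caller_limit"
        decision = "deny" if reason else "allow"
        self._append(ts=ts, reviewer=reviewer, call_id=call_id, caller_id=caller_id,
                     purpose=purpose, ticket=ticket, decision=decision, reason=reason)
        return decision == "allow"

    def verify_chain(self):
        """Recompute every hash; False if any entry was edited, reordered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed sequence: three pulls on the same caller, then a ticket-less incident access."""
    gate = RecordingAccessGate()
    t = 1_700_000_000
    results = [
        gate.request_access("rev1", "call-1", "userA", "qa_sample", None, t),
        gate.request_access("rev1", "call-2", "userA", "qa_sample", None, t + 60),
        gate.request_access("rev1", "call-3", "userA", "qa_sample", None, t + 120),        # 3rd on userA: denied
        gate.request_access("rev1", "call-4", "userB", "incident_ticket", None, t + 180),  # no ticket: denied
        gate.request_access("rev1", "call-4", "userB", "incident_ticket", "INC-42", t + 240),
    ]
    intact_before = gate.verify_chain()
    gate.entries[0]["purpose"] = "incident_ticket"   # simulate someone editing the log after the fact
    return results, intact_before, gate.verify_chain()


if __name__ == "__main__":
    print(demo())
```

The gate refuses on the third access to the same caller in a day and on an incident lookup without a ticket, and `verify_chain()` flips to False as soon as any earlier entry is touched. In a real deployment the chain head would be published somewhere the reviewers cannot write to (a separate log service, or periodically signed), otherwise whoever can edit the log can simply recompute the hashes.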

> As long as they're only spot checking and not browsing through any one person's calls for no reason I don't see why it's a big deal.

Go back 50 years and apply this same logic to AT&T instead of Skype to see how far our expectations of privacy have degraded.

I thought 50+ years ago you had operators punching in and out of calls on an as-needed basis....

I assume the period after switch boards was much the same... but an even harder problem to solve.

I'm talking about engineers accessing it anyway.

I really don't have a problem with that and I'm pretty hardcore into privacy. I assume all Skype calls are 100% tapped, auto-translated, and data-mined available for any agency who wants it.

That's kind of the point, the upper class is at war with the masses, hear it in their own words:

Zbigniew Brzezinski, former national security advisor of the United States:


"The technetronic era involves the gradual appearance of a more controlled society. Such a society would be dominated by an elite, unrestrained by traditional values. Soon it will be possible to assert almost continuous surveillance over every citizen and maintain up-to-date complete files containing even the most personal information about the citizen. These files will be subject to instantaneous retrieval by the authorities."


Book - governments not to work for the people:


Can anyone recommend a good open-source chat and call solution? I'm looking for something I can run on my own server to support friends and family, with an iOS and Android app. It doesn't have to support more than one or two video calls at a time. I figure this is sadly the long term solution.

I use jit.si as replacement for Skype. It's in browser, encrypted, p2p and EFF approved.

I don't know if they have apps, but as far as I know their server code is on github.

Note that jit.si is only encrypted in the sense that Skype is encrypted, aka transport stream encrypted. The server needs access to the decrypted video stream so that it can do split screen. See this thread for details: https://github.com/jitsi/jitsi-meet/issues/409

I personally use jitsi because it is FLOSS software and it's less likely to send conversation contents to the NSA or other dragnet surveillance entities. But it's not end to end encrypted.
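The distinction in this comment (transport encryption, where the server decrypts to mix the streams, versus end-to-end encryption) is the same one the earlier comment makes about how "eventually they have to be decrypted on the end points". The following is an added example, not code from the thread or from Jitsi, Skype or any vendor, that shows both layouts with a single relay standing in for the provider's server. It assumes a toy authenticated cipher (SHA-256 in counter mode plus an HMAC tag, used only because the standard library has no AEAD) and a pre-shared key between the two endpoints in place of a real key agreement; the message text is constructed.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher for illustration only (assumption): SHA-256 in counter mode
# as the keystream plus an HMAC-SHA256 tag. A real client would use AES-GCM or
# ChaCha20-Poly1305; the point here is who holds which key, not the cipher.
def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _xor_stream(key, nonce, data):
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    k_enc, k_mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(k_enc, nonce, plaintext)
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("not a sealed blob")
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_stream(k_enc, nonce, ct)


class Relay:
    """The provider's server. It terminates the transport encryption of every client."""

    def __init__(self):
        self.transport_keys = {}
        self.observed = []   # payloads exactly as the server (and anyone with server access) sees them

    def register(self, client):
        self.transport_keys[client] = secrets.token_bytes(32)   # stands in for a TLS/DTLS session key
        return self.transport_keys[client]

    def forward(self, src, dst, blob):
        payload = unseal(self.transport_keys[src], blob)   # hop 1 ends here: payload is whatever was inside
        self.observed.append(payload)
        return seal(self.transport_keys[dst], payload)     # hop 2 starts here


def deliver_hop_by_hop(relay, sender_key, receiver_key, msg):
    # "Encrypted" in the transport sense only: each hop is protected, the middle is not.
    return unseal(receiver_key, relay.forward("alice", "bob", seal(sender_key, msg)))


def deliver_e2e(relay, sender_key, receiver_key, shared_key, msg):
    # End-to-end: an inner layer keyed by something only the two endpoints hold.
    inner = seal(shared_key, msg)
    wire = relay.forward("alice", "bob", seal(sender_key, inner))
    return unseal(shared_key, unseal(receiver_key, wire))


def server_can_decrypt(relay, payload):
    """True if any key the relay holds opens this payload."""
    for key in relay.transport_keys.values():
        try:
            unseal(key, payload)
            return True
        except ValueError:
            pass
    return False


def demo(msg=b"my address is 1 Example Street"):   # constructed sample message
    relay = Relay()
    ka, kb = relay.register("alice"), relay.register("bob")
    hop = deliver_hop_by_hop(relay, ka, kb, msg)
    hop_seen = relay.observed[-1]
    shared = secrets.token_bytes(32)   # assumption: agreed between the two devices, never sent to the relay
    e2e = deliver_e2e(relay, ka, kb, shared, msg)
    e2e_seen = relay.observed[-1]
    return {
        "hop_delivered": hop, "hop_server_saw": hop_seen,
        "e2e_delivered": e2e, "e2e_server_saw": e2e_seen,
        "e2e_server_could_decrypt": server_can_decrypt(relay, e2e_seen),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the hop-by-hop case `hop_server_saw` is the address in the clear, which is the position a media mixer is in. In the E2E case the relay only ever holds a blob it cannot open with any key it has, so a contractor with server access gets ciphertext. Note that `e2e_delivered` is still plaintext on Bob's device: as the earlier comment says, E2E moves the trust boundary to the endpoints, it does not remove it, and an endpoint that uploads "samples for quality" defeats the whole construction.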

Aha, I did not know that! On the plus side, you could set up your own server, having the guarantee.

Thanks, looks like this is: https://github.com/jitsi/jitsi-meet

I use Riot - matrix-based chat client, has group video calls, and also offers end-to-end encryption.

I may be misinformed, but when those Estonian programmers wrote Skype it was at the time both decentralised and encrypted by default. Is that not the case anymore? A pre-emptive apology if I remember the story incorrectly.

> I may be misinformed, but when those Estonian programmers wrote Skype it was at the time both decentralised and encrypted by default. Is that not the case anymore?

That is indeed not the case anymore, as per the PRISM program, which was leaked during the Snowden leaks of 2013.

From Wikipedia [1] the following three quotes:

"The documents identified several technology companies as participants in the PRISM program, including Microsoft in 2007, Yahoo! in 2008, Google in 2009, Facebook in 2009, Paltalk in 2009, YouTube in 2010, AOL in 2011, Skype in 2011 and Apple in 2012"

"Internal NSA presentation slides included in the various media disclosures show that the NSA could unilaterally access data and perform "extensive, in-depth surveillance on live communications and stored information" with examples including email, video and voice chat, videos, photos, voice-over-IP chats (such as Skype), file transfers, and social networking details."

"According to The Guardian, NSA had access to chats and emails on Hotmail.com and Skype because Microsoft had "developed a surveillance capability to deal" with the interception of chats, and "for Prism collection against Microsoft email services will be unaffected because Prism collects this data prior to encryption.""

Regarding that last quote, Wikipedia mentions these sources [2] [3] [4]

[1] https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%...

[2] https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...

[3] https://www.rt.com/usa/microsoft-nsa-snowden-leak-971/

[4] https://www.theguardian.com/us-news/the-nsa-files

I remember when Skype debuted and after only crackly POTS calls as a reference point, the clarity whilst speaking from the USA to a friend in Berlin was AMAZING. I am not sure of dates but at some point it started to decline not just in call quality but UI and everything really, I assume this is when it was sold but cannot be sure. I had hoped Wire would fill that void for me PLUS add encryption, since some original Skypers were involved, but it seems to be fading as well on the Personal side.

Switching from P2P to centralised servers might be when things went south. Quality got much worse then it seems. Nowadays Skype's totally lost most of its gamer/techie audience to Discord because they actually are aware of what their customers want.

"Some stuff I've heard could clearly be described as phone sex. I've heard people entering full addresses in Cortana commands, or asking Cortana to provide search returns on pornography queries. While I don't know exactly what one could do with this information, it seems odd to me that it isn't being handled in a more controlled environment," the contractor said.

I'm not sure how this is anything new. Phone company employees sometimes listened to phone calls. Unless your communication is encrypted somehow you have to assume that at least some employees of the service may have access (which is probably detailed somewhere in a user agreement).

Not surprised at all. I worked with DialogFlow (building a Google Assistant app) for a major retailer. I had easy access to everything that anyone had ever said while interacting with our app; we saved it all in Elasticsearch.

From the creators of Skype: Wire provides E2E encrypted text and high-quality audio, has an open-source server and client, does not mandate disclosure of phone number or contacts, and is moving towards the IETF MLS protocol for E2E encrypted messaging.

If only we had a network where end users could exchange data without a middleman.

Skype until relatively recently was a fully peer-to-peer end-to-end encrypted messaging (voice and text) platform; as part of Microsoft's purchase and development of the platform it was rebuilt as a centralised service.

I hope they hear me complaining about how poorly Skype works.

I remember a change to the ToS that said they might listen in for quality purposes... pretty sure I read it here on HN. Anyone remember that?

Gotta love Big Corp poetry with their "some", "a few", "a small number" verses.

Does Microsoft Teams piggyback off the Skype protocol and servers or is that a separate service?

when oh when will enough be enough

