A Belgian news outlet was able to identify people from their leaked Google Assistant and Home audio recordings

A Google Assistant billboard ad. (Wikimedia)

A Google contractor in Belgium has leaked 1,000 Google Assistant and Google Home audio clips to the news outlet VRТ. VRT has been able to identify the people in the recordings:

VRT NWS was able to listen to more than a thousand excerpts recorded via Google Assistant. In these recordings we could clearly hear addresses and other sensitive information. This made it easy for us to find the people involved and confront them with the audio recordings.

VRT claims that over 150 of the recordings were accidental, meaning that the person being recorded didn't invoke Google Assistant.

Google responded to VRT by acknowledging the practice of using contractors to review and improve its audio services:

In a reaction on the VRT's report, Google admits that it works with language experts worldwide to improve speech technology. "This happens by making transcripts of of a small number of audio files", Google's spokesman for Belgium says. He adds that "this work is of crucial importance to develop technologies sustaining products such as the Google Assistant." Google states that their language experts only judge "about 0.2 percent of all audio fragments". These are not linked to any personal or identifiable information, the company adds.

In a recent blog post, David Monsees, Googles Product Manager for Search, responded to the leak:

Language experts only review around 0.2 percent of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.

Whether this is in violation of EU's General Data Protection Regulation (GDPR) is unclear. In an interview with Wired, Michael Vale, a researcher at the Alan Turing Institute in London, stressed that Google Home's current privacy policy is not explicit enough:

The group of national data protection regulators in charge of applying GDPR has said companies must be transparent about data they collect and how it is processed. “You have to be very specific on what you’re implementing and how,” Veale says. “I think Google hasn’t done that because it would look creepy.”