Transcription Site Rev Leaves Customer Data Out in the Open
Gig workers warn that more than 40,000 transcribers could access private customer information, including job details
Gig workers for Rev, a popular on-demand transcription service, recently reported that the company was slashing their pay. Now, some freelancers are warning of a security issue involving customer data on Rev’s platform.
When customers submit audio to the service, it goes into a database that is accessible to all of Rev’s 40,000 transcribers (or “Revvers,” as the company calls them). The database that Revvers use to select or “claim” jobs, screenshots of which were viewed by OneZero, lists full names and business titles for customers and permits any transcriber to listen to an audio or video file, so long as it is unclaimed. Though the company touts its “strict customer confidentiality policy” and claims “your files are private and protected from unauthorized access,” the reality is that your audio is essentially up for grabs during its time spent in Rev’s database.
Until a shift in security policy last year, Revvers could also claim and download files, then “unclaim” and return them to the queue. In October 2018, Rev emailed freelancers, saying it was removing the option to download files “due to recent breaches of our confidentiality agreement and an overall effort to bolster our efforts to protect the data and privacy of our customers.” These breaches were not publicly announced.
“Over the course of millions of projects, issues have been rare,” a spokesperson for Rev told OneZero when reached about this. “We respond quickly and decisively to any reports of breach.” The spokesperson added that due to the nature of Rev’s business, “Revvers have access to client information as they transcribe the media files provided,” and the company trusts its freelancers to be discreet.
Rev is billed as a premium, human-performed transcription service that is quick and affordable. According to its website, the company has worked with more than 100,000 customers, including Google, Amazon, and NBC, and contracts with “the largest network of professional transcriptionists in the U.S.”
Several Rev freelancers told OneZero they were concerned about the company’s security, requesting anonymity for fear of violating Rev’s nondisclosure and confidentiality agreements.
Privacy experts say the platform needs significant restructuring to protect its users against malicious behavior, such as data scraping or the exploitation of personally identifiable information. “It’s not hard to find an automated means of scraping [Rev’s] files,” Jackie Singh, founder and CEO of Spyglass Security, a San Francisco-based cybersecurity advisory firm, told OneZero. “It doesn’t take a programming expert… If you’re interested in large text-based datasets, as would [be] any well-resourced government, transcription sites are certainly a target.”
Rev freelancers reached by OneZero say they have worked on recordings that contained personal information and trade secrets. Examples include “personal phone calls from inmates in at least one U.S. prison system,” according to one source. Another said they began a transcription of what seemed to be an unemployment compensation case. A third recalls an insurance company’s detailed conversation about a claims adjustment. Rev’s own blog includes a how-to for transcribing police body camera footage.
“They have some medical files,” one Revver says. “I’ve done interviews, too. My personal favorite [was when] a journalist recorded an interview with a prisoner in jail, using his name familiarly the entire time, and then saying that certain segments would be off-the-record or kept anonymous.”
Signing up to become a Rev freelancer requires only basic personal information and a grammar and transcription test. Rev does not require freelancers to undergo criminal background checks, as some other transcription companies do. The company advertises that it will accept or reject applicants within 48 hours, though reviews say it can take longer, and it’s unclear how Rev decides whether to reject a person. A spokesperson for Rev did not immediately respond to a request for comment about the company’s hiring process.
Because Rev touts its usefulness in legal and medical matters, its customers may assume that it has a more rigorous screening policy. Net Transcripts, a firm that specializes in police transcriptions, for instance, requires freelancers to complete an assessment, a background check, fingerprinting, and a scan of their driver’s license, and to procure an Employer Identification Number (EIN) for their business.
Rev notes in its FAQ that it is not compliant with HIPAA, a federal law that safeguards patient health information. Freelancers sign a confidentiality agreement, which OneZero reviewed, that prohibits them from contacting customers or talking about their work outside of Rev. The company also shows Revvers a monthly pop-up window, likewise reviewed by OneZero, which requires them to type, “I agree to the Confidentiality Agreement…” in order to proceed. The box states that violating these terms may subject a freelancer to legal action. Rev’s website also states that the company encrypts all of its customers’ recordings, and that “it would take a supercomputer 13.75 billion years to break this encryption and compromise our security.”
“Storing it in an encrypted way is good, but that doesn’t change the fact that a transcriptionist currently has far more access than needed,” Singh says.
Beyond listing identifying information for customers, which Rev says helps transcribers with spelling and attribution, some files are given topic icons such as an ambulance or courthouse. Transcribers may also favorite subjects and clients, and filter future jobs according to their preferences. Rev adds that it accounts for everyone who interacts with a file.
Rev has never announced a leak of customer data, and its FAQ states that customers can request their files be permanently deleted. Other transcription platforms — such as the medical transcription service MEDantex, which inadvertently exposed the patient records of thousands of physicians last year — have experienced breaches, however.
“It’s much simpler as a developer to build without consideration for gates between people and data stores,” Singh says, “but it’s becoming clear that companies who don’t invest in security will find themselves in difficult situations down the line.”
Update: An earlier version of this article incorrectly stated the location of Spyglass Security. It is based in San Francisco.