Seamless always-on voice control of our devices is the consistent indicator of a technologically advanced culture in TV shows and movies. From “The Jetsons” and “Star Trek” to “Ex Machina,” the demonstrated interactions and communications with computers showed us what a Utopian life with machines could be like. However, the reality of that vision means releasing more of our personal data to third parties.
Voice-enabled applications have reached a critical mass, as they are now essential components of all major computing platforms and literally in the hands of hundreds of millions of people through mobile devices. The technologies enabling voice interactions with our devices include:
>> Apple Siri.
>> Microsoft Cortana.
>> Amazon Echo and
Alexa.
In general, these technologies translate voice commands into something a device can interpret in the same way. First, the device is designed to begin recording audio when it is “woken up” by a signal, such as by pressing a button on a remote control or by a special voice command. For example, “Hey Siri,” “Hey Cortana” and “Alexa” wake up the Apple, Microsoft and Amazon devices respectively.
Once the device is activated to record audio, the user’s voice utterances are saved and, in most cases, transmitted to cloud data centers with the computing power to translate, execute the command and return the result. There are definite benefits and conveniences to voice-enabled features. However, there are some privacy and security concerns to consider.
>> How and when is your voice recorded? Any device that listens for a wake-up command to start recording audio essentially has its microphone on at all times.
>> What if the software managing the listening capability is compromised, and a hacker leverages that functionality to listen to your conversations? Software companies are implementing measures to protect against that, including the ability to verify the owner’s voice, and some data will not be accessible via voice command until the device is unlocked with password or fingerprint.
>> How much and where is voice data stored? The answer varies by service provider. Apple does not associate voice-command data with a user’s account. However, Amazon’s Alexa and Echo services maintain a history of a user’s voice and the translated text as part of the user’s account, so previous requests can be analyzed to improve service quality. Users can manually delete the history as they wish. These are two different approaches to balancing a superior voice-enabled service against privacy interests.
>> How long is it stored and what is it used for? Google’s policy on voice-enabled search simply states, “We keep utterances to improve our services, including to train the system to better recognize the correct search query.” Voice data that exist unnecessarily are always at risk of compromise. Creative hackers could figure out how to leverage voice data to commit fraud or other damaging, unauthorized acts. The technology is not perfect, and users must determine for themselves the level of personal risk — and whether that risk is worth the reward of convenience. We don’t buy cars without seat belts. What will our security requirements for voice-controlled services be before we’re comfortable using them in our daily lives?
Michael Miranda, director of information security at Hawaiian Telcom, holds current Global Information Assurance Certification (GIAC) and is a Systems and Network Auditor (GSNA), a Certified Intrusion Analyst (GCIA) and Certified Forensic Analyst (GCFA). Reach him at michael.miranda@hawaiiantel.com.
