Voice assistants (whether in smart speakers or in our phones or other devices) can help us accomplish many tasks very quickly with a simple voice command. The assistant listens for its ‘wake word’ and then records the following command and processes the action required (whether that be setting an alarm or ordering a takeaway, or any one of a wide range of ‘skills’ that can be purchased or programmed). However, various news reports over the last year have uncovered some controversial features and pointed to privacy concerns not only for device owners, but for visitors to homes or offices with those devices.
Firstly, in April 2019, Amazon confirmed that the recordings of the voice commands were reviewed by humans and not just by the voice recognition algorithm. This human review is used to check and improve the software, but it does mean that whatever is recorded could be overhead by an actual person. The risks that result from this became very clear in July 2019 when Google investigated the leak of over 1000 voice recordings by one of its human reviewers. These recordings included both the short excerpts that may be expected when giving commands to the device and, more worryingly, longer recordings where no ‘wake word’ had been heard. These longer recordings included whole conversations.
Some providers anonymise information before it is sent away from the device so that if it is listened to, it does not connect that information to the person that recorded it. However, this doesn’t guarantee that there is nothing identifiable on the recording. Whilst there may be options about how the data is used, it may not be possible to opt out of humans reviewing the recordings altogether.
The privacy and confidentiality implications of this are unclear. It is therefore perhaps not surprising that in October 2019, Google’s SVP, Devices and Services, Rick Osterloh, said he would tell visitors to his house that there was a smart speaker operating in the background.
Whilst it is up to each individual whether the potential privacy issues are outweighed by the benefits of the voice assistant, employers need to be aware of the risk that work conversations could be overheard and accidentally recorded, and indeed listened to by a human. This risk is triggered by having mobile phones present in meetings or just picking up sounds around them in the workplace, but also by smart speakers and other devices that may be in the homes of employees when they are working away from the office. The increase in jobs where employees can work from home mean this is an issue with ever increasing importance.
There is also a further risk that smart assistants can be affected by apps known as ‘smart spies’. An app that has been modified to provide extended listening, such as a horoscope or random number generation application. These apps are downloaded on to the device but then try to extract additional data from users, typically by continuing to listen and record even after the application has finished its stated interaction, or by prompting the user to say their password. Many smart speakers have a visual signal for when the device is listening and recording, so this may help the user identify any such apps but companies are improving the application on-boarding process to prevent similar apps from getting into their stores.
What do employers need to consider?
If all of this has led to you wanting to retrieve your old fashioned ‘dumb speaker’ from the back of the cupboard, don't panic, there are steps you can take to remain more in control of how the data is used.
- Ensure that your employees understand how and when voice assistants and smart speakers work so that they can be confident that confidential conversations are not being recorded because the device is either muted, disabled or is not listening at the relevant time.
- Encourage employees to review and delete what has been recorded by the device (albeit this is not a service offered by all providers).
- Introduce and keep updated sections of your IT and Home Working policies relating to smart speakers and voice assistants and keep your privacy policies updated to take account of these and other developments in technology.
- If employees use their own devices for work purposes, ensure you have adopted appropriate technical and organisational measures to ensure work communications are kept secure and confidential, and that you maintain a ‘bring your own device’ policy. Employees should also be made aware of the consequences of using their own devices for work matters, including situations where the employer may need the right to access information contained on an employee’s personal device.
- Keep employees updated about new types of scams and dangerous apps that could be used to extract data.
- Keep devices updated and ask if any new updates are available.
Technology undoubtedly has much to offer in terms of assisting individuals and employees, but the powers and weaknesses of these products need to be understood so that individuals and employers can protect their data. Whatever your view on this matter, now is a good time to commit to keeping on top of developments and continually address security measures to protect your data and confidential information, and that of your clients.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.