The Voice Privacy Problem
Voice-based technologies will continue to offer more individualized experiences as they better identify and differentiate users' voices. However, the threat to voice data privacy remains.
The tech companies’ collection and use of these vast amounts of voice data cause alarm for voice technology users. The security of voice data stored in the cloud also worries them.
Research shows that worldwide, 45% of smart speaker users are concerned about voice data privacy, and 42% worry about voice data hacking. In another survey, 59% of respondents said privacy is an important factor when using voice control devices.
In addition to the European Union’s (EU) General Data Privacy Regulations (GDPR) categorizing voice recordings as personal data and subject to protections, the European Digital Radio Alliance (EDRA) and the Association of European Radios (AER) have requested policymakers to apply the Digital Markets Act (DMA) regulation to voice assistants.
“A limited number of platform gatekeepers enjoy significant market power and can use this power to engage in anti-competitive practices such as self-preferencing, restricting access to data, using data from third-party services to develop their own services, and inserting publicity without permission,” a letter from EDRA and AER stated.
This article examines voice privacy concerns by consumers and enterprises and solutions to keeping voice data private and secure.
Risks of Voice Technology Use
Consumers and enterprises share a great deal of information with voice assistants, speech-to-text devices, and video and audio conferencing platforms.
Most voice recognition systems send and store recordings by users in the cloud to process and transmit responses back to the user. Many systems will also use this data to train algorithms to improve automatic speech recognition accuracy.
Some of the collected data may not be so critical to protect. But other information, such as classified company data or health and medical details recorded by a doctor's note-taking voice assistant, is considered sensitive.
Using cloud services in voice and language applications has significant disadvantages related to security, safety, and privacy concerns. Additionally, cloud-stored data is costly and can cause latency in data transmission from local apps and devices to the cloud and back.
The advanced developments in voice technology have brought more complexity and code, which has opened more avenues for hackers to break into devices and systems.
Voice data stored in the cloud poses risks where hackers can gain access, or the voice technology companies themselves may misuse it.
Once cybercriminals gain access to stored data on a device or cloud system, they can access recorded conversations and sensitive information. Additionally, criminals can use voice data used as a biometric identification factor against another person or organization.
Consumer Voice Privacy Issues
Voice-related information generated through voice recognition is biometric data that can identify a human being. This biometric information is personal information under various privacy and security laws.
Biometric data, when stored locally, may not pose a risk to user privacy. However, abuses can occur when the tech companies that offer voice recognition devices store this data in the cloud.
Case in point: Users filed thousands of complaints against Google, Amazon, and Apple for improperly recording and conducting analysis on voice recordings for targeted advertising or software improvement, which sometimes violates specific states’ wiretapping laws.
The voice data recorded reportedly involved working with these big corporations to analyze the voice snippets.
Some of these voice recordings also violated the EU’s GDPR.
Since then, Google suspended the transcriptions of recordings in Europe, and Apple apologized for allowing contractors to listen to voice recordings from Siri. In addition, Amazon removed its arbitration clause to allow users to sue the company for allowing its Alexa/Echo voice assistant to collect voice recordings improperly.
Google now sends emails to its Google Apps users with a link to opt-in for voice recordings to be saved. After complaints, Apple suspended its Siri voice grading program. But the company plans to relaunch it and give customers a choice to opt-in to have their voice recordings stored. Amazon now offers the option to delete voice recordings, but a user must actively log into the Alexa app or the Web platform to opt-out.
The Threat of Insecure Voice Data to Enterprises
Enterprise data is a privacy and safety priority, especially for confidential information. Therefore, it is essential to ensure competitors or other unwanted entities cannot access sensitive company information.
However, with COVID-19, which forced businesses and their employees worldwide to conduct most business online, voice data privacy reared its ugly head.
From video or audio conference offices and board meetings, where high-level exchanges of proprietary information occur, the possibility of sensitive voice recognition data stored and misused became a tremendous concern.
Zoom has been one of the most popular remote collaboration work tools since the pandemic hit. While it is not the only video conferencing platform available, its rapid user growth during shelter-in-place orders worldwide spurred controversies related to privacy and security.
According to Zoom CEO Eric Yuan, millions of people used the platform in several unexpected ways. It presented challenges they did not expect when they conceived the video conference platform in 2011, mainly for enterprises.
While Zoom purportedly offered end-to-end encryption, considered the most private and secure form of Internet communication, the company still had access to users’ video and audio recordings.
Contrary to its claim of end-to-end encryption, Zoom uses TLS encryption, which is used for most types of Internet connections. This type of encryption keeps audio and video private from anyone trying to access your information, but the company could still access Zoom meetings' encrypted video and audio content.
Besides tech companies having access to user content, cyber threats to the cloud allow criminals to access voice data stored by audio and video technology companies.
Smart voice assistants used by employees in a corporate environment can also pose risks. For example, many voice-enabled devices have a microphone that is always on, leaving room for accidental recordings sent to the cloud.
Another challenge to enterprises comes from the European Union’s GDPR, which implements strict rules regarding EU citizens’ personal data, including accidental or criminal breaches and loss.
While a company may focus on protecting traditional data, voice data also falls under the regulations. Violation of the GDPR rules can result in fines of up to 20 million euros ($23 million U.S.).
Is the Cloud Secure Enough?
Businesses have considered cloud computing specifically for its security benefits. However, there are several ways cybercriminals can attack cloud computing systems. Some of the most common cyber security threats to cloud computing include data breaches, insider threats, and hijacked accounts.
In data breaches, cybercriminals gain unauthorized access to view, copy, and transmit data, including voice data. Losing data could cause heavy penalties and the trust of customers.
Recent statistics show that 60% of data breaches are insider attacks from privileged IT users, managers with access to sensitive information, contractors and consultants, and employees. While fraud and monetary gain are the primary motivations of insider attacks, other threats to cloud-stored data come from human error or negligence.
Outside threats to enterprise data come from cybercriminals who can access a cloud computing system through a staff account or by cracking passwords and phishing emails.
In keeping up with the demand for technology, cyber security is the most critical challenge companies face. Once cybercriminals gain access to a system, they can steal sensitive information or completely paralyze a computing system.
Voice-related data stored in a central location poses considerable risks. Voice is a uniquely human characteristic that could be misused to reveal personal information, perform commercial transactions, or commit identity fraud.
Solving the Voice Privacy Problem
While the cloud offers many benefits, implementing security and other measures is essential to keeping user data private and secure.
Companies should use multifactor authentication instead of relying only on voice to avoid voice spoofing.
Another biometric can be used as a backup for identity verification. If the information is highly sensitive, enterprises should use several verification methods.
Following guidelines by the Voice Privacy Alliance can also help enterprises protect voice data.
For example, the VPA recommends that companies clearly state the purposes of voice data collection and allow opting out of sharing such information. The group also advises assigning personnel to oversee data privacy collection and monitoring.
Voice AI Comes Down from the Cloud to The Edge
While the previous recommendations are helpful, the ultimate solution may rely on recording and processing voice data locally or on the edge.
The edge refers to data processing closer to the devices where it’s collected rather than sending it to a central location thousands of miles away.
Besides addressing the latency issues with cloud processed data, it keeps the data more secure.
Google has been quietly working with local AI to speed up neural networks directly on IoT devices. However, industry proliferation of tiny processors will take time, despite high AI performance, and will not likely replace the cloud.
Amazon has recently taken it a step further with its latest generation of Echo products. Its smart speaker and display screens offer local recording of voice commands rather than sending the recordings to the cloud. The company claims it is the first technology company to provide this privacy-first option for smart speakers.
Kardome has developed a spatial voice technology that offers better speech recognition, identifies the speaker, and tracks users’ locations directly on edge devices. This technology will enable enterprises and private users to use voice-enabled devices without connectivity to the cloud. All voice data is processed locally and remains confidential.
Voice-based technologies will continue to offer more individualized experiences as they better identify and differentiate users' voices. However, the threat to voice privacy remains.
Computing voice commands locally, with on-the-edge Voice-AI, resolves any identity and other privacy risks. Service providers can eliminate privacy and compliance issues by not sending users’ voices to the cloud, which cybercriminals can use as a personal identifier.