Siri still a privacy worry, despite Apple spelling out policy

Antone Gonsalves
23 April, 2013
View more articles fromthe author

Apple has admitted that it keeps anonymous Siri data for two years, but that has not quelled fears about corporate data privacy

Apple’s Siri personal assistant in the iPhone and iPad remains a risk to businesses, despite the company’s disclosure that it anonymises voice clips and deletes the data within two years, experts say.

Without advocating a ban on the use of Siri for employees who bring their own mobile devices to work, experts say companies have to weigh the risks carefully.

“Organisations need to consider Siri within the broader context of their corporate security and compliance guidelines,” said Tyler Lessard, chief marketing officer for mobile security company Fixmo. “In short, there is no simple answer to suggest whether a company should, or should not, ban Siri.”

Apple told Wired magazine last week that it keeps Siri voice clips for up to two years. In addition, a random number is attached to the user, so the information is anonymised. The disclosure stemmed from an interview that followed an article in which Wired reported that parts of Siri’s privacy policy were ‘fuzzy’ and did not say how long the company kept the data.

Apple did not respond to CSO’s request for comment.

Siri has always been a concern for organisations, because voice clips from employees using the service in business-related tasks would be stored on Apple’s servers. Organisations have no way on their own to track or archive the data or to ensure it remains private.

In 2012, IBM banned employees from using Siri as part of a new set of bring-your-own-device (BYOD) policies. The company feared that conversations with Siri could include confidential information that should not be forwarded to Apple.
While draconian, Dimitri Sirota, co-founder and chief strategy officer for Layer 7, said IBM’s approach was the right one, once the company decided that Siri was out. “In an age of BYOD, the only sure fire way companies will be able to prevent leakage of confidential information is through policy and some kind of liability in case of deliberate leakage,” Sirota said.

In some ways, Siri is similar to other cloud services that people use for work, often without the knowledge of their employers. Such services would include web mail, social networks, such as LinkedIn, and document-sharing services, including Box, Dropbox and SugarSync.

While mobile device management software can limit how corporate applications use cloud services, including Siri, a clever employee can always find ways to work around this.

“For integrated services like Siri, the best policy is to verify the security policies of the cloud provider, but there will be no way around some level of trust,” Sirota said.

The number of companies that allow employees to use their own devices has jumped from 10 percent in 2008 to 80 percent last year, according to a survey by Aberdeen. Companies like the productivity benefits of mobile technology and the reduced cost of not having to buy the hardware.

However, organisations today are increasingly placing limits on their use on corporate networks, and are deploying technology to separate business data from personal information.

by Antone Gonsalves, CSO (US)

Leave a Comment

Please keep your comments friendly on the topic.

Contact us