February 7, 2017 By Diana Kelley 3 min read

Keyboarding is so last century. Whether we’re asking Amazon Echo how long it’ll take us to get to work, telling the TV to change channels or directing Siri summon a cab late on a Saturday night, voice control has made interacting with our devices a lot easier.

As with all tech advances, however, those benefits are balanced out by some cons, which include, first and foremost, personal privacy concerns. When voice control and the enterprise intersect, these concerns could have serious business impact.

Voice Privacy: A New Frontier

Since voice control is fairly new, there aren’t many known best practices for voice privacy. Although many well-known security concerns come into play, including the classic confidentially, integrity and availability (CIA) triumvirate, how to build and implement those controls in a voice-activated world is nontrivial.

Seeing a need for guidance, security industry thought leader Lynn Terwoerds founded the Executive Women’s Forum (EWF) Voice Privacy Alliance in 2016 to “provide industry with usable security and privacy guidance for voice enabled technology.”

“The Executive Women’s Forum began talking about this in 2015,” said Terwoerds, “and one thing we agreed on was the need for an industry voice of reason. The industry needs guardrails, but we can’t stymie innovation or add to the FUD (fear, uncertainty and doubt).”

The alliance has formed working groups in the following areas:

  • Voice Privacy Innovation Toolkit — Guidance and tools for developers to embed security and privacy principles into products early in the development life cycle;
  • Consumer Awareness — Educate customers in language that is accessible and clear to help them make informed decisions about voice-enabled technologies; and
  • Legal Working Group — Address legal and policy concerns with voice-enabled technology, focusing on potential legal challenges, policy and regulation.

Developer Innovation Toolkit

At Black Hat USA in August 2016, the alliance released the first version of the “Developer Innovation Toolkit for Voice Enabled Tech,” a series of Agile security stories that help builders of voice-activated technology understand unique security considerations and innovate ways to build in protections. Companies are encouraged to bring the toolkit in house and customize it for their own development environments and needs.

“I feel strongly that the developer toolkit sends a clear message to industry that the Voice Privacy Alliance will help build solutions and not just point out problems from a distance,” said Terwoerds. “We’ve received great feedback and we’re very pleased to see an appetite for practical, hands-on guidance.”

Already the document has shown how useful the guidance can be. According to Security Story No. 42, for example, consumers “don’t want to bring devices into their homes which can communicate with them and potentially their children in inappropriate ways.” It advises developers to create “use case scenarios where certain input causes inappropriate system response” to prevent misuse and unwanted responses.

Modeling misuse cases according to the toolkit may have helped prevent the Alexa dollhouse purchasing incident and the very NSFW response a toddler received from an Echo device late last year.

Are You Listening?

Terwoerds encouraged “everyone who works in the areas of cybersecurity and privacy to think seriously about the privilege and significance of giving back through industry groups. It’s vital that those of us with hands-on experience interact and exchange ideas. Please lend your voice to the Voice Privacy Alliance.”

Interested in having a voice in voice privacy? Please join Terwoerds, Jim Routh and me at RSA 2017 for our panel discussion, “Voice Privacy in the Enterprise: Are You Listening?” Even if you aren’t going to RSA, you can still get involved as a volunteer! Read more about the Voice Privacy Alliance or send an email to [email protected] for more information.

Reserve a seat in the Feb. 15 RSA session to learn more

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today