Keyboarding is so last century. Whether we’re asking Amazon Echo how long it’ll take us to get to work, telling the TV to change channels or directing Siri summon a cab late on a Saturday night, voice control has made interacting with our devices a lot easier.

As with all tech advances, however, those benefits are balanced out by some cons, which include, first and foremost, personal privacy concerns. When voice control and the enterprise intersect, these concerns could have serious business impact.

Voice Privacy: A New Frontier

Since voice control is fairly new, there aren’t many known best practices for voice privacy. Although many well-known security concerns come into play, including the classic confidentially, integrity and availability (CIA) triumvirate, how to build and implement those controls in a voice-activated world is nontrivial.

Seeing a need for guidance, security industry thought leader Lynn Terwoerds founded the Executive Women’s Forum (EWF) Voice Privacy Alliance in 2016 to “provide industry with usable security and privacy guidance for voice enabled technology.”

“The Executive Women’s Forum began talking about this in 2015,” said Terwoerds, “and one thing we agreed on was the need for an industry voice of reason. The industry needs guardrails, but we can’t stymie innovation or add to the FUD (fear, uncertainty and doubt).”

The alliance has formed working groups in the following areas:

  • Voice Privacy Innovation Toolkit — Guidance and tools for developers to embed security and privacy principles into products early in the development life cycle;
  • Consumer Awareness — Educate customers in language that is accessible and clear to help them make informed decisions about voice-enabled technologies; and
  • Legal Working Group — Address legal and policy concerns with voice-enabled technology, focusing on potential legal challenges, policy and regulation.

Developer Innovation Toolkit

At Black Hat USA in August 2016, the alliance released the first version of the “Developer Innovation Toolkit for Voice Enabled Tech,” a series of Agile security stories that help builders of voice-activated technology understand unique security considerations and innovate ways to build in protections. Companies are encouraged to bring the toolkit in house and customize it for their own development environments and needs.

“I feel strongly that the developer toolkit sends a clear message to industry that the Voice Privacy Alliance will help build solutions and not just point out problems from a distance,” said Terwoerds. “We’ve received great feedback and we’re very pleased to see an appetite for practical, hands-on guidance.”

Already the document has shown how useful the guidance can be. According to Security Story No. 42, for example, consumers “don’t want to bring devices into their homes which can communicate with them and potentially their children in inappropriate ways.” It advises developers to create “use case scenarios where certain input causes inappropriate system response” to prevent misuse and unwanted responses.

Modeling misuse cases according to the toolkit may have helped prevent the Alexa dollhouse purchasing incident and the very NSFW response a toddler received from an Echo device late last year.

Are You Listening?

Terwoerds encouraged “everyone who works in the areas of cybersecurity and privacy to think seriously about the privilege and significance of giving back through industry groups. It’s vital that those of us with hands-on experience interact and exchange ideas. Please lend your voice to the Voice Privacy Alliance.”

Interested in having a voice in voice privacy? Please join Terwoerds, Jim Routh and me at RSA 2017 for our panel discussion, “Voice Privacy in the Enterprise: Are You Listening?” Even if you aren’t going to RSA, you can still get involved as a volunteer! Read more about the Voice Privacy Alliance or send an email to [email protected] for more information.

Reserve a seat in the Feb. 15 RSA session to learn more

more from Intelligence & Analytics

CISA Certification: What You Need to Know

The globally-recognized Certified Information Systems Auditor (CISA) certification shows knowledge of IT and auditing, security, governance, control and assurance to assess potential threats. As you can imagine, it’s very much in demand. It can also be confusing.  Is CISA Certification Related to the Cybersecurity and Infrastructure Security Agency? CISA, the certification, is related to CISA, the federal agency, right?  Wrong.…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…