Siri still a privacy worry despite Apple spelling out policy

Apple's Siri personal assistant in the iPhone and iPad remains a risk to businesses, despite the company's disclosure that it anonymizes voice clips and deletes the data within two years, experts say.

Without advocating a ban on the use of Siri for employees who bring their own mobile devices to work, experts say companies have to weigh the risks carefully.

"Organizations need to consider Siri within the broader context of their corporate security and compliance guidelines," said Tyler Lessard, chief marketing officer for mobile security company Fixmo. "In short, there is no simple answer to suggest whether a company should, or should not, ban Siri."

Apple told Wired last week that it keeps Siri voice clips for up to two years. In addition, a random number is attached to the user, so the information is anonymized. The disclosure stemmed from an interview that followed an article in which Wired reported that parts of Siri's privacy policy were "fuzzy," and did not say how long the company kept the data.

Apple did not respond to CSO's request for comment.

Siri has always been a concern for organizations, because voice clips from employees using the service in business-related tasks would be stored on Apple's servers. Organizations have no way on their own to track or archive the data or to ensure it remains private.

In 2012, IBM banned employees from using Siri as part of a new set of bring-your-own-device (BYOD) policies. The company feared that conversations with Siri could include confidential information that should not be forwarded to Apple.

While draconian, Dimitri Sirota, co-founder and chief strategy officer for Layer 7, said IBM's approach was the right one, once the company decided that Siri was out. "In an age of BYOD, the only sure fire way companies will be able to prevent leakage of confidential information is through policy and some kind of liability in case of deliberate leakage," Sirota said.

In some ways, Siri is similar to other cloud services that people use for work, oftentimes without the knowledge of their employers. Such services would include Web mail, social networks, such as LinkedIn, and document-sharing services, including Box, Dropbox and SugarSync.

[Also see: Avoiding basic BYOD blunders]

While mobile device management software can limit how corporate applications use cloud services, including Siri, a clever employee can always find workarounds.

"For integrated services like Siri, the best policy is to verify the security policies of the cloud provider, but there will be no way around some level of trust," Sirota said.

The number of companies that allow employees to use their own devices has jumped from 10% in 2008 to 80% last year, according to a survey by Aberdeen. Companies like the productivity benefits of mobile technology and the reduced cost of not having to buy the hardware.

However, organizations today are increasingly placing limits on their use on corporate networks, and are deploying technology to separate business data from personal information.

Read more about data privacy in CSOonline's Data Privacy section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsdata privacyFixmosoftwareIT managementdata protectionData Protection | Data PrivacySiriconsumerization of ITBYODApple

More about AppleApple.CSODropboxIBM AustraliaSugarSync

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts