Siri still a privacy worry despite Apple spelling out policy

Apple's Siri personal assistant in the iPhone and iPad remains a risk to businesses, despite the company's disclosure that it anonymizes voice clips and deletes the data within two years, experts say.

Without advocating a ban on the use of Siri for employees who bring their own mobile devices to work, experts say companies have to weigh the risks carefully.

"Organizations need to consider Siri within the broader context of their corporate security and compliance guidelines," said Tyler Lessard, chief marketing officer for mobile security company Fixmo. "In short, there is no simple answer to suggest whether a company should, or should not, ban Siri."

Apple told Wired last week that it keeps Siri voice clips for up to two years. In addition, a random number is attached to the user, so the information is anonymized. The disclosure stemmed from an interview that followed an article in which Wired reported that parts of Siri's privacy policy were "fuzzy," and did not say how long the company kept the data.

Apple did not respond to CSO's request for comment.

Siri has always been a concern for organizations, because voice clips from employees using the service in business-related tasks would be stored on Apple's servers. Organizations have no way on their own to track or archive the data or to ensure it remains private.

In 2012, IBM banned employees from using Siri as part of a new set of bring-your-own-device (BYOD) policies. The company feared that conversations with Siri could include confidential information that should not be forwarded to Apple.

While draconian, Dimitri Sirota, co-founder and chief strategy officer for Layer 7, said IBM's approach was the right one, once the company decided that Siri was out. "In an age of BYOD, the only sure fire way companies will be able to prevent leakage of confidential information is through policy and some kind of liability in case of deliberate leakage," Sirota said.

In some ways, Siri is similar to other cloud services that people use for work, oftentimes without the knowledge of their employers. Such services would include Web mail, social networks, such as LinkedIn, and document-sharing services, including Box, Dropbox and SugarSync.

[Also see: Avoiding basic BYOD blunders]

While mobile device management software can limit how corporate applications use cloud services, including Siri, a clever employee can always find workarounds.

"For integrated services like Siri, the best policy is to verify the security policies of the cloud provider, but there will be no way around some level of trust," Sirota said.

The number of companies that allow employees to use their own devices has jumped from 10% in 2008 to 80% last year, according to a survey by Aberdeen. Companies like the productivity benefits of mobile technology and the reduced cost of not having to buy the hardware.

However, organizations today are increasingly placing limits on their use on corporate networks, and are deploying technology to separate business data from personal information.

Read more about data privacy in CSOonline's Data Privacy section.

Tags: applications, Fixmo, data privacy, software, data protection, IT management, Siri, Data Protection | Data Privacy, BYOD, consumerization of IT, Apple

Confirmed: hackers can use Heartbleed to steal private SSL keys

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Sophos SafeGuard Enterprise

Your central key for data protection

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.