Should Internal Auditors Worry About Digital Spies in Our Midst?
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA | Aug 19, 2019
During one of the lighter moments of a recent meeting at IIA Global Headquarters, the following joke was shared:
Wife to husband: "Why are you always whispering in the house?"
Husband: "Because I'm afraid the government is listening."
Wife laughs. Husband laughs. Alexa laughs. Siri laughs.
I'm certain this joke is making the rounds, from boardrooms to bedrooms and across social media. But, as with many topics we joke about, the heart of the subject is not a laughing matter.
According to U.K.-based Juniper Research, there were 2.5 billion digital voice assistants, such as Alexa, Siri, and Google Assistant, in use as of the end of 2018. That figure is expected to triple to 8 billion by 2023. This means billions of people around the world already have — knowingly or not — traded in a bit of their privacy for convenience.
My first exposure to the power of these transformational tools occurred shortly after we added an Alexa in our house. We were all gathered around shouting commands to Alexa, to which she dutifully responded. Finally, my 3-year-old grandson shouted "Alexa — I want a Bumblebee." We all laughed. A short time later, I received a message from Amazon that a Bumblebee toy was on its way!
Digital assistants rely on passive listening technology that triggers or "wakes" the device once a recognized command is spoken, such as "Hey Siri." That means the device is always listening for those trigger phrases or commands. This raises a host of questions related to what these assistants may be hearing — and recording.
From a risk management perspective, organizations should understand what risks are associated with these "always on" devices. Digital assistants are not likely to become standard office equipment, though some employees have begun bringing them to work. There is also little doubt that employee mobile phones are passively listening all the time. Does Alexa or Siri in the workplace leave a company vulnerable to corporate espionage, cyberattacks, or even extortion? Could hackers design malware to surreptitiously engage and intercept a digital assistant and listen in on a corporate executive's life?
While that may seem far-fetched, the point is that there is limited information available to make an assessment of the associated risks.
Companies that offer digital assistant services, including Apple, Google, and Amazon, are among the largest in the world. And they invest heavily in advanced technologies designed to improve the customer experience. But at what cost?
According to privacy advocate Consumer Watchdog, patent applications describe an algorithm that would allow future versions of Amazon's Alexa to monitor conversations and target the speaker for advertising based on what was said. That raises significant ethical questions.
Earlier this year, Amazon provided a glimpse into its practices in response to questions from a member of the U.S. Senate. Amazon confirmed that its Alexa-enabled devices store user recordings indefinitely until customers choose to delete them. Amazon also explained it uses transcripts and recordings of customer conversations with Alexa to help improve the service's voice-recognition capabilities. And it shares records of Alexa's interactions with third-party service providers that may be contacted through Alexa, such as Uber or Domino's Pizza.
Amazon did confirm that Alexa stops the stream of information it is collecting "immediately once the user ends the conversation or if Alexa detects silence or speech that isn't intended for Alexa."
"We use the customer data we collect to provide Alexa service and improve the customer experience, and our customers know that their personal information is safe with us," according to the letter from Amazon's vice president of public policy.
But in light of the number of breaches of other high-profile companies, such as Yahoo, Equifax, and Capital One, Amazon's promise of safety is not reassuring.
It would be naïve to believe that the makers of digital assistants are the only service providers collecting and leveraging customer data. But an incident from 2012 provides an example of just how powerful such information can be.
A popular American retailer was widely criticized after a New York Times article exposed its practice of collecting and analyzing customer purchase histories to assign "pregnancy prediction" scores. The company's research indicated expectant mothers were more likely to become loyal customers if they were hooked early in their pregnancies.
The article related just how accurate the pregnancy prediction scores proved to be. One father confronted a store manager demanding to know why his 16-year-old daughter was receiving coupons related to pregnancy products — only to learn later that the teen was, indeed, pregnant.
At that time, Siri was the only digital assistant on the market. Since then, Alexa (Amazon), Alice (Russia), AliGenie (China), Bixby (Samsung), Clova (Android, iOS), Cortana (Windows), Google Now, Google Assistant, and Mycroft (Linux) have joined the always-listening virtual assistant market.
Data-driven new technology is a permanent feature in the modern economy. Internal audit must remain informed and vigilant as to how these new tools and technology will impact privacy, data protection, and risk.
As always, I look forward to your comments.