Was IBM Right? Is Siri A Threat To Businesses? [Feature]

IBM bans Siri use on the iPhones of its employees

Apple has gotten a fair amount of flak over Siri – most of it relating to Siri not recognizing words or phrases, misinterpreting requests, or providing incomplete or inaccurate answers. Apple is even facing a class action lawsuit over Siri not working as promised by iPhone 4S ads.

For IBM, however, the concern isn’t that Siri won’t work as advertised. Big Blue is worried that Siri will work exactly as advertised and that confidential and sensitive information will leak outside IBM’s network as a result. For those reasons, the company disables Siri on the iPhones of its employees.

IBM has a very active BYOD program in which thousands of its employees are encouraged to use their iPhones, iPads, Android handsets, and other devices. Around 80,000 of the company’s workers have signed onto the BYOD program and the program is intended to reach all 440,000 IBM staffers at some point.

As we reported in March, IBM is particularly strict about its BYOD program. The company blocks access to any cloud services (including iCloud and Dropbox) other than its internal MyMobileHub cloud. Users are also told that their devices will be completely wiped when they leave the company regardless of whether they’re fired, laid off, quit, or retire – an interesting point of irony given that IBM’s mobile management software is designed to allow selective wipe of business data on a device while leaving personal content untouched.

When it comes to Siri, IBM leverages the mobile device management (MDM) framework that Apple has built into iOS to disable Siri on every iPhone 4S. The move is consistent with blocking mobile devices from accessing non-IBM networks and cloud services.
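An added example (not from the article or from IBM) of how an administrator could check that a configuration profile actually carries these restrictions. It assumes an unsigned `.mobileconfig` XML plist and uses key names from Apple's Restrictions payload (`com.apple.applicationaccess`); the article does not say which keys IBM sets, and the sample profile is constructed.

```python
import plistlib

# Restriction keys from Apple's Restrictions payload. Each defaults to True
# (feature allowed) when the key is absent from the profile.
WATCHED = {
    "allowAssistant": "Siri",
    "allowDictation": "keyboard dictation",
    "allowCloudBackup": "iCloud backup",
    "allowCloudDocumentSync": "iCloud document sync",
}

def audit_profile(profile_bytes):
    """Return {feature: allowed?} for an unsigned .mobileconfig (XML plist)."""
    profile = plistlib.loads(profile_bytes)
    allowed = {key: True for key in WATCHED}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # Wi-Fi, VPN, mail payloads etc. carry no restrictions
        for key in WATCHED:
            # This audit treats any explicit false as blocking the feature;
            # a missing key or an explicit true leaves it allowed.
            if payload.get(key) is False:
                allowed[key] = False
    return {WATCHED[key]: state for key, state in allowed.items()}

# Constructed sample: blocks Siri and iCloud backup, but leaves dictation
# and iCloud document sync at their permissive defaults.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.byod",  # hypothetical identifier
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
        {"PayloadType": "com.apple.applicationaccess",
         "allowAssistant": False, "allowCloudBackup": False},
    ],
})

if __name__ == "__main__":
    for feature, ok in audit_profile(SAMPLE).items():
        print(f"{feature}: {'ALLOWED' if ok else 'blocked'}")
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped before `plistlib` can read them.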

IBM’s fear is centered around the fact that Siri is a cloud-based and crowd-sourced solution. The iPhone 4S sends voice data to Apple for speech recognition and interpretation (the new iPad does the same with its Siri-like dictation feature). Siri also requires access to personal information on an iPhone 4S like contacts and the relationships between an iPhone 4S user and his or her contacts. Siri also gets access to your location data. That’s a lot of information being sent to Apple’s servers – servers that IBM has no control over.

That means that it’s quite possible that an IBM employee using an iPhone 4S might speak sensitive information while using Siri – composing an email or message to coworkers, adding or rearranging meetings and events, setting reminders, and using location services to find specific businesses and get directions are all common tasks that could reference or contain sensitive information. If Siri is set to activate by raising the phone to your face, it can unintentionally activate, record a snippet of conversation, and try to interpret it.

A bigger concern is Siri-related dictation, which can be used in most apps that support text input. The chances of sensitive information being gleaned by asking Siri to move a meeting, send a text, or add a reminder are pretty small. Someone dictating text into a productivity app like Pages or Quickoffice or even into an internal line of business app is much more likely to mention some sensitive information.

Beyond data reaching Apple’s servers, the question is one of data retention. Apple’s terms do indicate that the company may retain some Siri queries as a crowd-sourcing mechanism but will anonymize them if it does.

That means that it is possible that Siri or iOS dictation could lead to sensitive information being stored in an Apple data center. And it isn’t beyond the realm of possibility that such information could be extracted. Is it likely that Apple or someone within Apple could search out that information, analyze it, and use it as actionable data – publish it, commit a crime, use it as insider information against IBM? Probably not. The chain of events would be pretty dramatic and probably very difficult to pull off effectively – but that series of events is theoretically possible.

Perhaps the biggest privacy concern around Siri isn’t a technical one. It’s the behavior of the person using Siri. If you’re dictating an email, rearranging your schedule, or setting reminders using Siri, you’re speaking and can be overheard. If you listen to the interactions people have with Siri, there are subtle differences in speaking rhythm and phrasing from what’s typical of most conversations. Even if you don’t hear Siri’s signature beep or responses because someone’s using a headset, you can usually tell that that person is talking to Siri or a similar service. That opens up the possibility that someone on the train with you, behind you in a coffee shop, or next to you in a company cafeteria will overhear details that you might not share in a real conversation.

Is IBM being overcautious when it comes to Siri? To some extent. That isn’t really a surprise given the lengths the company is going to in preventing data leaks in other areas of its BYOD requirements. Does every business need to disable Siri? Probably not, but ensuring that everyone understands the concerns around Siri and dictation is a good idea for any company. As with many mobile and cloud technologies, companies in regulated industries like healthcare and finance should follow IBM’s lead and err on the side of caution unless a technology can be shown to comply with regional or national privacy regulations.

  • joewaylo

    I think it’s warranted but not limited to Apple. Given that you would use an iPad 3 or 4S and use Siri or Dictation to write a memo to your official business members, you would use third party software not on your official business servers as well.

    For example, if IBM has dictation, you would be sending your dictation to IBM’s servers. Nuance, Dragon, VLingo, Google, Palm, and more send your dictations to each party’s servers, translate them to text, then send them back to you. Who’s to say they don’t store your dictations on their servers?

  • jfalkingham

    This pretty much holds true with most ‘free’ services. The part I get is that you really can’t trust what is happening with the data once it’s left the device to be analyzed; however, is this really different than email? We put more controls on systems and no matter what we do to protect, there is always a common weak spot, ourselves. Do we know better than to send confidential data in an email outside of the company? I think so, but a user can type away, hit send and you’ve lost control. What about a text message, or sharing of a file? This feels like the early days of instant messaging, what happens to the data in the message? Does the server keep a copy? Companies blocked the service, and slowly, the blocks were removed and we moved forward. I know it is still common practice to block in certain industries, but not like it was when AIM was all the rage.

About the author

Ryan Faas is a technology journalist and consultant living in upstate New York who has written extensively about Apple, business and enterprise IT, and the mobile industry. In addition to writing for Cult of Mac, he is a contributor to Computerworld, InformIT, and Peachpit Press. In a previous existence he was a healthcare IT director as well as a systems and network administrator. Follow Ryan on Twitter and Google+.