
Voice assistants, such as Amazon Alexa, Google Assistant, and Apple Siri, have become increasingly popular, offering convenient hands-free control over various tasks. However, the rise of these technologies raises significant privacy concerns for faculty and staff at UBC.
Data Collection Practices of Voice Assistants
Voice assistants operate by continuously listening for trigger words or phrases, such as "Hey Siri" or "OK Google." This "always-on" functionality raises concerns about the potential for unintended data collection. While voice AI companies claim that audio data is transmitted only after a wake word is detected, there have been instances where audio snippets were accidentally recorded and leaked. This underscores the risk of sensitive conversations being captured without users' knowledge or consent.
Beyond voice recordings, voice AI systems gather a wide range of personal information, including:
- Usage patterns
- User preferences
- Location data
This data can be used to create detailed user profiles, which may be exploited for targeted advertising or other commercial purposes without explicit consent. Such practices raise questions about the transparency and ethical implications of voice AI data collection.
Security Vulnerabilities and Potential Risks
The interconnected nature of voice assistants and other smart devices creates a network known as the Internet of Things (IoT). While convenient, this connectivity introduces security vulnerabilities, making these devices potential targets for cyberattacks.
Threat actors can exploit vulnerabilities in digital assistants to:
- Access personal information and conversation history
- Eavesdrop on sensitive conversations
- Gain access to other IoT devices on the network, potentially compromising security systems or other connected devices
Attack methods include "dolphin attacks," which use inaudible ultrasonic frequencies to trigger recording features, and malware that infects devices through disguised downloads.
UBC Policies and Guidelines for IoT Devices
UBC's Information Security Standard U11 specifically addresses the security of IoT devices, including voice assistants. The standard emphasizes a risk-based approach, requiring users to assess the potential risks associated with these devices and take appropriate security measures.
Key considerations include:
- The type of information collected, accessed, or stored by the device
- The devices and systems connected to the IoT device
- The physical location of the device
Specific guidelines for mitigating risks associated with voice assistants at UBC:
- Minimizing data capture: Faculty and staff are encouraged to configure voice assistants to capture the least amount of data required for their operation, for example by limiting the field of view of connected cameras or disabling audio recording when not needed.
- Secure physical storage: Unattended IoT devices, including voice assistants, should be stored in a secured location, such as a locked room or cabinet, to prevent unauthorized access or theft.
- Strong passwords and authentication: Using strong passwords and enabling multi-factor authentication are essential to prevent unauthorized access to voice assistants and associated accounts.
- Regular updates and patching: Keeping the operating system, firmware, and software of voice assistants up to date is crucial to address security vulnerabilities.
- Network security: Connecting voice assistants to a secure network or isolating them on a guest network can reduce security risks.
- Data destruction upon decommissioning: Before discarding or repurposing voice assistants, faculty and staff must ensure the destruction or sanitization of any UBC Electronic Information stored on the device.
Recommendations for Faculty and Staff
To mitigate privacy risks associated with voice assistants, faculty and staff at UBC should:
- Review and adjust privacy settings: Carefully review and customize privacy settings to limit data collection and sharing.
- Be mindful of sensitive information: Avoid discussing confidential or sensitive information within the range of voice assistants.
- Consider alternatives for sensitive tasks: Refrain from using voice assistants for tasks involving personal or highly confidential information.
- Stay informed: Stay updated on privacy and security best practices and any changes to UBC's policies regarding IoT devices by joining the Privacy Matters Champions Network.
Voice assistants offer convenience, but they also pose significant privacy risks. By understanding these risks and following UBC's guidelines and legal requirements, faculty and staff can mitigate potential threats and utilize these technologies responsibly.