Siri still a privacy worry despite Apple spelling out policy

Apple’s Siri personal assistant in the iPhone and iPad remains a risk to businesses, despite the company’s disclosure that it anonymizes voice clips and deletes the data within two years, experts say.

Without advocating a ban on the use of Siri for employees who bring their own mobile devices to work, experts say companies have to weigh the risks carefully.

“Organizations need to consider Siri within the broader context of their corporate security and compliance guidelines,” said Tyler Lessard, chief marketing officer for mobile security company Fixmo. “In short, there is no simple answer to suggest whether a company should, or should not, ban Siri.”

Apple told Wired last week that it keeps Siri voice clips for up to two years. In addition, a random number is attached to the user, so the information is anonymized. The disclosure stemmed from an interview that followed an article in which Wired reported that parts of Siri’s privacy policy were “fuzzy,” and did not say how long the company kept the data.

Apple did not respond to CSO‘s request for comment.

Siri has always been a concern for organizations, because voice clips from employees using the service in business-related tasks would be stored on Apple’s servers. Organizations have no way on their own to track or archive the data or to ensure it remains private.

In 2012, IBM banned employees from using Siri as part of a new set of bring-your-own-device (BYOD) policies. The company feared that conversations with Siri could include confidential information that should not be forwarded to Apple.

While draconian, Dimitri Sirota, co-founder and chief strategy officer for Layer 7, said IBM’s approach was the right one, once the company decided that Siri was out. “In an age of BYOD, the only sure fire way companies will be able to prevent leakage of confidential information is through policy and some kind of liability in case of deliberate leakage,” Sirota said.

In some ways, Siri is similar to other cloud services that people use for work, oftentimes without the knowledge of their employers. Such services would include Web mail, social networks, such as LinkedIn, and document-sharing services, including Box, Dropbox and SugarSync.

[Also see: Avoiding basic BYOD blunders]

While mobile device management software can limit how corporate applications use cloud services, including Siri, a clever employee can always find workarounds.

“For integrated services like Siri, the best policy is to verify the security policies of the cloud provider, but there will be no way around some level of trust,” Sirota said.

The number of companies that allow employees to use their own devices has jumped from 10% in 2008 to 80% last year, according to a survey by Aberdeen. Companies like the productivity benefits of mobile technology and the reduced cost of not having to buy the hardware.

However, organizations today are increasingly placing limits on their use on corporate networks, and are deploying technology to separate business data from personal information.