Voice Privacy Guiding Principles

Document Purpose

This document describes aspects of voice data privacy which can be used to develop industry guiding principles and stimulate discussion topics for further consideration and work.

Summary

An individual’s voice is part of their person and as such there are both great opportunities and risks. Voice privacy considerations could be clearly described as guiding principles with associated corollaries. Each of these could also be linked to a specific phase of a voice data lifecycle, with certain principles applying to all phases. As a rule, it seems that individuals should have sovereignty over their own voice data and that entities need to consider that voice conveys much more information than traditional data. Voice can be used as a biometric. Therefore voice privacy cannot be treated the same as data privacy.

Background Information

A person’s voice is individual and is an essential physical characteristic. In contrast, data entered via keyboard is an abstraction, one layer removed from the person. For example, a password is an abstraction and not a physical characteristic of a person - and we all know how well passwords are working. There is a fundamental difference between data which can merely be associated with people or entities and voice data which is inextricably part of a single person. Voice is a unique physical characteristic and as such can be used as a biometric. Voice can also have attributes that conventional data does not. Some of these attributes include:

  • Timbre (tone)
  • Emotion (ululation)
  • Volume, projection
  • Language
  • Regional dialect
  • Accentuation and pitch (e.g., English = stress accentuation, Chinese = tonal pitch)
  • Environmental (background noise, location, acoustics)
  • Speed/pace
  • Resonance area (e.g., chest, nasal)
  • Physiological (vocal cords, physical aspects such as a stutter or lisp)
  • Other influences on voice – voice change in boys during puberty, disease/sickness, mental state such as intoxication
  • Inability to speak but capable of expression through breathing or other non-linguistic sounds

The characteristics and distinctions are important because the opportunities and privacy/security risks associated with voice data differ significantly from traditional data. Before examining guiding principles, let’s consider some underlying assumptions.

Guiding Risk Assumptions

  • Voice enabled technology has the potential to enable individuals, companies and society in new and innovative ways
  • Everyone has individual sovereignty over their own voice
  • Voice has more characteristics than data; therefore data privacy is not necessarily voice privacy. For example, characteristics of voice should never be used to discriminate against an individual.
  • All privacy and security controls must consider that voice can be used to authenticate a person, both locally and remotely
  • Governing bodies won’t be able to stay current with the pace of technology
  • We can’t regulate ourselves out of risk; (keep it positive) as an industry we can enable and innovate into the space and solve these problems ourselves, and we should do so ahead of governing bodies

Draft Guiding Principles

  • State Purpose / Notice
      ◦ Entities should clearly and simply state the purpose of the collection of voice data. This transparency builds consumer trust and is the basis for Entity accountability.
      ◦ The Stated Purpose should indicate that Consumers have the right to control their voice data throughout the entire lifecycle.
  • Choice & Consent
      ◦ Entities should give Consumers the choice to Opt In first. This is a way for Consumers to know what they are signing up for; if they need to think about what they are signing up for, that is better. Entities should then also give the choice to Opt Out at any stage of the voice data lifecycle.
      ◦ Informed consent terms should be written clearly and simply enough that Consumers understand the collection, use, security, distribution (internal and 3rd party), retention, and destruction of their voice data.
      ◦ Informed consent terms should describe the process to correct inaccuracies (e.g., incorrect association). There should be informed consent (implicit or explicit) when terms of use change at any stage of the lifecycle [legal, fair use]. (Informed consent terms may differ at different stages.)
  • Awareness & Training
      ◦ Entities should provide Voice Data Privacy Awareness to inform the public (e.g., add privacy information to the owner’s manual).
      ◦ Entities should provide Voice Data Privacy Awareness & Training to their staff.
  • Collection, Use & Distribution
      ◦ Entities should limit the collection of voice data to the minimum necessary.
      ◦ Consumers should be able to control the persistence of their voice data and voice metadata (data remanence). [use]
      ◦ Consumers should have rights before voice data is transmitted across jurisdictional boundaries, and should be able to know the geographic location of their voice data. [distribution]
      ◦ Integration, correlation and analysis of voice data should conform to the stated purpose, and Entities should make clear when voice data passes to third parties and/or is used outside the purpose that was stated when the voice data was first collected and informed consent was given.
      ◦ Entities that use voice data and associated metadata will be transparent, ethical, and will only use it within the limits of the applicable law.
      ◦ The rights of Consumers with disabilities should not be diminished when they leverage voice to communicate with devices. [ethics]
      ◦ Entities may only evaluate voice data in ways in which Consumers or groups of like Consumers cannot be discriminated against. [ethics]
      ◦ Collection of voice data may include “discovery” of already collected voice data from historical archives and other sources which pre-date these guiding principles; such data should also be treated under these guiding principles. [ethics]
      ◦ Entities should adhere to applicable voice data sovereignty law. [legal]
  • Retention & Destruction
      ◦ Entities that use voice data and associated metadata will be transparent, ethical, and will only use it within the limits of the applicable law.
      ◦ Voice data retention should be commensurate with the stated purpose. [transparency, fair use]
      ◦ Entities should adhere to applicable voice data sovereignty law. [legal]
  • Access Controls
      ◦ Entities should use Least Privilege and Role Based Access Controls.
      ◦ Entities should provide Consumers access to their own voice data, and it should be readily available at all times.
  • Technical Controls
      ◦ Consumers have the right to control their voice data throughout the entire lifecycle. [individual sovereignty over one’s own voice]
      ◦ Technical controls should be commensurate with voice data privacy risks. [voice as a biometric]
      ◦ Voice data should always be encrypted, even within private networks.
      ◦ Anonymized voice data means that re-identification to a particular person is statistically not possible. (Suggest we take quantum computing into consideration.)
      ◦ Entities should be transparent about the technical means they are using to anonymize voice data.
      ◦ Voice masking technologies might be considered whenever voice data does not need to be associated with a Consumer.
      ◦ Services should be developed which make opt in/out and deletion capabilities technically accessible and easy for Consumers.
  • Monitoring (Audit/Validation)
      ◦ Entities should have assigned responsible and accountable personnel overseeing Voice Data Privacy.
      ◦ Entities should include Voice Data Privacy monitoring in their routine GRC/internal audit programs.

Questions

  • How many guiding principles (the fewer the better)?
  • What is the governance model?
  • How does industry, government participate?
  • Can we draw a parallel flow showing the voice data lifecycle and the SDLC?
  • Just as there are data sovereignty issues, what rights do individuals have over voice data transmitted across jurisdictional boundaries?

Lynn Terwoerds & Kelly Arnholt / Drafted for Executive Women’s Forum, October 2015