Monday, April 22, 2013

Siri Still A Privacy Worry Despite Apple Spelling Out Policy

Apple came clean that it keeps anonymous Siri data for two years, but that has not quelled fears about corporate data privacy

 

By Antone Gonsalves
April 22, 2013

CSO — Apple's Siri personal assistant in the iPhone and iPad remains a risk to businesses, despite the company's disclosure that it anonymizes voice clips and deletes the data within two years, experts say.

Without advocating a ban on the use of Siri for employees who bring their own mobile devices to work, experts say companies have to weigh the risks carefully.

"Organizations need to consider Siri within the broader context of their corporate security and compliance guidelines," said Tyler Lessard, chief marketing officer for mobile security company Fixmo. "In short, there is no simple answer to suggest whether a company should, or should not, ban Siri."

Apple told Wired last week that it keeps Siri voice clips for up to two years. In addition, a random number is attached to the user, so the information is anonymized. The disclosure stemmed from an interview that followed an article in which Wired reported that parts of Siri's privacy policy were "fuzzy," and did not say how long the company kept the data.

Apple did not respond to CSO's request for comment.

Siri has always been a concern for organizations, because voice clips from employees using the service in business-related tasks would be stored on Apple's servers. Organizations have no way on their own to track or archive the data or to ensure it remains private.

In 2012, IBM banned employees from using Siri as part of a new set of bring-your-own-device (BYOD) policies. The company feared that conversations with Siri could include confidential information that should not be forwarded to Apple.

Dimitri Sirota, co-founder and chief strategy officer for Layer 7, said IBM's approach, while draconian, was the right one once the company decided that Siri was out. "In an age of BYOD, the only surefire way companies will be able to prevent leakage of confidential information is through policy and some kind of liability in case of deliberate leakage," Sirota said.

In some ways, Siri is similar to other cloud services that people use for work, oftentimes without the knowledge of their employers. Such services would include Web mail, social networks, such as LinkedIn, and document-sharing services, including Box, Dropbox and SugarSync.

 
While mobile device management software can limit how corporate applications use cloud services, including Siri, a clever employee can always find workarounds.

"For integrated services like Siri, the best policy is to verify the security policies of the cloud provider, but there will be no way around some level of trust," Sirota said.

The number of companies that allow employees to use their own devices has jumped from 10% in 2008 to 80% last year, according to a survey by Aberdeen. Companies like the productivity benefits of mobile technology and the reduced cost of not having to buy the hardware.

However, organizations today are increasingly placing limits on the use of these devices on corporate networks, and are deploying technology to separate business data from personal information.


Friday, April 12, 2013

Having A Third Person in the Interview Room

Privacy is considered the single most important psychological factor contributing to the success of an interview or interrogation. This is something we each inherently recognize. For example, if a man wanted to discuss marital problems with a close friend, he would not meet his friend at a crowded bar to discuss this sensitive topic. Rather, he would meet his friend in a quiet restaurant or cafe to discuss his personal problems in private. Quite simply, it is easier for a person to tell the truth when communicating with one other individual. Consequently, we recommend that in most cases interviews should be conducted one-on-one, with only the investigator and suspect in the room.

There are exceptions to this guideline. Perhaps an investigator and his/her partner both want to be present during the interview. A male investigator may be interviewing a female sexual assault victim and, to protect against a false claim of misconduct, request that a female observer be present during the interview. In other cases, the suspect may not speak English, requiring that an interpreter be involved during the interview. Finally, a parent, supervisor or union representative may want to be present during the interview or interrogation. Each of these circumstances will be discussed separately.

Partner, witness

First, the partner or witness should be seated behind, and to the side of, the suspect. Second, the partner or witness should remain silent. They may take written notes, but should not interact with the suspect. The goal is to minimize the violation of privacy that having a third person in the room presents, as illustrated in figure A:


Figure A

Interpreter

An interpreter should typically be positioned to one side of the investigator, with the investigator sitting directly in front of the subject, as illustrated in figure B. If the interpreter is personally acquainted with the subject, or the subject is hostile, the interpreter may be positioned behind the suspect, similar to the previous witness in figure A.


Figure B

The interpreter should be instructed to translate the investigator's questions and the subject's response to the questions word for word in first person. ("I wasn't there." versus "He said he wasn't there.") Specifically, the interpreter should be cautioned not to summarize either questions or responses. If the interpreter is not trustworthy, perhaps because of possible sympathy toward the subject, the investigator may explain that the entire interview will be electronically recorded and that the accuracy of the interpreter's translations will be checked by an objective third party. While this may not, in fact, be feasible, such a statement may result in more accurate translations.

Finally, the subject should be instructed to address the investigator when speaking. There will be a natural tendency for the subject to talk to the interpreter, since the interpreter is the person who asked the question. However, to properly evaluate the subject's nonverbal behaviors and to increase the deceptive subject's fear of detection (lying to the investigator rather than the interpreter), it is important that the subject direct his or her responses to the investigator.

At the beginning of the interview the subject should be politely admonished if he responds to the interpreter rather than the investigator, e.g., "Armando, talk to me, not him." Once this pattern has been established, it could be a significant behavior symptom of deception if the subject, all of a sudden, addressed the interpreter rather than the investigator. This is similar to the witness in a courtroom looking to the defense attorney for help prior to responding to a threatening question asked by the prosecutor.

Parent, union representative

In the previous situations the third person in the interview room is beneficial to the investigator. However, this is not necessarily the case when the third person is an advocate for the suspect, such as a parent, human resource staff or a union representative. In those circumstances in which there is no legal requirement for the parent or company representative to be in the room, the investigator should meet with this individual in private and first try to persuade that person to not be present during the interview or interrogation. The following statement has been used effectively to accomplish this goal:

"I believe you and I have the same goal which is to identify whether or not (suspect) is involved in (issue). [Parent] If he is involved you certainly don't want him to think that he can get away with something like this and do worse things in the future, right? [Company Rep] If he is involved in this you owe it to the other employees in this company to discipline the proper person and not put all employees under a cloud of suspicion and have them subjected to greater scrutiny, right?

Let's assume, for a minute, that in fact (suspect) did commit this offense. Put yourself in his shoes. Do you think it would be easier for him to tell the truth with just me in the room? Of course it would be. Think back when you were young and did something wrong. Was it easier for you to tell the truth to just your mom or dad? Or did you want to be questioned in the presence of many people? Just your mom or dad, right. This is the same situation.

Let me learn what the truth is and then I will bring you into the room for you to hear the truth. At that point you may ask (your son) (employee) any questions you wish to. But let's work together in this matter to learn the truth by allowing me to first talk to him in private, alright?"


If the parent or company representative insists on being in the interview room during questioning, the investigator should have that individual sit in the witness chair illustrated in figure A. Second, the parent or company representative should be advised that they are only in the room to observe, and that if they speak and interrupt, the investigator will have no choice but to terminate the interview because of this interference.

During the interview or interrogation, if the parent or company representative does say or ask something, the investigator should immediately advise the parent or company representative with a statement such as:

"Jim/Mary I just want to remind you that our agreement was that if you were in the room you would only observe and not interject yourself into the conversation. Correct? You are not keeping up your end of the bargain. If you continue to interrupt me I am terminating this interview because of your interference."

In conclusion, during most interviews and interrogations the investigator should be alone in the room with the suspect, absent any legal requirement to do otherwise. If a third person is present as an observer or interpreter, specific procedures should be followed to minimize the violation of privacy this third person represents. If the third person is an advocate for the suspect, the investigator should attempt to persuade that individual to remain outside the room. If that individual insists on being present during the interview, they should be cautioned to not interrupt the investigator.

-----------------------------------------------------------------------------------------------------------------------------

This Investigator Tip was developed by John E. Reid and Associates Inc. Permission is hereby granted to those who wish to share or copy the article. For additional 'tips' visit www.reid.com; select 'Educational Information' and 'Investigator Tip'. Inquiries regarding Investigator Tips should be directed to Janet Finnerty johnreid@htc.net. For more information regarding Reid seminars and training products, contact John E. Reid and Associates, Inc. at 800-255-5747 or www.reid.com.

 Members of CPIRC.com receive special discounts on John E. Reid course registration fees and training materials.  The reduced seminar fee for the Reid open registration seminars is $395 U.S. (a savings of $155 from the standard $550 per person fee). The discounts are 10% or better on our products.