Security Implications of AI Voice Dictation
Security Implications of Ai Voice Dictation
Ai Voice dictation tools are becoming popular because of the self-evident productivity gains. On average, people tend to write between thirty to forty words per minute without dedicated typing training. Voice dictation, on average, transcribes approximately 100 to 120 words per minute because that is the average speed of speech. Conventionally, the story would end here because the productivity gains are so obvious. There is not much to explain. However, the less obvious implications are all related to data security.
The Dependency on vendors Data Sub-processor security
Cloud based Ai Voice dictation creates an operational dependency on a vendor’s continuous willingness and ability to provide the service. That dependency, however, extends far beyond what most procurement teams can verify. You can verify the vendor’s SOC two compliance and privacy policy, but you cannot verify the ongoing compliance and security mechanisms of the five to ten infrastructure and software providers the vendor is using continuously to provide the service. Recognize each one of those infrastructure providers touches your unencrypted data because otherwise the service cannot function.
Infrastructure providers such as Amazon AWS hosting the vendor’s compute and storage so your data is resting on systems outside the vendor’s control. Likewise, content delivery networks and API proxies all transfer your data through systems neither you nor your vendor control. Critically, engineering and support staff may gain access to those data when handling system incidents.
Each sub-processor extends the trust boundary further. Under European legislation such as the GDPR, each of those sub-processors must be fully disclosed and covered by contractual protection. However, in practice, customers of a vendor rarely have full visibility into the full supply chain of the vendor.
Opaque Jurisdiction Risk
In theory, where your data are processed, matters legally, because each jurisdiction prescribes binding privacy and security protection measures. In reality, though your data may cross jurisdictions you did not choose, and may not even be aware of that the transit happened. The vendor might be headquartered in one jurisdiction for tax reasons, operates from a second jurisdiction, processes data in third one, backups are stored offsite in a fourth jurisdiction, and support staff may operate in yet another jurisdiction. When you read your vendor contract carefully, you usually contract with one legal business. Ask yourself, does the vendor disclose multiple other jurisdictions that support their operations?
The distinction between where the business is located and where data are processed is critical, because each jurisdiction grants government different levels of access to all data from a vendor, regardless of where the customer of the vendor might be located.
The converse, however, is unfortunately also true. Under the U.S. Cloud Act, U.S. law enforcement is entitled to full data access from any U.S. corporation, regardless of where the data center or servers are physically located. That means, for example, that a U.S. cloud hosting company that operates a data center in Germany via a subsidiary is legally obligated to grant full access to all data to U.S. law enforcement. Furthermore, the Cloud Act is often subject to legal cooperation agreements between nations. For example, Australia and the United States have legal cooperation agreements in place, and a company in Australia under this legal framework also falls under the application of the Cloud Act. Regardless of where their data are located.
Business Continuity
The legal risk may or may not have practical implications. Assuming that law enforcement has no reason to look into a legal business that uses voice dictation, the risk might be deemed acceptable. However, AI-based voice dictation requires network access and there are multiple points of failure. The local ISP may face some connectivity issues. The cloud provider may face issues, as happened recently with AWS, and that put the entire service offline. And the central question. Really, comes down to whether your business retains its competitive edge when those network or cloud services are temporarily unavailable? The recent events in Iran has caused multiple disruptions in regional AWS data centers, so the risk can become tangible for reasons outside anyone’s control. Likewise, traveling in areas with limited connectivity imposes structurally a similar risk. Mobile productivity tools way too often assume continuous network connectivity, but that is not a given in all areas of the world.
The common theme between supply chain security, legal risk, and business continuity risk all comes down to a dependency on a single vendor that uses infrastructure neither you nor the vendor controls.
The Cost of Compliance
Mandatory compliance attempts to mitigate a large part of the risk that emerges from the lack of control over infrastructure. The argument goes that when you cannot control the infrastructure, compliance attempts to control the vendor to establish reasonable security measures and promises to uphold their part of the agreement established through compliance checks. The cost of compliance, though, falls partly on your organization because annual vendor review, SOC two compliance reviews, and regular security analyses are all expenses your business has to bear. For cloud based Ai voice dictation, this becomes more complicated because, by implication, it’s not possible to control what people dictate and that means the decision where to deploy cloud-based AI dictation and where not is a high-level security decision about who gets productivity through dictation and who not.
Questions to Ask Before Procuring Ai Voice Dictation
An organization’s procurement team need to ask several questions to gain clarity from their AI voice-based dictation solution:
- Does the application require internet connectivity for any aspect of usage, installation, activation, or usage?
- Are speech recognition models bundled together with the application or downloaded during or after installation? When downloaded, how are the downloaded data verified to as genuine?
- Does the application transmit any data such as audio transcript, telemetry data, crash report, or license check to any external server?
- Can the vendor’s security claims be independently verified?
Data Sovereignty
One way to manage risk is to increase compliance of vendors and implementing stricter protocols, higher levels of documentation, and doing regular security audits.
One alternative is to eliminate the supply chain risk, legal risk, and the business continuity risk altogether. Local first offline dictation tools, such as AirGap Voice, eliminate the need for vendor dependency, eliminate the supply chain risk of data sub-processors, and eliminate the jurisdiction exposure, while preserving business continuity regardless of whether internet is available.
The most secure data are always those that never leave your device. Data sovereignty starts with taking ownership of your valuable data. You cannot afford to lose. Legal documentation, IP filings, financial documentation, all those files you cannot afford to lose should never leave your device. Airgap voice eliminates multiple categories of risk by ensuring sensitive audio always stays on your device.
This article was dictated using Airgap Voice for mac in 25 minutes and edited for clarity in 10 minutes.