Tea, Earl Grey, Hot

Posted: May 23, 2012 in Uncategorized

I’m sure you remember quite well watching Jean-Luc Picard standing next to his desk and saying to the computer, “Tea, Earl Grey, Hot” during many an episode of Star Trek: The Next Generation. The whole idea of talking to computers to make some sort of request, even going back to the original show in the 1960s, was pretty futuristic and exciting stuff.

Here we are in 2012. If I turn on my iPhone, activate Siri and say “Tea, Earl Grey, Hot”, she happily comes back with, “I found a number of restaurants not far from you. I’ve sorted them by rating.”

Lest the warm fuzzies of living in the future linger too long, let’s turn our attention to this little story that popped by this morning. http://www.appleinsider.com/articles/12/05/23/ibm_bans_apples_siri_from_its_internal_networks_for_security.html

In it, IBM bans the use of Siri on its internal networks. The explanation: IBM “is concerned that spoken data could be stored somewhere on Apple’s servers.” *facepalm*

In the early 80s, with the introduction of the personal computer, I can remember my Dad’s company Gold Seal buying their first PC and my dad setting it up in an area fairly close to the Xerox copier. To use it, you’d just walk up, turn it on, boot into DOS and run whatever you were going to run. My Dad’s company also had a System 3x, and that box had honest to gosh login IDs. There were different security models between the PC and the minicomputer, but either way both were tools to get work done.

IBM made a lot of money on the PC despite what might be considered an obvious security flaw. But let’s not pass judgement. Let’s get back to the bits of the matter with Siri.

Speech recognition and the use of computing power behind it to do useful things is pretty exciting stuff. Siri is still in beta. WWDC is coming up in a few weeks. Will Siri be opened up to 3rd party developers? What is Google going to do with Android in Jelly Bean? These are important questions. Getting to that point in the future where you can merely hold a device in your hand and do useful things, using just your voice to interact with any application, is pretty powerful stuff. This is tech to be embraced.

Speech recognition isn’t easy. It takes some computing power, especially if you want to be really good at it and be able to recognize many different languages. What Siri does is package up the voice data, encrypt it over SSL and send it to the great grand cloud of Apple servers in the sky to be worked on.

So here’s the thing, and this isn’t IBM specific at all. Do you trust your employees to use Google? Bet so. It’s already known that Google records searches and uses of its search engine. Should IBM or any other company ban the use of Google? No. Of course not. That’d be stupid. Companies DO sit down with their employees and coach them on the use of external services, and certainly do cover the point that information that is confidential in nature shouldn’t be shared. Siri isn’t any different than Google in this context. Banning Siri is like banning Google.

PCs over time gained power-on passwords. They began to run multiuser operating systems and gained security features. How will security and data privacy evolve in Android and iOS over the next year? Time will tell. As mentioned, WWDC is just a few weeks away. Google I/O is a bit further off. Stay tuned.


  1. tgall, your use case (intentionally?) presents an innocuous use of Google. The case that IBM would be concerned about would be something along the lines of:

    “Remind me about [CONFIDENTIAL MEETING UNDER NDA], tomorrow at 10am”


    “Tell [EXEC] that [M&A ACTIVITY] is cancelled”

    If Siri only acted as a proxy to Google, you’d be right. The concern is that potentially confidential information could be exposed to someone who doesn’t have the appropriate legal commitment to confidentiality.

  2. tgallfoo says:

    Thanks for the comment. Consider all the companies using Google mail or Google calendar as part of their business. If you have confidential materials in Google mail, Google calendar, Google docs, etc., one is trusting Google’s system to store such information. Many companies do, especially smaller businesses which can’t replicate cloud based systems in house.

    Does Google do any sort of data collection / indexing over what is stored in the plex? It does.

    The data retention policy “debate” isn’t something new and isn’t specific to Siri. Both Google and Apple have data retention policies. I would submit that those policies are some of the best in the business and they both evolve those policies and their implementation in intelligent ways. If they aren’t, it would be helpful to define what a best of class policy is.

    • Siri privacy concerns : http://www.jonburg.com/future/2011/10/siri-apple-know-a-lot-about-you-who-cares-about-privacy.html

      Google privacy concerns : http://news.yahoo.com/developments-related-googles-privacy-concerns-214503083–finance.html

      This isn’t about data retention, this is about data privacy and confidentiality. Google has been roasted over the coals for the crap they’ve put in their privacy statement. I think your assumption that it is one of the best in the industry is false. Apple is clearly no angel either.

      Further, if Apple doesn’t commit to contractually protect information to the same standards as IBM would for confidential information, why wouldn’t the CIO declare that Siri (or any other service) is unfit? There are actual IBM standards which the CIO uses to sanction 3rd party services once an evaluation has been done. This isn’t decided arbitrarily.

      Companies that use Google products for their corporate use either:

      a) have some kind of agreement with Google which binds Google to respect the confidentiality of their data
      b) take compensating controls to provide confidentiality where Google can/will not (i.e. PGP encryption of messages)
      c) take a calculated business risk as to why it would be cheaper/more efficient to use Google instead of an in house solution.

      • tgallfoo says:

        Data retention, privacy and confidentiality are all intertwined and with my damaged DNA I shorten the 3 into 1, data retention.

        The Siri article you point to is old, from last fall. It doesn’t even point to the current policy, which was revised after some of the initial brouhaha as people started to discuss the initial implementation.

        Apple and Google are not RIM with its opening of back doors for governments such as India and in the Middle East.

        It must be recognized that both Apple and Google have taken action over the past few years to address business security concerns such as remote wipe, device management, enterprise app deployment and management. Perfect? No. Both are competing for the business world and they aren’t standing still.

        That said.

        There is no standard for services and the policies they have. The world needs one. It would give services something to aim for and be measured by when it comes to data retention, privacy and confidentiality.

        I think my position stands. Calling out voice recognition services like Siri doesn’t make sense, especially when put into the context of how it works when compared to other services that I’ve outlined. Yes, it is a “business risk” as you say, but that’s no different than the business use of Google, which is often mitigated through employee education.

        Mobile computing isn’t going away. Use of Android, Google’s services, Dropbox, iOS, Siri et al is becoming core to business. I don’t think anyone claims they are perfect, but until someone defines what “perfect” means, and the industry agrees to it and implements it, it’ll continue to be blog fodder.

        I really appreciate the discussion on this and hope you do as well. Interesting times.

  3. Holding Apple and Google as model citizens, vs RIM as the villain exuding secrets to India and the Middle East is a bit out of context. In *any* scenario, governments have the ability to serve warrants to obtain information they want. In certain cases (read: Patriot Act and brethren) they can do so via a secret court. Many nations have this proviso.

    There are standards for the privacy of information. EU and Canada have some of the best (IMHO). People often confuse secrecy and privacy. Privacy is the willful consent of information. The point is that I might disclose information via Siri which I did not intend to. The same applies to confidentiality in corporations, since privacy by definition only applies to personal information.

    Corporations (IBM inclusive) should always default to a “No” position regarding new technologies, until they’ve been proven compliant with internal security standards. In IBM, there is an internal security standard (I believe it’s ITCS329) which declares the security controls an “Outsourced Business Service” provider must comply with. Apple/Siri aren’t compliant.

    Working in security, I think the biggest challenge is understanding the risks, and taking appropriate action to control them. Can’t fault a company for saying “Service X doesn’t meet our measure of security, so don’t use it for conducting our business”.

  4. Yes, this is a good discussion 😉
