A former Apple contractor called on EU privacy watchdogs Wednesday to investigate the firm’s “past and present” use of Siri recordings nine months after reports emerged of the firm listening in without users’ knowledge.
“I request that you, as a data protection authority, set out to protect a fundamental right recognized throughout the Union, to take action and investigate Apple’s past and present practices (and of other tech companies following the same practices),” wrote Thomas Le Bonniec, who from May to July 2019 worked on a Siri transcription project in Cork, Ireland.
Last summer, the Guardian reported that contractors reviewed recordings made by Siri, Apple’s voice assistant, without the users’ knowledge, including when Siri was accidentally activated. The investigation followed similar reports about Amazon’s Alexa and Google’s home assistant, as both companies also employed human reviewers to listen to recordings in order to improve the artificial intelligence technology’s efficiency.
Since then, Apple said it moved to an opt-in system that requires users to proactively agree to have their recordings reviewed. Asked about the current program, a spokesperson for the company redirected POLITICO to blog posts from August and October which explain the changes made by the iPhone maker after the reports. “By default, we will no longer retain audio recordings of Siri interactions. We will continue to use computer-generated transcripts to help Siri improve,” Apple said.
Amazon said it would allow users to opt out from the human reviews and Google paused the reviews, which haven’t resumed since.
But despite the three companies publicly acknowledging that users might not have been fully aware of the listening programs at the time, no investigation was opened by the privacy regulators in charge of the companies.
Le Bonniec chose May 20 to send his letter because the date is days ahead of the European flagship privacy reform’s second anniversary, he told POLITICO. The former Apple contractor hopes his public letter will pressure regulators to act and says he’s ready to testify in future probes. He reached out to all European data protection authorities, to the European Data Protection Board, the European Data Protection Supervisor and privacy regulators in Liechtenstein, Norway, Switzerland and Iceland.
Two years in, privacy regulators have yet to impose meaningful fines under the General Data Protection Regulation, raising questions about the ability — and, sometimes, the willingness — of data protection authorities to enforce the legislation.
“[The timing of the letter] is a reminder that we have legislation at EU level that is supposed to be good for something. Up until now, we’re under the impression that there was no repercussion after the Apple, Google revelations. And if we don’t put pressure on Ireland, nothing will happen,” he said, adding that he was breaching his nondisclosure agreement to help regulators investigate.
Under the GDPR’s one-stop-shop mechanism, Ireland’s Data Protection Commission is responsible for Apple and Google, while the Luxembourg National Commission for Data Protection is responsible for Amazon.
Last summer, both regulators said they had “questions” for Apple and Amazon, but decided not to initiate probes, arguing that the European Data Protection Board, the grouping of Europe’s privacy regulators, was working on EU-level guidelines on how to deal with voice assistants, which are expected later this year.
A spokesperson for the Luxembourg data protection authority said it was in regular contact with Amazon on a range of issues but declined to further comment on why it did not launch an investigation on Alexa because it was “bound by the obligation of professional secrecy.” A spokesperson for the Irish privacy regulator said, “We’re still engaged with Apple on a number of fronts, we’re still getting answers to questions.”
According to Hamburg’s data protection authority, which was very vocal when the reports came out and is among the authorities in charge of drafting the guidelines, not enough has been done on privacy violations related to voice assistants.
“Unfortunately, last year’s momentum appears to be lost by now. Some corrections were applied to voice assistants, but not consistently within the industry,” a spokesperson for the regulator said.
“Moreover, the underlying questions if and under what circumstances user data may legitimately be used to improve products (which is a key element to a wide range of AI systems, voice-based and beyond) are far from solved,” the spokesperson added.
Indeed, both Apple and Amazon still have reviewing programs in place. A spokesperson for Amazon said: “We annotate a fraction of 1 percent of interactions to improve the Alexa experience for customers. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone.”
The spokesperson declined to comment on how many users had opted out.
Apple resumed its own Siri program in October with changes: Recordings are no longer stored by default, unless users agree to do it, and only Apple employees, instead of contractors, have access to the samples. The company declined to disclose how many users had opted in.
According to Le Bonniec, regulators should “verify” that Apple indeed stopped processing samples without the users’ knowledge. He also argues such listening programs shouldn’t exist in the first place.
“Mozilla’s [crowdsourcing] Common Voice project asks people to voluntarily participate and give their voice. It’s done in a transparent way, which is proof there is no need to spy on people,” he said.