On September 7th, 2020, the French Data Protection Authority (CNIL) presented their new White Paper: Vocal Assistants and their ethical, technical and legal challenges.
This White Paper is the final product of different experimentations occurring in 2016 by LINC (CNIL’s Digital Innovation Laboratory) and through different partnerships and collaboration with Hadopi (The High Authority for the dissemination of works and the protection of rights on the internet) and the CSA Institute.
During the speech presentation, Félicien Vallet and Martin Biéri (both engineers for LINC) introduced the various shapes and forms that vocal assistants can take but also the different situations in which they are currently deployed in our daily-life. In order to develop a better global understanding of these technology but also to underline their inherent issues and best practices and ways to tackle them, a guidance was needed.
The CNIL’s President, Marie-Laure Denis, explained that new technologies are ‘‘undeniable advances that should not, however, obscure the questions that voice assistants raise from a data protection perspective, particularly with regard to the transparency of their system’s operation’’.
“The objective of this White Paper is to make this work (LINC’s work on vocal assistants) accessible to all types of public. The aim is to present the various legal, technical or ethical issues at stake, and to respond to the concerns of those who build these assistants, those who deploy them, as well as those who may use them. Finally, it also aims to offer advice and guidance to contribute to the development of tools that respect the fundamental rights of the individuals using them”.
White Paper, CNIL’s President Marie-Laure Denis (traduction by the author).
Voice as a sensitive biometric attribute
Security and privacy of individuals are notions at the core of the White Paper. In facts, as “voice contains markers specific to an individual, a combination of physiological and behavioural factors”, this biometric attribute can be used to identify someone.
Furthermore, voice can contain a great deal of information relating to the identity of persons, or permitting to infer “characteristics such as emotional state, socio-cultural origins, ethnicity or state of health”. The White Paper offers interesting analysis and presents best practices “for designers, application developers, integrators and organizations wishing to deploy voice assistants in shared locations” or for the use of such devices in areas blurring the distinction between public and private space.
Issues at stake
Particularly present in our daily lives, vocal assistants are often the target of diverse rumors and speculations. Part 2 of the White Paper, dedicated to myth and challenges of vocal assistants, focuses on the actual threats and legal issues at stake. It insists on “the need for transparency and security of the devices designed, in order to respect the GDPR and the privacy of individuals’’ and raises the question of the responsibilities of each actor involved into the assistant.
“Who is responsible for data processing? How are the relations between the application developer, the assistant, and the designer organized? (…) There are many different data circulation patterns, which vary accordingly to usage and design choices. It is therefore advisable to carry out a case-by-case analysis in order to specify the different roles, modes of intervention and capacities for action of each actor involved”.
Guidance is also provided to users on how to control their voice assistants, for example to ensure the confidentiality of the data transmitted, the use made by children and the security of the devices. Moreover, Part 3 of the White Paper, dedicated to use cases and the applicability of the GDPR in relation with vocal assistants, is of particular interest from a legal point of view. It provides examples to follow and explanations on the issues inherent to the use of a generic vocal assistant, of a banking application and the reuse the data collected by the voice assistant for service improvement purposes.