Apple disclosed today that it stores the data created when people use Siri and Dictation, two voice-driven services found on its mobile devices, for two years.
The disclosure comes after one civil liberties group warned that Apple isn't doing enough to inform its customers of their privacy rights.
The Cupertino, Calif.-based company's privacy policies on its Siri and Dictation services do not disclose exactly how their technology works or how for long the company stores customer data. Both services were first made available to the public as standard features in October 2011.
Some companies, such as IBM, banned use of the services in their workplaces because they could not guarantee the security of their data.
This morning, Wired's Robert McMillan lifted the lid on how long Apple stores the data: up to two years, according to Apple spokeswoman Trudy Muller.
Siri (found on iOS devices) and Dictation (found on both iOS and OS X devices) take voice-input data and send it, over the air, to Apple servers. A random number is generated to anonymize the user, and the data excludes a user's email address, phone number and Apple ID.
After six months, the data is "disassociated" from that random number. Apple then uses it to "generally improve [Siri/Dictation] and other Apple products and services." The company says the data may include "related diagnostic data, such as hardware and operating system specifications and performance statistics."
These files are held for up to 18 months.
Speaking to Wired, Apple said that turning off Siri immediately deletes the random number identifier and "any associated data."
However, if Siri and Dictation remain on and are not disabled, any voice-input data and corresponding personal information will be retained for up to two years from the time it was first entered into your compatible iOS or OS X device.
Google takes a similar approach. The search giant offers similar voice services, and the company anonymizes data after two years to use it to improve its speech recognition service. Google says it has "no way" of telling who spoke a particular query.
But the devil is in the details.
Apple, its partners and its peers may not be able to tell who spoke a particular query after a set amount of time — for Google it is never; Apple has a six-month limit — but the contents of that voice data still remain on their servers.
Such content could range from an innocuous Siri request such as "What was the score of that game last night?" to a sensitive, legally regulated dictation that reveals the precise time a company plans to file for an initial public offering. It is the latter scenario that is of greatest concern.
For this reason, IBM last year banned Siri on its corporate network. Chief information officer Jeanette Horan said the computing giant is "extraordinarily conservative" about computer security, and suggested that "spoken queries might be stored somewhere."
Nicole Ozer, the technology and civil liberties policy director at the ACLU of Northern California, told ZDNet in a phone conversation that Apple "may be storing confidential business information on its servers."
"Apple can be collecting personal information about who you are, who you know, where you go and what you do," she added.
When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and to process your requests.
Your device will also send Apple other information, such as your ﬁrst name and nickname; the names, nicknames, and relationship with you (e.g., "my dad") of your address book contacts; and song names in your collection (collectively, your "User Data").
The statement "User Data" is key — this is the content stored on your phone that can be physically read, including text-based details, contacts, notes, and calendar entries.
Here's a snippet from what it says:
If you turn off [Siri/Dictation], Apple will delete your User Data, as well as your recent voice input data. Older voice input data that has been disassociated from you may be retained for a period of time to generally improve [Siri/Dictation] and other Apple products and services. This voice input data may include audio files and transcripts of what you said and related diagnostic data, such as hardware and operating system specifications and performance statistics.
(Because the two policies are otherwise identical, [Siri/Dictation] are interchangeable.)
There is also this following nugget to consider, which comes at a time where California is mulling over a "right to know" data law that would go above and beyond what EU citizens have. It has yet to be implemented, but other states may follow suit.
For other personal information, we make good faith efforts to provide you with access so you can request that we correct the data if it is inaccurate or delete the data if Apple is not required to retain it by law or for legitimate business purposes. We may decline to process requests [...] for which access is not otherwise required by local law.
Can Apple hold onto this data for as long as it wants?
Under most major jurisdictions, including the U.S. and in the EU, Apple can. It just chooses not to.
While the U.S. doesn't have data retention laws, the EU does — albeit controversially. But EU law doesn't apply in this instance.
According to a European Commission spokesperson, the EU Data Retention Directive does not apply to Apple. Vague as it may be, Apple and Google and its peer companies are not classified by EU authorities as a "telecommunication service providers or operators."
ISPs and telecom firms must hold onto communications data for a period of six months to two years under under the EU Data Retention Directive. This allows governments from around the world to request access to that data, including IP addresses, time and date of emails, phone calls, and text messages, so long as a court requests it.
The EU forces companies to hold onto your data for a set amount of time, but it also dictates that it must be destroyed after a certain amount of time or when it is no longer needed. This policy has been controversial, and there are ongoing disputes over the legality of it, and whether it has even been fully implemented in EU member state law.
Apple may also be under this requirement. To date, the company has not been targeted because it has not been the subject of any complaints.
A lack of clarity and spotty availability of otherwise public information make it difficult for businesses and consumers to make informed choices about their purchasing decisions. There is little upside to this inconsistency. Though for the enterprise, the truth may be a bitter pill to swallow.