Looking at everything with a hearty dose of cynicism is an occupational hazard of security reporting. Whenever a data-hungry app or service is free, there's always a looming feeling of "what's the catch?"
Enter the latest example: Otter, a free transcription app. It lets you record and transcribe meetings in real time. Anyone who's transcribed knows how boring and arduous it is -- and reporters, especially, hate doing it -- even if it's important to have a written record of meetings, source interviews, and other events.
The app, powered by parent company AISense, uses artificial intelligence to churn out accurate transcripts that identify speakers, suggest keywords, and allow keyword searching.
Depending on where you read, the app's creators claim "all the data is stored and moved around securely, with no one except the owner having access to it," and that the company is apparently "not interested in peeking into your materials so it can create a profile that will target ads to you."
That's a problem for anyone using the app -- whether it's a reporter who's relying on a sensitive source for stories and needs to keep their identities a secret, or company executives who are discussing proprietary information in a business meeting, just to name two examples.
Neither policy appears to have assurances that the recordings you upload -- which may contain corporate confidential information or sensitive and personal data -- won't be accessed or used in some way.
After we contacted the company and first published this story, Otter scrambled to update the policy and remove key portions that we highlighted, such as granting the company the rights to access and use your data.
We specifically asked (several times) if employees can access submissions or transcriptions. An Otter spokesperson confirmed that the company does have access to user audio and transcription data.
"Only our CTO has access, and our CTO will only permit access in response to a legitimate user request," said the spokesperson. "We only access account-level user data for troubleshooting purposes in response to user queries."
"Users have full control to delete anything from their Otter account. Once it is deleted, we immediately disable access and purge data from our environment," the spokesperson added.
It's not clear based on the company's team page exactly who the company's CTO is -- or what controls are put in place to prevent abuse or hacking.
It's generally assumed, unless explicitly said otherwise, that most tech companies can get access to the data you store with them in some way or another. That's why so many tech companies in the wake of the NSA surveillance scandal began rearchitecturing their systems to shut out law enforcement from their products and services.
Many companies, apps, and services use zero-knowledge or end-to-end encryption, which guards against interception -- including the companies providing the service. These encryption mechanisms are usually employed to guard against government demands for data.
While encryption was only mentioned once in both policies, advertising was mentioned several times.
The spokesperson said the company "will soon roll out a subscription-based revenue model," and that the service has "no plans" to be ad supported.
The portions of the policy were removed after we published our story.
In today's data hungry tech industry, it's natural to assume that a free app means "you are the product," as the old adage goes. But that's not always the case. There are so many free sites and services with no hidden agenda -- there's no secret data mining or selling your data. For its part, Otter may well be true to its word, like other transcription and data hungry companies out there. But privacy policies -- as boring as they are to read -- are there for this exact reason.