Data Security

Data Protection Trust Levels Still Low After GDPR

Posted on by Andy Miller

A report by the Chartered Institute of Marketing (CIM) has shown that as 42% of consumers have received communications from businesses they had not given permission to contact them (since GDPR came into force), this could be a key reason why consumer trust in businesses is still at a low level.

Not Much Difference

The CIM report shows that only 24% of respondents believe that businesses treat people’s personal data in an honest and transparent way.  This is only slightly higher than the 18% who believed the same thing when GDPR took effect 6 months ago.

Young More Trusting

The report appears to indicate that although trust levels are generally low, younger people trust businesses more with their data.  For example, the report shows that 33% of 18-24 and 34% of 24-35 year olds trust businesses with their data, compared with only 17% of over 55s.

More Empowered But Lacking Knowledge About Rights

Consumers appear to feel more empowered by GDPR to act if they feel that organisations are not serving them with the right communications.  For example, the report showed that rather than just continuing to receive and ignoring communications from a company, 50% of those surveyed said that GDPR has motivated them to not consciously opt-in to begin with, or if opted in, make them more likely to subscribe.

This feeling of empowerment was also illustrated back in August in a report based on a study by business intelligence and data management firm SAS.  The SAS study showed that more than half of UK consumers (55%) looked likely to exercise their new GDPR rights within the first year of GDPR’s introduction.

Unfortunately, even though many people feel more empowered by GDPR, there still appears to be a lack of knowledge about exactly what rights GDPR has bestowed upon us. For example, the report shows that only 47% of respondents said they know their rights as a consumer in relation to data protection.  This figure has only increased by 5% (from 43%) since the run-up to GDPR.

What Does This Mean For Your Business?

The need to comply with the law and avoid stiff penalties, and the opportunity to put the data house in order meant that the vast majority of UK companies have taken their GDPR responsibilities seriously, and are likely to be well versed in the rights and responsibilities around it (and have an in-house ‘expert’). Unfortunately, there are always a few companies / organisations that ignore the law and continue contacting people.  The ICO has made clear examples e.g. back in October Manchester-based Oaklands Assist UK Ltd was fined £150,000 by the ICO for making approximately 64,000 nuisance direct marketing calls to people who had already opted out of automated marketing.  This is one example of a company being held accountable, but it is clear from the CIM’s research that many consumers still don’t trust businesses with their data, particularly when they hear about data breaches / data sharing on the news (e.g. Facebook), or continue to have their own experiences of unsolicited communications.

It may be, as identified by the CIM, that even though GDPR has empowered consumers to ask the right questions about their data use, marketers now need to answer these, and to prove to consumers how data collection can actually benefit them e.g. in helping to deliver relevant and personalised information.

The apparent lack of a major impact of GDPR on public trust could also indicate the need for an ongoing campaign to drive more awareness and understanding across all UK businesses.

£385,000 Data Protection Fine For Uber

Posted on by Andy Miller

Ride-hailing (and now bike and scooter-hiring) service Uber has been handed a £385,000 fine by the ICO for data protection failings during a cyber-attack back in 2016.

What Happened?

The original incident took place in October and November 2016 when hackers accessed a private GitHub coding site that was being used by Uber software engineers. Using the login details obtained via the GitHub, the attackers were able to go to the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. The result was the compromising (and theft) of data relating to 600,000 US drivers and 57 million user accounts.

The ICO’s investigation focuses on avoidable data security flaws, during the same hack, that led to the theft (using ‘credential stuffing’) of personal data, including full names, email addresses and phone numbers, of 2.7 million UK customers from the cloud-based storage system operated by Uber’s US parent company.

The ICO’s fine to Uber also relates to the record of nearly 82,000 UK-based drivers, including details of journeys made and how much they were paid.

Attackers Paid To Keep Breach Quiet

Another key failing of Uber was that not only did the company not inform affected drivers about the incident for more than a year, but Uber chose to pay the attackers $100,000 through its bug bounty programme (a deal offered by websites and software developers to offer recognition and payment to those who report software bugs), to delete the stolen data and keep quiet about the breach.

Before GDPR

Even though GDPR, which came into force on 25th May this year says that the ICO has the power to impose a fine on a data controller of up to £17m or 4% of global turnover, the Uber breach took place before GDPR.  This means that the ICO issued the £385,000 fine under the Data Protection Act 1998, which was in force before GDPR.

Other Payments and Fines

Uber also had to pay a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over the company’s attempt to cover up the data breach in 2016.

Also, for the same incident, Uber is facing a £533,000 fine from the data protection authority for the Netherlands, the Autoriteit Persoonsgegevens.

What Does This Mean For Your Business?

As noted by the ICO director of investigations, Steve Eckersley, as well as the data security failure, Uber’s behaviour in this case showed a total disregard for the customers and drivers whose personal information was stolen, as no steps were taken to inform anyone affected by the breach, or to offer help and support.

Sadly, Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned e.g. Yahoo’s data breach of 500 million users’ accounts in 2014 followed by the discovery that it was the subject of the biggest data breach in history to that point back in 2013. Similar to the Uber episode is the Equifax hack where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold their shares worth almost £1.4m before the breach was publicly announced.

This story should remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities) and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.

Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms, thereby offering no easy access to cyber-criminals. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.

Even though the recent CIM study showed that less than one-quarter of consumers trust businesses with their data security, at least the ICO is currently sending some powerful messages to (mainly large) businesses about the consequences of not fulfilling their data protection responsibilities.  For example, as well as the big fine for Uber, back in October, the ICO fined a Manchester-based company £150,000 for making approximately 64,000 nuisance direct marketing calls to people who had opted out via the TPS, and earlier this month, a former employee of a vehicle accident repair centre who stole customer data passed it to a company that made nuisance phone calls was jailed for 6 months following an ICO investigation.

Free VPN Tools May Be Linked To China

Posted on by Andy Miller

A new investigation by Metric Labs of the top free VPN (Virtual Private Network) apps in Apple’s App Store and Google Play has revealed that more than half are run by companies with Chinese ownership.

What’s A VPN?

A ‘Virtual Private Network’ (VPN) is generally used to keep internet activity private, evade censorship / maintain net neutrality and use public Wi-Fi securely e.g. avoid threats such as man-in-the-middle attacks.  A VPN achieves this by diverting a user’s traffic via a remote server in order to replace their IP address while offering the user a secure, encrypted connection (like a secure tunnel) between the user’s device and the VPN service.

Popular Free Apps

VPNs (Forbes, 2017) are the most searched-for apps in the world, partly because people have become much more concerned with privacy and they have become more afraid of government surveillance of their digital activities.  For example, the UK government’s Investigatory Powers Bill), which was passed into 29th November 2016 as the Investigatory Powers Act (“Snooper’s charter”) means that a large list of UK agencies, including various police forces and government departments, can ask for any UK citizen’s stored browsing history (details of every website and instant messaging apps that you have visited or used in the past 12 months).

China Links To Free VPNs – Security & Privacy Concerns

Bearing in mind that the main reason for getting a VPN is to preserve your privacy and security, the problem with the results of the Metric Labs survey is that they show that over half of the top free VPN apps that people can find e.g. in the App Store and Play Store for UK and US, have Chinese ownership or are based in China.

The problem with being linked to (or based in) China, according to the report about the Metric Labs (top10vpn) survey, is that China tightly controls access to the Internet from within the country, has clamped down on VPN services, and many of the free VPN services with links to China offer little or no privacy protection and no user support.

How Bad Are They?

The investigation revealed that 17 of the 30 top free VPN apps available from simple online searches have links to China and 86% of those apps have security issues.  It was also discovered that 64% of apps have no dedicated website, and 86% of apps have unacceptable privacy policies with many being presented in an amateur fashion e.g. posted on a Free WordPress sites with ads.  Some of the privacy policies either give no information about the sharing of information with third parties, have no privacy policy at all, use a stock privacy policy not related to VPNs, or simply state that information will be shared with China.

What Does This Mean For Your Business?

When you bear in mind that the reason for downloading a VPN app is to preserve privacy, the results of this investigation indicate that simply trusting one of the free VPN apps available online, and without pausing to look at its privacy information or look too much into it could be a mistake.  If your privacy is valuable to you (and you’ve not already been provided with a trusted VPN), it may be worth seeking out a trusted paid-for service. There are many lists available online from Tech magazines that offer useful comparisons and information to help you choose a VPN that will give you the right levels of performance and security.

MFA Lockout For Microsoft & Azure Users Causes Business Disruption

Posted on by Andy Miller

The latest multi-factor authentication (MFA) issue left users of Azure and Microsoft Office 365 unable to login to their accounts on Monday 21st, causing widespread disruption to businesses in Europe, Asia, and some parts of the US.

What Happened?

According to reports by Azure, the root cause was a European-based database, reaching operation threshold with requests from MFA servers.  This led to latency and timeouts, and an attempt to re-route traffic through North America caused the extra traffic to block servers.

Finally Rectified

After lasting from 4.39 am to the evening in the UK, the problem was finally rectified.  According to Microsoft reports, services could be resumed after engineers removed the link between the backend service and the Azure Identity MFA service, thereby allowing the impacted servers to catch up with the existing authentication requests.

Happened Before

This was certainly not the first time that disruptive outages had occurred with Azure and Microsoft’s service.  For example, a global outage in September this year affected Azure and Office 365 users worldwide after one of Microsoft’s San Antonio-based servers was knocked offline by severe weather.  Also, in October, UK Office 365 users endured a 3-day-long outage and had the frustration of having more login prompts appearing after their user credentials had already been entered.
Price Rise Makes Outages More Annoying
In addition to the obvious costly business disruption, the spree of outages occurring around the time of announcements of new commercial prices i.e. an increase of 10% over previous on-premise pricing (4% increase for employees who are part of a volume discount agreement), the service failures caused even greater annoyance.

MFA

Multi-factor authentication, which works by requiring any two or more verification methods for a login / transaction, such as a randomly generated passcode, a phone call, a smart card (virtual or physical), or a biometric device, is designed to be beneficial to a user and their business because it should provide an extra layer of security for user sign-ins and transactions.  Unfortunately, in the case of this most recent outage, MFA cost users rather than helping them.

What Does This Mean For Your Business?

For some companies, the recent outages at Microsoft and Azure are likely to bring into focus the dangers of placing huge operational dependency on one environment i.e. Microsoft, and of trusting a single cloud supplier to keep connected and productive during unplanned (and planned) email outages, especially when you have no independent cyber resilience and continuity plan.  In recent months, many businesses will have been counting the productivity costs of sticking to a software-as-a-service monoculture with a company whose service has let them down on several occasions.  Unfortunately, the dominance of big tech companies with their familiar Operating Systems and environments, and the fact that most businesses are committed to them with few possible, practical alternatives to choose from, mean that most businesses may simply have to unhappily endure the outages and weigh them up against the benefits and reliability of the environment generally.

For Microsoft, these outages can be damaging to its reputation and can shake the trust of its prized business users.

Firefox Quantum Browser’s ‘Monitor 2.0’ Will Warn You About Security Breaches

Posted on by Andy Miller

Mozilla’s latest update for its Firefox Quantum browser includes the Firefox Monitor 2.0 security tool, which can tell you whether a site you’re visiting has suffered a security breach in the last 12 months and whether your details have been leaked online.

Developed in Partnership with HIBP

Back in June, the Mozilla blog detailed how it was testing the Firefox Monitor tool which was being developed in partnership with HaveIBeenPwned.com (HIBP), a service run by Troy Hunt, described by Mozilla as “one of the most renowned and respected security experts and bloggers in the world”.  At the time of testing, it was announced that Monitor, through its HIBP / Firefox partnership, would be able to check a user’s email address against the HIBP database in a private-by-design way.  Mozilla said that visitors to the Firefox Monitor website would be able to check (by entering an email address) to see if their accounts were included in any known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach. It was also announced that the Firefox site would offer recommendations on what to do in the case of a data breach, and how to help the user to secure their accounts.

Rolled Out

The Monitor 2.0 security tool that’s just been rolled out in the latest Firefox Quantum update can tell you if your details have been leaked online (if you visit monitor.firefox.com), provide a desktop notification /alert when you visit a website that’s been compromised in the last 12 months, and give extra security details such as how many accounts were affected by a breach and what happened in the breach.

You Can Turn Notifications Off

Mozilla has been quick to point out that the Monitor tool has been designed to help but not annoy users and as such, if you’ve already been told about the potential security issues, you can navigate back without being told again and you can disable the notifications altogether with a just few clicks, if you’d prefer not to see them.

What Does This Mean For Your Business?

Google Chrome dominates the browser market, but there is still a lot of competition among those fighting it out with a less than 10% share of the market – Apple’s Safari, Firefox, Microsoft’s Internet Explorer & Edge.  Adding this tool, that’s linked to a renowned security expert, to the Firefox browser could add some real value at a time when the news is full of major security breaches, but most of us may not know how to check whether our details have been stolen, and what to do next.

Businesses always need to be very security-conscious, particularly since the introduction of GDPR, and being able to see notifications about pages that have been breached may be another way that business users can help to protect themselves.

The tips and personal stories of those who have been affected by a data breach highlighted on the Firefox website for Quantum business users may also help raise awareness about online privacy and could help provide prompts and ideas to help keep improving data protection and cyber resilience in businesses.

Jail For Car Accident Data Thief

Posted on by Andy Miller

An employee at a vehicle accident repair centre who stole the data of customers and passed it to a company that made nuisance phone calls has been jailed for 6 months following an investigation by the Information Commissioner’s Office (ICO).

Used Former Co-Worker’s Login To Company Computer

The employee of Nationwide Accident Repair Services, Mustafa Kasim, used a former co-workers’ login details to access software on the company computer system (Audatex) that was used to estimate repair costs.  The software also stored the personal data (names and phone numbers) of the owners of the vehicles, and it was the personal data of thousands of customers that Mr Kasim took without the company’s permission, and then passed on to a claims management company that made unsolicited phone calls to those people.

ICO Contacted

Mr Kasim was unmasked as the data thief after the Accident Repair Company noticed that several clients had made complaints that they were being targeted by nuisance calls, and this led to the decision to get the ICO involved.

During the investigation, it was discovered that Mr Kasim continued to take and pass on customer data even after he started a new job at a different car repair organisation which used the same Audatex software system.

First With A Prison Sentence

What makes this case so unusual is that it is the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.

Computer Misuse Act

Even though the ICO would normally prosecute in this kind of case under the Data Protection Act 1998 or 2018 with penalties of fines rather than prison sentences, in the case of Mr Kasim it was judged that the nature and extent of the criminal behaviour required making a wider range of penalties available to the court.  It was decided, therefore, that s.1 of the Computer Misuse Act 1990 would be used in the prosecution, and it was the offences under this that resulted in the 6-month prison sentence that Mr Kasim received.

What Does This Mean For Your Business?

Since preparing for GDPR, many companies have become much more conscious about the value of personal data, the importance of protecting customer data, and the possible penalties and consequences of failing to do so.  In this case, the ICO acknowledged that reputational damage to affected companies whose data is stolen in this way can be immeasurable e.g. Nationwide Accident Repair Services and Audatex. The ICO also noted the anxiety and distress caused the accident repair company’s customers who received nuisance calls.

This case was also a way for the ICO to send a powerful message that obtaining and disclosing personal data without permission is something that will be taken very seriously, and that the ICO will push boundaries and be seen to use any tool at its disposal to protect the data protection rights of individuals. The case also serves as a reminder to businesses that looking at ways to provide the maximum protection of customer data and plug any loopholes is a worthwhile ongoing process, and that threats can come from within as well as from cyber criminals on the outside.

Fatal Security Flaws Discovered in Solid State Drives (SSDs)

Posted on by Andy Miller

Researchers from Radboud University in the Netherlands have released a paper highlighting several security flaws that they’ve discovered in SSDs which mean that data from a flash disk can recovered in more than one way, even if it’s supposedly self-encrypted.

What Is An SSD?

An SSD is a solid-state storage device that uses integrated circuit assemblies (memory chips on a circuit board with and In/Out interface to feed power and transfer data) as memory to store data persistently. Even though it doesn’t actually contain a physical disk, it is sometimes called a called solid-state disk.

Hardware Encryption Not Better Than Software Encryption

Whereas the popular belief is that AES encryption should stop you from accessing data on a disc that isn’t plugged in to its home system (encryption with SSD through ATA security and TCG Opal encryption methods) and that hardware encryption is similar to or better than software encryption, the findings of the research appear to disprove this.

Not Just Cheap Drives Vulnerable

The research looked at top-of-the-range drives including models by Crucial and Samsung, and found that only the T3 and T5 (external) drives remained secure, whereas the others were found to have fatal vulnerabilities, some to non-cryptographic hacking. Even BitLocker, the Microsoft encryption with each copy of Windows was found to be vulnerable. According to the research, vulnerabilities are such, across the range of vendors, that determined attackers could access data in many so-called encrypted drives without any keys or passwords.

Vulnerable to a Range Attack Methods

Through the reverse-engineering of the firmware of a sample of SSDs, the researchers were able to discover a number of vulnerabilities in self-encrypting SSDs that can leave them open to a range of attacks and exploits. These could include attackers seizing full control of the CPU, corrupting memory, and cracking default passwords, thereby bypassing a custom password set by a user.

Example

The researchers provided a case study of how an attacker could try to breach a locked Crucial MX300 drive with encryption via TCG Opal. The case study outlines how an attacker could install modified firmware that includes read/write capabilities, and then, if encryption is performed via TCG Opal, write executable code to bypass several layers of security, and thereby access the precious data.

What Does This Mean For Your Business?

The discovery by the researchers shows that hardware-based encryption is far less secure than businesses may have thought and that hardware-based full-disk encryption may not, in fact, be a more secure alternative to software-based methods. Also, it seems that the security flaws are in leading products across multiple vendors.

Businesses may, therefore, be best advised not to rely solely on hardware encryption as offered by SSDs for confidentiality. In fact, it may be better to also employ an open source, audited, software full-disk encryption solution.

As well as alerting businesses to the risks of relying solely on the apparently flawed hardware encryption offered by SSDs, this story should surely make vendors take another close look at their SSD products and how the security of them can be improved.

IBM Security Expert Says Prepare For Quantum

Posted on by Andy Miller

As businesses come to realise that they may be required to store some data for decades, encrypted data should be secure well beyond its useful life, and with this in mind, security architect for Benelux at IBM, Christiane Peters, is suggesting that businesses should start preparing now to implement post-quantum data protection.

Post What?

The suggestion is that, in a relatively short time, quantum computers will be commercially available. One threat from this could be that quantum computers in criminal hands could be used to try and crack encrypted business data. For example, in the US, the National Security Agency (NSA) warned back in 2015 that progress in quantum computing was at such a point that organisations should deploy encryption algorithms that can withstand such attacks from quantum computers.

The encryption algorithms that can stand up to attacks from quantum computers are known by several names including post-quantum cryptography / quantum-proof cryptography, and quantum-safe / quantum-resistant cryptographic (usually public-key) algorithms.

What’s The Problem?

Ultimately, with technology advancing at such a rapid rate and with organisations needing to keep some data for long periods of time, there is the risk that even though this sensitive data is stored in secure encrypted formats now, this encryption could be cracked in the not-too-distant future by cyber-criminals with access to commercial supercomputers. Being able to crack encryption could mean encrypted data could no longer be safe even if it is stolen. For example, this could mean that encrypted data lost / stolen in a breach this year could be accessed in the future. Indeed, it is known that some data is being stolen today with this in mind.

How To Prepare Now For Quantum Computer Risk

Christiane Peters is reported as suggesting that ways in which companies could prepare to counter the encryption code-cracking risk posed by the ability of cyber-criminals to use commercially available quantum computers include:

  • Developing / updating crypto policies.
  • Creating an inventory of all systems and applications using cryptography.
  • Classifying data and mapping data flows.
  • Creating an enterprise-specific outlook and timeline for quantum safe crypto.

Developing a Post-Quantum Implementation Strategy

Understanding that encryption is just one way to protect data, combining other capabilities with encryption will help overall cyber resilience over time. For example, companies could also focus on certificate management, mobile device management, application scanning, data loss prevention, security incident response, access control, data classification and digital forensics.

Personal Data Protection Could Pay Off In The Long Term

Christiane Peters, commenting on the findings of a Ponemon Institute study, has also pointed out that, as well as preparing for the security of cryptography in the post-quantum era, businesses that are able to focus on data protection could, by investing in security and encryption now, reap the benefits in the longer term. For example, the report shows that the average cost saving with extensive use of encryption is $13 per data record.

What Does This Mean For Your Business?

What the experts appear to be saying is that even though the use of robust, high-assurance encryption technologies may make the decrypting of protected data impossible in the short-term, this may not always be the case. The power of super-computers may mean that, quite soon, criminals may be able to crack encryption codes. In order to ensure that sensitive company data, particularly personal data is safe in the longer term, companies may want to start looking into ways that they can prepare for quantum data protection standards.

Adult Site Visits on Work Computer Lead to Network Infection

Posted on by Andy Miller

The extensive online porn-accessing habit of an employee of a US government department known as the US Geological Survey (USGS) is being blamed for a government computer network becoming infected with malware.

9,000 Pages

In an investigation, highlighted in a paper (published online) by the US Office of the Inspector General, it was discovered that the unnamed employee is alleged to have accessed 9,000 pages on adult pornography websites.

Infected

It is believed that the infection of the government network happened after the employee used their work laptop to visit pornographic websites, some of which originated in Russia and contained malware, thereby compromising and infecting the laptop. It was from this laptop that the malware was able to spread to the government network.

The employee is also reported to have saved images from the infected websites onto an unauthorised USB device, and to a personal Android phone that was connected to the government-issued computer. This resulted in the Android phone also becoming infected with malware.

Stealing Information

The big risk with malware is, of course, that it is designed to steal information and spread to other systems, and in the case of ransomware, for example, to destroy files, lock-down systems, and extort money.

Malware

In the UK, a government report from April this year found that nearly half the businesses in the UK have fallen victim to cyber attacks or security breaches in the last year, and that the most common breaches involved fraudulent emails e.g. phishing, attempts by scammers to impersonate the organisation online, as well as viruses and malware. The annual Verizon data breach investigations report from April showed that ransomware is the most popular form of malware used in cyber-attacks, and this type of malware is responsible for 40% of all successful malware attacks. The use of ransomware has doubled over the last year.

What Does This Mean For Your Business?

In this case, the use of USB devices and government computers for personal use was against the rules, but this didn’t appear to be actively monitored and / or enforced. As the government department discovered to their cost, and too late, it may have been better to address such obvious security vulnerabilities by restricting web access to certain types of websites (and monitoring this), disabling USB connections on government-issued computers, providing IT security training, and developing a well-communicated IT security policy.

This story also highlights the risks of policies such as ‘bring your own device’ in businesses. BYOD policies allow employees to bring in their personally owned laptops, tablets, smart-phones and even storage devices, and use them to access company information and applications, and solve work problems. Unfortunately, as shown in this story and in a study by SME card payment services firm Paymentsense back in May, BYOD schemes and using USB storage devices can increase the cyber-security risks for businesses and organisations. The most popular types of BYOD security incidents in the last 12 months include malware, which affected two-thirds (65%) of SMEs, and viruses (42%).

These days, secure cloud storage and storage on secure company systems are provided, and this, combined with adequate security training and forbidding the use of USB ports (closing USB ports) on company computers could be ways of minimising this kind of security risk for many businesses.

Ubicoustics Overhears Everything You Do … And Understands

Posted on by Andy Miller

Researchers in the US have presented a paper based on their research that identified a real-time, activity recognition system capable of interpreting collected sounds that could well be used by home smart speakers.

Identify Other Sounds, and Issue Responses

Researchers at Carnegie Mellon University in the US claim to have discovered a way that the ubiquity of microphones in modern computing devices, and software that could use a device’s always-on built-in microphones could be used to identify all sounds in room, thereby enabling context-related responses from smart devices. For example, if a smart device such as an Amazon Echo were equipped with the technology, and could identify the sound of a tap running in the background in a home, it could issue a reminder to turn the tap off.

Ubicoustics

The research project, dubbed ‘Ubicoustics’, identified how using an AI /machine learning based sound-labeling mode, drawing on sound effects libraries, could be linked to the microphone (as the listening element) of a smart device e.g. smart-watches, computers, mobile devices, and smart speakers.

As Good As A Human

The sound-identifying, machine-learning model used in the research system was able to achieve human-level performance in recognition accuracy and false positive rejection. The reported accuracy level of 80.4%, and the misclassification level of around one sound in five sounds, means that it is comparable to a person trying to identify a sound.

As well as being comparable to other high-performance sound recognition systems, the Ubicoustics system has the added benefit of being able to recognise a much wider range of activities without site-specific training.

Applications

The researchers noted several possible applications of the system used in conjunction with smart devices e.g. sending a notification when a laundry load finished, promoting public health by detecting frequent coughs or sneezes and enabling smart-watches to prompt healthy behaviours after tracking the onset of symptoms.

Privacy Concerns

The obvious worry with a system of this kind is that it could represent an invasion of privacy and could be used to take eavesdropping to a new level i.e. meaning that we could all be living in what is essentially a bugged house.

The researchers suggest a potential privacy protection measure could be to convert all live audio data into low resolution Mel spectrograms (64 bins), thereby making speech recovery sufficiently difficult, or simply running the acoustic model locally on devices so no audio data is transmitted.

What Does This Mean For Your Business?

The ability of a smart device to be able to recognise all sounds in a room (as well as a person can) and to deliver relevant responses could be valued if used in a responsible, helpful, and not an annoying way. It doesn’t detract from the fact that, knowing that having a device with these capabilities in the home or office could represent a privacy and security risk, and has more than a whiff of ‘big brother’ about it. Indeed, the researchers recognised that people may not want sensitive, fine-grained data going to third-parties, and that operating a device with this system but without transmission of the data could provide a competitive edge in the marketplace.

Nevertheless, it could also represent new opportunities for customer service, diagnostics for home and business products / services, crime detection and prevention, targeted promotions, and a whole range of other possibilities.