-
Notifications
You must be signed in to change notification settings - Fork 10
Security Issues
We are making speech software and part of that is making sure our users are safe.
To make good speech software we have to look at all the ways that a bad person might try to do bad with it.
This is a good list for people:
- working on the Open Voice Factory so that they can make good choices
- using the Open Voice Factory so they can think about how they manage their own risks
- using any speech software - because almost all of the risks apply to all existing devices.
We're only looking at risks around speech devices here - there are lots of other risks our users should probably think about - particularly around carers. Some risks are much less likely with the Open Voice Factory, but some are more likely.
Imagine an OVF user called Alice. There is also a bad person called Malory. Malory is interested in causing trouble by altering Alice's speech device.
Malory might:
- Try and change the settings on Alice's hardware hosting the Open Voice Factory.
- Try and break into the Open Voice Factory server to disable or alter messages
- Steal Alice's access link to view all the words and utterances in Alice's voice.
- Steal Alice's hardware to read previous conversations
- Steal Alice's templates and replace some messages so that Alice says silly words in public, or, say, CAN'T complain that Malory is stealing from her.
(This is a relevent cartoon)
Looking at the potential risks one at a time:
This is only possible if Malory has physical access to the hardware (a family friend or a care worker). Some devices have passcodes that stop users altering settings. The Open Voice Factory doesn't have a password, but the local client has very few settings anyway (one can switch on and off scanning and that's about it) so this is quite low impact.
This is hard to do and needs a lot of technical skill. However it doesn't need physical access to a machine. The main way it is a risk to Alice is if she is accidentally involved - Alice's service could be affected by someone trying to damage Bob's device (assuming Bob is another user on the same server).
This needs access to the hardware, it's definately a crime and mostly importantly - the Open Voice Factory doesn't record any conversations. This is low risk.
Because we want to make voices as easy as possible to access, we don't have usernames or passwords - each uploaded template creates a new scrambled url for people to use. The good news is that anyone with that URL can use the voice, the bad news is that anyone with that url can use the voice. We try and make this as clear as possible to users.
Steal Alice's templates and replace some messages so that Alice says silly words in public, or, say, CAN'T complain that Malory is stealing from her.
This is hard, Malory needs physical access to the device (or needs to con a carer into switching language packs) - it is no more likely with the Open Voice Factory than with any other AAC device, but we need to be aware of how serious this might be.
That's a fairly exhaustive list of potential problems. The next stage of this is to ask yourself how much risk there is of someone causing one of those problems to you. Be careful who you let access your device and who is given access to the URL.
We've tried to find a balance in the Open Voice Factory between security and use. For example - we don't require usernames and passwords because we think that puts up a big barrier for some of our users - but we do make sure that there is only one (scrambled) url that lets people access a voice. We also don't let people edit a voice when it's been created - so you are protected from tampering that way.
We don't record any conversations, or even any tracking information, so there is no way that you can be comprised that way. And we've been open about our code, and our process - so you can feel secure that we aren't acting badly, even if Malory is.