You’re testing out a new Speech-to-Text API or speech recognition software. You upload your audio or video files, select your requirements, receive your transcription, and move on to the next step in your project.
But what happens to the files you uploaded? Are the files protected? When considering a Speech-to-Text provider to work with, don’t assume all your data is safe. It’s important to ask the right questions about Speech-to-Text security before choosing the best API for your project.
Taking the time to understand and address these concerns helps you protect your users' data, and become a trusted partner. If you’re an application developer, here are the questions about Speech-to-Text data security to explore before choosing the best Speech-to-Text API for your project.
Speech-to-Text Security and Data Concerns
All security revolves around three fundamental problems:
1. Customers expect you to restrict access to only those that require access (confidentiality).
2. They expect that information being provided, and derivative outputs are accurate while adhering to their original purpose (integrity).
3. They expect information to be available when it is needed (availability).
Together, these three challenges form what is commonly known as the “security triad.”
Though these are simple problems at face value, they can become increasingly complex as products become more utilitarian. APIs, while making the development process significantly easier, can introduce serious risks if controls are not properly implemented. It is critical to ensure that you, as a developer, are asking the right questions to your API providers to ensure that you are partnering with secure and reliable organizations to safeguard your customers’ data to your customers’ expectations.
Here are some starter questions while selecting an API provider for your next build:
1. Have I accounted for defense in depth while accounting for risk?
Not all data is equal. Safeguards should never exceed the risk that they introduce into projects. It does not make sense to put a $100 lock on a $50 bike. As the analogy implies, developers should spend more time protecting sensitive data than non-sensitive, or public data. Data should be classified and safeguarded in ways that are appropriate given their reason for use.
Sensitive files require a high degree of care, and strong security measures. For example, audio files may contain sensitive customer information or personal data such as credit card numbers, social security numbers, addresses, phone numbers, medical history, or more. This data is highly valuable and impactful if the confidentiality, integrity, or availability of the data is compromised. This type of data should be safeguarded by segmenting the organizational network using recognized networking practices, and/or making use of cloud provider security grouping with granular identity and access management (IAM) implemented. Making use of transcription services with PII Redaction features reduces risks associated with sensitive data leaks or networking errors for more sensitive data.
2. Does the API provider adhere to industry standard frameworks?
Trust is a foundational element of commerce. Modern applications are used by creating webs of trust, and creating synergies by utilizing specialized capabilities of multiple specialized tools and areas of expertise. It is extremely rare for API providers to produce products that are outstanding in multiple areas.
With that said, it is important to adopt standards to ensure the security of your speech-to-text providers are at parity with yours, and your other API providers. This is where cybersecurity frameworks come in. Cybersecurity frameworks exist to help organizations adopt standard practices, and to help organizations demystify complex cybersecurity challenges and adopt strong practices vetted by industry experts. Frameworks such as the National Institute of Standards and Technology (NIST) 800 series, American Institute of Certified Public Accountants (AICPA) SOC 2, and Payment Card Industry Standards provide an inventory of suggested controls for organizations to adopt based on significant research from subject matter experts.
An added benefit of adopting a security framework is the reduction of overhead associated with control implementation, and skilled professionals required to maintain the security of services. Standardization helps build effective, redundant, and reliable programs to ensure single points within the security organization are reduced. This benefit cannot be understated given the lack of skilled cybersecurity professionals globally.
3. How much transparency is provided in code-level controls?
API services are often comprised of so many services that it is difficult to keep track of code. This is where using tools such as Software Composition Analysis (SCA) can be of great benefit. Leveraging SCA allows organizations to have greater transparency into “what goes into the sausage”. SCA enables organizations to effectively use open-source ecosystems while conducting automated examination of components. SCAs can be utilized by using professionally curated and proprietary research, matching accurate scans against that proprietary intelligence, and demonstrating libraries and SDKs used inside their favorite tools. This helps track dependencies and ensures that egregiously vulnerable code is not used in production while reducing security risks to your organization.
SCAs are not always feasible for organizations to adopt as they can be expensive, time-intensive to operate, or both. Asking for vulnerability scans, remediations with timelines, and recent updates made to services is a sound alternative for organizations to adopt if using advanced techniques is not feasible.
4. What technical controls are supporting the security of my data?
Encryption
Encryption keeps your data confidential and protected from unauthorized access. Here are some types of encryption and features to look for:
End-to-End Encryption
End-to-end encryption (E2EE) guarantees that data is encrypted on the sender's device and only decrypted on the recipient's device. This means that data remains encrypted during transmission and storage, protecting it from interception and unauthorized access. Look for APIs that offer E2EE for both your audio/video files and transcriptions.
AES Encryption
Advanced Encryption Standard (AES) is a widely trusted encryption protocol used globally to protect sensitive data. AES-256, in particular, provides a high level of security and is commonly used by government agencies and financial institutions. Make sure the API uses AES-256 encryption for data at rest and in transit.
TLS Encryption
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. TLS is essential for protecting data during transmission over the internet. Look for APIs that support the latest versions of TLS (TLS 1.2 or TLS 1.3) to guarantee secure communication channels.
Verify that the API complies with industry encryption standards and certifications, such as FIPS 140-2 for cryptographic modules. Compliance with these standards indicates that the provider follows recognized best practices for encryption and data security.
In addition to encryption, data masking and tokenization can provide an extra layer of security. Data masking obscures sensitive data elements, while tokenization replaces sensitive data with unique identifiers or tokens. Look for APIs that offer these features to further protect sensitive information.
Malware Prevention
Malware can disrupt operations and negatively impact the confidentiality, integrity and availability of systems. Malware prevention remains a critical control for all organizations, and those delivering services via API are no different. Malware prevention helps ensure organizations remain operational and respond more quickly to incidents while safeguarding against the corruption of sensitive files being sent. Organizations with good malware protection are typically better equipped to safeguard their customers’ most valuable assets - their data.
Role Based Access
RBAC can significantly improve your API security by limiting the exposure of sensitive data. Data should only be accessible to individuals who need it to conduct their duties. Properly implementing role-based access adheres to the principle of least privilege, and reduces risks associated with any harm that may come from the misuse of data. Ask your API providers about their role-based access schemes, and who has access to your audio and transcription files. Knowing how access is granted will help inform your decision about whether providers are able to adhere to your organizational security needs.
Speech-to-Text Data Security Best Practices
Now that you know what to look out for, here’s what are considered data privacy best practices for Speech-to-Text APIs.
Look for Speech-to-Text APIs that:
- Don’t Store Raw Audio/Video Files After Transcription: Once the transcription is complete, the API should delete your raw audio or video files. Keeping these files increases the risk of unauthorized access. Always check that the API has a policy for automatic deletion of these files once the job is done.
- Keep Encrypted Versions of Transcription Files: If the API needs to store your transcription files, they should be encrypted. Encryption keeps your data safe from prying eyes. Also, it’s important that you have the option to request the deletion of these files at any time and that these requests are handled quickly.
- Handle Sensitive Data with Care: If your files contain sensitive information, like customer details or medical records, they need to be handled with extra care. These files should never be shared with third parties without your consent. They should be securely stored and promptly deleted after transcription.
- Follow Transparent Data Handling Policies: Look for APIs that are upfront about how they handle your data. They should have clear documentation that explains their data management, storage, and protection practices, including encryption methods and data retention policies.
- Offer End-to-End Encryption: Your data should be protected at all times, from when you upload it until it’s deleted. This means using end-to-end encryption to keep your data secure during transmission and while it’s stored.
- Testing and Patching: What was secure 5 years ago is not secure today. This statement will continue to be true for the foreseeable future. Partnering with organizations that regularly test and patch their products while aligning to cadences defined by standardization bodies is highly impactful in ensuring your application is secure.
- Perform Regular Security Audits and Updates: Choose APIs that regularly review and update their security measures. The tech landscape is always changing, and what worked yesterday might not be enough today. Regular audits help to protect against new threats.
5. What training have your developers had recently?
Security is like a muscle that requires exercising. Following regular training regimens centered around cybersecurity will help ensure your most important asset (your people) remain equipped with the latest in data security practices. Your provider should conduct regular training on adversarial techniques, such as the Mitre Att&ck Framework, and OWASP top 10, to help ensure that product security is recognized throughout the development lifecycle. Training should be reviewed annually or more frequently, and be required by everyone that interacts with code that goes into production.
Why Security Matters
Data is one of your most valuable assets, and as a developer, you need to be aware that many of your customers have the same sentiment. Demonstrating strong security practices will help you gain the trust of your customers while maintaining the viability of your business.
Here are a few examples and case studies of modern-day businesses where security was not prioritized correctly, and examples of strong security programs benefiting customer organizations:
Success Story: Zoom’s Improved Security Measures
During the COVID-19 pandemic, Zoom faced scrutiny over its security practices, particularly with "Zoombombing" incidents. In response, Zoom implemented end-to-end encryption for its meetings and improved its privacy policies. These measures significantly improved user trust and demonstrated the importance of proactive data security practices.
Case Study: Facebook-Cambridge Analytica Scandal
The Facebook-Cambridge Analytica scandal is a prime example of improper data handling leading to massive misuse. Cambridge Analytica harvested the personal data of millions of Facebook users without consent and used it for political advertising. This breach of trust highlighted the dire consequences of inadequate data privacy practices and the need for stringent data protection measures.
Success Story: Apple’s Commitment to Privacy & Transparency Around Access
Apple has built a strong reputation for prioritizing user privacy. The company encrypts data on its devices and does not keep a copy of users' personal information. Apple’s clear stance on privacy has earned it trust and loyalty from its customers, demonstrating the value of robust privacy measures.
Maintain Confidence in Security and Speech-to-Text Privacy
At AssemblyAI, handling data responsibly is our top priority. That’s why we strictly adhere to the security practices outlined above. If you can’t find data security outlined explicitly in the terms of your partnership, be wary.
This may not mean that your data won’t be handled responsibly, but you don’t want to find out after the fact when your request to delete sensitive data is denied, or if a data breach occurs.
By finding an API that is transparent about their data security practices up front, you can be confident in your relationship moving forward.
If you’d like to speak with us about data security, Speech-to-Text privacy, or other concerns prior to using our API, please contact us.