Meeting minutes
privacy
gerard: personal assistant isn't really personal
… because it's in a call center or the cloud
debbie: maybe IPA providers shouldn't be called personal because they don't belong to a person
hugues: the personal assistant has the history
… the whole dialog section could be in your pocket
… how to keep personal information away from a cloud provider
… the other issue is how do I increase my context with encryption
debbie: could we put a privacy barrier between the Dialog and the IPA providers
hugues: the provider shouldn't be able to access the context
hugues: if the provider requests confidential information, it will need my approval
… for example, if I'm buying a flight, it's good if I don't have to repeat the information
debbie: you have to balance security with driving the user crazy
hugues: most people don't understand why we need security and privacy
… a medical system is even worse
debbie: let's agree on privacy requirements
gerard: goes in 3.3.6
Brainstorming privacy requirements
1. keep user's personal information secure during interactions
2. enable authorization of personal information for user's intended purposes
3. keep user's dialog secure
4. keep provider's dialogs secure
5. enable personal information to be used later as part of context in future conversations
6. reuse of trained ASR should be possible, for example, by feeding a vectorized model to improve understanding
7. enable any part of the dialog to be used later as part of context
8. support levels of security (e.g. name vs. your financial situation), school records would have different levels. The levels could be assigned ratings or levels of security, e.g. this information has a level 5 rating, the server has to be certified to support that rating, the certification has to support that rating. Does this exist? Part of the trust organization of the web like SSL?
9. Some organizations, such as banks, will request certification, and still want to be able to use their mechanisms
10. don't prevent organizations from using their own security mechanisms
Amazon has special agreements with banks, so that the banks trust them
This bank requirement is also for payment information
equivalent to single sign-on for business
11. is there something equivalent to a "trusted device" for voice?
12. Does it trust the phone or the browser? Browser is more correct; users need to authenticate the new device
13. what about two people using the same phone? For example, biometrics
debbie: resume next time