Dictation app raises privacy concerns Watch Now

Looking at everything with a hearty dose of cynicism is an occupational hazard of security reporting. Whenever a data-hungry app or service is free, there's always a looming feeling of "what's the catch?"

Enter the latest example: Otter, a free transcription app. It lets you record and transcribe meetings in real time. Anyone who's transcribed knows how boring and arduous it is -- and reporters, especially, hate doing it -- even if it's important to have a written record of meetings, source interviews, and other events.

The app, powered by parent company AISense, uses artificial intelligence to churn out accurate transcripts that identify speakers, suggest keywords, and allow keyword searching.

Otter was covered by several tech publications, including Mashable and TechCrunch -- and even here on ZDNet and our sister-site CNET.

Depending on where you read, the app's creators claim "all the data is stored and moved around securely, with no one except the owner having access to it," and that the company is apparently "not interested in peeking into your materials so it can create a profile that will target ads to you."

But nothing in the company's privacy policy explicitly supports those claims.

That's a problem for anyone using the app -- whether it's a reporter who's relying on a sensitive source for stories and needs to keep their identities a secret, or company executives who are discussing proprietary information in a business meeting, just to name two examples.

Otter, like most other apps and services, has a terms of service and a privacy policy -- neither of which have been updated since early to mid last year. In most cases, these legalese-heavy documents are boilerplate guidelines used across the industry as to what data a company will collect, and how it will use and sell user data. Most policies are standard and share common features -- but apps and services that are dedicated to a user's privacy will contain specific language that rules out using a person's data for advertising or data mining, for example.

Neither policy appears to have assurances that the recordings you upload -- which may contain corporate confidential information or sensitive and personal data -- won't be accessed or used in some way.

After we contacted the company and first published this story, Otter scrambled to update the policy and remove key portions that we highlighted, such as granting the company the rights to access and use your data.

We specifically asked (several times) if employees can access submissions or transcriptions. An Otter spokesperson confirmed that the company does have access to user audio and transcription data.

"Only our CTO has access, and our CTO will only permit access in response to a legitimate user request," said the spokesperson. "We only access account-level user data for troubleshooting purposes in response to user queries."

"Users have full control to delete anything from their Otter account. Once it is deleted, we immediately disable access and purge data from our environment," the spokesperson added.

It's not clear based on the company's team page exactly who the company's CTO is -- or what controls are put in place to prevent abuse or hacking.

It's generally assumed, unless explicitly said otherwise, that most tech companies can get access to the data you store with them in some way or another. That's why so many tech companies in the wake of the NSA surveillance scandal began rearchitecturing their systems to shut out law enforcement from their products and services.

Some went completely the other way. Evernote, for one, sparked anger when it changed its privacy policy to allow employees to access private customer data. It later reversed the policy amid the backlash.

Many companies, apps, and services use zero-knowledge or end-to-end encryption, which guards against interception -- including the companies providing the service. These encryption mechanisms are usually employed to guard against government demands for data.

Otter's privacy policy also states that it "may also share" customer data "to respond to lawful requests."

While encryption was only mentioned once in both policies, advertising was mentioned several times.

Even though the privacy policy we reviewed expressly allowed Otter to use customer data for advertising, the company said users shouldn't worry about it.

The spokesperson said the company "will soon roll out a subscription-based revenue model," and that the service has "no plans" to be ad supported.

"We are not in the business of selling user data," said the spokesperson, adding that the company "will be sure to clarify" when the privacy policy is next updated -- which it subsequently was within hours of the publication of this story.

The portions of the policy were removed after we published our story.

In today's data hungry tech industry, it's natural to assume that a free app means "you are the product," as the old adage goes. But that's not always the case. There are so many free sites and services with no hidden agenda -- there's no secret data mining or selling your data. For its part, Otter may well be true to its word, like other transcription and data hungry companies out there. But privacy policies -- as boring as they are to read -- are there for this exact reason.

Bottom line: If you don't trust a privacy policy, don't use the service.

Update on March 6: Otter quietly updated its privacy policy and terms after this story published to remove mentions of advertising and other minor changes, including removing key paragraphs mentioned in this story. The company can, however, still access uploaded recordings and transcriptions.