On May 12, 2025, the Canadian Centre for Cyber Security (the Cyber Centre) published guidance addressing cyber security risks associated with voice-activated digital assistants (the Guidance).

The Guidance describes “voice-activated digital assistants” as a type of smart device that can control other devices when prompted by a human voice. These assistants come in various forms, such as smart speakers or smartwatches. They use voice recognition to perform tasks like checking the weather or playing music and can communicate with other smart devices through the internet, forming a network known as the Internet of Things.

The Guidance explains that a voice-activated digital assistant’s ability to connect with other devices makes it an attractive target for cyber threat actors. Specifically, the interconnected nature of these devices means that a vulnerability in one digital assistant or connected device may jeopardize the security of the entire network. Further, when a voice command is given, these devices send the recorded voice command to a cloud-based service, which may retain a recording or transcription of that command, including any potentially sensitive or confidential information (especially if the voice command feature was accidentally triggered).

To combat these threats, the Cyber Centre recommends reviewing vendors’ privacy policies and security practices before using these digital assistants, and asking certain questions when selecting a vendor, such as:

  • Can the listening feature be turned off?
  • Who has access to raw voice or text data?
  • How long is the data stored and where is it stored?

The Guidance also outlines best practices for securing voice-activated digital assistants, including:

  1. setting strong, unique passwords and enabling multi-factor authentication;
  2. disabling the assistant when discussing sensitive topics near it;
  3. reviewing the device settings to limit data collection, such as turning off remote access functions or active listening if not needed; and
  4. regularly deleting voice request history to ensure there is no memory bank of your voice profile and the contents of your conversations.

For a full list of best practices and information on threat mitigation, see the complete Guidance here.

Summary By: Victoria Di Felice

 

E-TIPS® ISSUE

25 06 11

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.