“This call may be recorded for quality assurance purposes.”  We have all heard this missive whenever we call an 800 number, or any big company.  But when we “consent” to having our voice “recorded,” what exactly have we consented to?

A recent article by the Associated Press shows how banks, credit card companies and others are using our consensually recorded conversations to create a profile of our voice, which they then use to create a voice profile.

Banks and others then share this voice profile as a form of authentication — so the bank can really tell if it is you calling for information.  Not a bad idea.  But I don’t think that it’s being implemented the right way.  And it is probably not being done legally.

Goog 411

Years ago, there was something called “Directory Assistance” from something called “the phone company.”  You would dial “411” and a voice on the other line (called, a “human being”) would ask, “what city and state?” and then “what listing?” and would provide you with the telephone number of the local movie theater, newspaper, or buggy whip outlet store.

When Telco’s began charging a dollar a call for this “service,” Google came up with something called “Goog 411,” just dial “1-800-GOOG-411” (1-800-466-4411) from your cell phone, and an automated voice would ask the same questions, and once you selected the right entry, would automatically connect you to the merchant you selected.  A pretty good, and free service.

There’s an adage in Internet parlance — if someone offers you something useful for free, you aren’t the customer.  You are the product.

Google was using Goog 411 to collect information about consumers and sell that data to merchants.  This could be as simple as “what kind of pizza do people in Topeka, Kansas like?” or “what is the most requested listing in Cheyenne, Wyoming on Tuesday nights?”  A merchant could determine whether an advertising campaign is working, or track individual user preferences.

And you thought you were just asking for a phone number.

But Google also used the Goog 411 program to collect a massive database of human voices acting naturally.  They used this database to feed their voice recognition program, and other companies likewise compiled massive databases of natural voices for things like Apple’s Siri and Windows Contera programs.

And you thought you were just asking for a phone number.

Now the banks are going further.  Not only are they collecting your voice for “quality control” purposes, but for what they call “anti-fraud,” purposes.  Call centers already use automated programs to “listen in” on your calls for indications that a customer is upset, frustrated or angry.  These heuristic programs look for subtle hints that the customer is getting upset, like rising pitch or tone, higher volume, or frequency of references to the help desk agent’s mother or lineage.

According to the AP, banks are now hiring third parties to collect and voiceprint their customers as a form of auditory validation.  “My Voice is my Password.  Verify Me.”

When Roger O. Thornhill calls the bank to check his balance, the bank records Thornhill’s voice and conducts a pattern analysis.  The next time Roger calls, the computer matches not only the telephone number and account number, but also the voice.  If the voices  don’t match, then it isn’t the same person (accounting for a chest cold, or the results of game 4 of the Nationals’ playoff game.)    Assuming it works, it’s not a bad way to authenticate people.

And that’s the problem.

Consent Consent Consent

While the majority of states require only one party to the communication to “consent” to the “interception” or “recording” of a conversation, various states like Illinois, Maryland, New Jersey, Florida, New Hampshire, California and others require that all parties to the conversation consent to the recording or interception of the call.  That’s why we have those silly “notices” that your call may be recorded.  If you proceed with notice, you have “consented” to the recording.

Recently, a brand new student driver hit one of my cars while it was parked in a High School parking lot.  The owner of the other car wanted to proceed through their insurance company, and filed a claim.  I called their insurance company, and they asked for my name, registration, etc., but then they asked for my date of birth, a PIN, and my social security number.

And I wasn’t the customer!  They also said that they were recording the conversation.  I demurred on providing my SSN and PIN, and asked that they not record the conversation.  They had no way to turn off the recording.  Since I never “consented” to the recording, the continued recording was actually unlawful in Maryland.

But even if I had consented, we have to ask what exactly did I consent to?  I really don’t object to the insurance company keeping a record of my claim, and if they think it’s easier to know what I said by recording it, so be it.  But they are also collecting a bunch of other information too — my telephone number, location, etc.  And, of course, my voice.

Consent to record is NOT consent to do whatever they want to with that recording.  If I were to call a local restaurant and tell them what a wonderful job they did, I would not have consented to have that recording used in their next TV ad.

According to the AP story, a banking consortium suggests that banks change their warning message to “This call may be monitored, recorded and processed for quality assurance and fraud prevention purposes.”  No dice, kemosabe.

The basic tenet of privacy law is that before you collect data (and especially biometric data) you have to tell the party WHAT you are collecting, WHY you are collecting it, and WHAT you plan to do with it.  The “this call may be recorded for fraud prevention” notice just doesn’t cut the mustard.

How about, “When you call this bank, we will record your conversation and make a biometric voiceprint of your call.  We will collect and store this, sell it or share it with others, and use it to not only validate your identity when you want us to, but also to identify you personally in situation where you may choose to remain anonymous.  Oh, and we can sell this data to others, or use it for any other purposes we may later decide.  Oh, and you have no choice about this, since ALL calls are recorded irrespective of your consent.”

This kind of “consent” is absurd.  It would be like saying that you have “consented” to the collection, storage and use of your DNA by drinking from a glass, or touching a piece of paper.

I am all for preventing fraud.  I might be in favor of a biometric database to help prevent fraud.  But I am seriously concerned about the potential for abuse of such a database.  For example, such a database could be useful to identify the unidentified “Westerners” responsible for the ISIS (ISIL) beheading videos. Probably a good thing.  It could also be useful to identify the Hong Kong protesters by voice, or those responsible for the Arab Spring uprisings.

If I agree to have my bank profile my voice to ensure that when I call THAT BANK I am the same person, that’s fine.  The bank will then have to protect and secure the voice biometric, and not share it with anyone without my consent.  And that would include the NSA, the FBI, or other banks.  That’s how consent works.  I don’t give up my rights just because I had the audacity to make a phone call.   No matter how much the bank may want me to.

Leave a Reply