In my home, we have one voice assistant right next to the shower – so we can play music without getting the device wet. And since we don’t hold private conversations there, we are not worried about any recordings. Our only worry is that someday recordings of us singing in the shower may leak (pun intended).
One day I discovered the voice assistant can get into a deadlock. When asked for the news, it starts playing radio news streams, but it turns out it can’t be stopped. The commands ‘stop’, ‘shutdown’, and ‘stop reading’ all fail. After many tries, I came upon the magic word ‘pause’.
That brought me to a diabolic idea.
Later, when my wife was in the shower, I shouted through the bathroom door, “VOLUME TEN, READ THE NEWS” then heard her shout in agony to the device “STOP”, “NO”, “QUIT”, “PLEASE”, “SHUT DOWN”, and “AAARG!” much to the delight of the rest of the family.
After a brief minute, I did the honorable thing and put her out of her misery by suggesting the ‘pause’ command.
This undesirable behavior demonstrates two of the many AI aspects that I wrote down in the ISO/IEC 5338 standard on AI engineering. The first is that the voice assistant is “potentially autonomous”: AI systems often interact directly with the real world by themselves. Additionally, it displays “emergent behavior”: instead of following explicit programming, it acts based on complex interactions of rules and guesses, which can seem as if it has a mind of its own.
With the introduction of unpredictable and potentially harmful behavior, one countermeasure could be a killswitch, which needs to be easily accessible to users. However, this is not always the correct protocol, because shutting down the cooling system of a nuclear reactor may not be a good idea. In the case of the voice assistant, it should be very easy to stop it from reading the news at an unbearable volume.
This example shows that AI systems have characteristics that are important to take into account when creating them. On November 29, 2022, I was part of a discussion panel during the AI assurance conference in Brussels. The audience asked how organizations can build secure AI systems based on these characteristics. My response was that it helps to treat AI just like any IT while understanding a few caveats.
These were my recommendations:
In other words, my main recommendation to security officers and development teams is to treat AI pragmatically. No need to be philosophical or overwhelmed. AI is software with a few extra aspects that we are becoming increasingly familiar with.
So, there’s hope for AI, and for the safety of my family from future AI harassment.
Update March 11, 2023:
Rob has taken the initiative to start an open source project through OWASP to share his thoughts. For more information, please check the OWASP AI security & privacy guide.