Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.
Dear DST,
At this moment where many companies are using “AI” to market their tools, I noticed some tools I depend on doing the same, particularly cloud transcription services like Otter.ai. How concerned should I be about transcription tools?
Signed,
In This Nimbus
Hi Nimbus,
People of a certain vintage remember the dark days before a computer could transcribe an interview for you. For every one hour of audio, you might do three or four hours of typing, pausing, typing, pausing. … And now that I’m done revisiting those horrible memories, I have to say I really like having online transcription tools as an alternative. These tools are especially useful if you are uploading content that isn’t particularly sensitive to share with a third party, such as an interview that you plan to publish in full. In fact, at Freedom of the Press Foundation (FPF), we use Otter.ai for non-sensitive audio just like this.
But because I’m a security person, I can’t just accept nice things. I have to know more about how they work and the compromises I’m making when I use them. While these tools are fantastic, we would be remiss if we didn’t mention that they are not perfect and may have security flaws. If you’re a journalist using AI-generated transcripts to quote sources, we’d recommend double-checking the quote against the original audio.
Whether they use AI-automated transcription or human transcriptionists, online transcription services need you to upload your audio in a form that the service provider can read and, therefore, record. This means that you really need to trust the service provider before uploading.
Some automated transcription services make assurances (e.g., Trint) in their privacy policies that they will not look at transcriptions. Services like Rev have confidentiality agreements with their human transcriptionists. Depending on the sensitivity of the documents you’re working on, these assurances might be good enough, but it really depends on what kind of material you’re uploading.
Another issue that people might not be thinking about: What if your account is breached? With some exceptions (e.g., Otter.ai, Rev), many of these services do not offer even basic account security features like two-factor authentication.
Check if your preferred transcription app allows two-factor authentication. If not, an attacker may be able to log in with just a username and password. We know it’s all too common for people to reuse passwords across websites. If the password you use on a transcription site is one you also use elsewhere, and those credentials are ever caught in a breach, attackers may try out your leaked credentials on multiple websites. This is another reason we recommend using a password manager to create unique passwords, thereby isolating potential damage from a breach.
For topics that are too sensitive to entrust to a third party, I’ve been getting into the habit of using offline transcription tools that run on my device instead, such as OpenAI’s Whisper, though this does take a little more technical knowledge. If you have a fully updated iPhone that supports Apple Intelligence, you can also use it to transcribe phone calls or FaceTime audio using your phone’s built-in software. Likewise, some Android devices (e.g., the Google Pixel line) include a real-time transcription app. But sometimes the easiest and safest choice is to transcribe the relevant sections of sensitive interviews by hand.
In the end, there are a lot of legitimate uses for these tools, and they can be a real time-saver for journalists. But now you have to make some decisions about when they’re the right tool for the job.
Check out our research on some of the most popular transcription tools among journalists and learn more about their security properties.
Best,
Martin Shelton