iluom
Contributor II

Machine Translation Solution and Security

Hello!

 

Is it really safe and secure to use any third party Machine Translation Solution? I would like to see potential issues with machine translation solutions offered by 3rd parties.

If the purpose is for the customer support agents to chat with non-English customers.

Did anyone see any vulnerabilities or attack surface in using those translation APIs?

Any thoughts to share?

What kind of care should I take before using those APIs? Any suggestion appreciated.

 

Thanks

 

 

Chandra Mouli, CISSP, CCSP, CSSLP
5 Replies
rslade
Influencer II

> iluom (Contributor I) posted a new topic in Tech Talk on 10-05-2019 10:21 PM

 

> Hello!   Is it really safe and secure to use any third party Machine Translation
> Solution? If the purpose is for the customer support agents to chat with
> non-English customers. Did anyone see any attack surface in using those
> translation APIs? Any thoughts to share? Thanks

 

Well, the standard test is to actually do a translation. So, let's take your posting and put it into Latin:

 

(Well, I'd post it here, but the Dreaded "Community" Pr0n Filter has struck again.  A perfectly normal Latin word [the word for "with," as it happens] appears to be "rude" in English.)

 

Now, I'm not a native Latin speaker, so let's translate it back:

 

Hi! The third they are not really a part of a machine and easy to use Is it safe The solution in translation? If the fact that the minister agents Customers with non-English chat. Any surface of any force Those who use the translation APIs. However, there is a part? thanks

 

Hmmmm. I wouldn't sign any translated contracts ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CraginS
Defender I


@iluom wrote:

 

Is it really safe and secure to use any third party Machine Translation Solution? w...

Any thoughts to share?

What kind of care should I take before using those APIs? Any suggestion appreciated.


Mouli,

Here are a few questions that come to mind.

1. Is your company subject to the GDPR, or other privacy protection laws?

2. Is the translation function operated completely in locally installed software and processor, or does it rely on sending the text across the internet to the solution provider system for translation (a la Google Translate)?

3. How much of the translation content is stored locally and how much at the solution provider? For how long?

4. Given that help desk calls may include protected privacy information and possibly financially sensitive information, what access does the solution provider have to that information?

5. What data ownership rights are contractually defined for the original and translated text, for both your company and the solution provider?

 

You can see, none of the above deal with your security concerns but they set the stage for appropriate security questions about the service.

 

6. What intrusion protection and privacy protection controls are in place at the solution provider?

7. What intrusion alert and data leak protection (DLP) capabilities are operating at the solution provider?

8. What data breach laws is the solution provider subject to?

9. What customer notification and recovery processes does the solution provider follow in case of a breach?

 

I imagine community members can suggest additional considerations for this situation.

 

Due diligence can certainly be a bit of effort, eh?

 

Good luck.

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
wimremes
Contributor III

The first question I'd ask is: What is your threat model?

 

What are the scenarios you can come up with where the translation service would extend your attack surface in such a way that it could impact your business? 



Sic semper tyrannis.
iluom
Contributor II

Thanks for your suggestions.

Here I found a good resource:

 

https://www.vendorsecurityalliance.org/questionnaire2018.html

 

 

 

Chandra Mouli, CISSP, CCSP, CSSLP
denbesten
Community Champion

@rslade points out the most obvious issue... Translators are "serviceable" in that they make it possible for you to figure out what somebody is saying in another language, but they do not deliver "professional" results that I would want representing me or my company to our customers. Grammar and spelling are a huge reputational factor in non-verbal communications. My general rule is that I will use them for reading, but not writing.

 

From a "security" perspective, you need to consider that the data being translated is being shared with a third party. In doing so, you open the possibility that they can become aware of confidential information and that you are giving them the possibility of misrepresenting the conversation to the other party, either inadvertently or with malicious intent.