Enterprise note-taking apps face legal scrutiny as Otter hit with privacy suit

Otter.ai and other call recording, note-taking apps like Read.ai and even Google Gemini have become handy tools for many enterprise users, automatically kicking off in the background and providing full transcripts of calls and key meeting takeaways.

But some see the services as intrusive and, according to a complaint filed last week in California on behalf of plaintiff Justin Brewer, illegal. The class action alleges that Otter records all users without their consent (which is required in California and other states), and, further, uses their voices to train its speech recognition AI tools.

The complaint points out that, while Otter users may be aware of and okay with the tool recording them and their meetings, non-users, who are not asked for permission, may not. Brewer also claims that his privacy rights have been violated, suggesting that Otter is out of compliance with the USA’s federal Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and numerous California laws.

The complainants intend to start a class action, and say that more than 100 plaintiffs share Brewer’s concerns.

Broader implications

With the proliferation of transcription apps within enterprises, this complaint has implications far beyond Otter.

“AI companies, for the most part, have followed the ‘move fast and break things’ paradigm and ignored the finer points of copyright and wiretap laws,” Johannes Ullrich, dean of research for SANS Technology Institute, told Computerworld. “Requesting explicit permission from all call participants could threaten the business model for many of these note-taking and personal assistant applications.”

Otter: Nobody should be recorded without their consent

Otter has more than 25 million users globally, and recently celebrated reaching $100 million in annual revenue, which the complaint calls “an exceptional figure” for a company of its size.

The company’s “Otter Notetaker” service records participants in Google Meet, Zoom, and Microsoft Teams meetings, regardless of whether they are Otter users themselves. The company’s privacy policy and privacy and Security FAQs both state that it uses meeting participants’ voices to train its speech recognition AI.

Responding to the complaint, a spokesperson for Otter.ai told Computerworld: “We are deeply committed to safeguarding our users’ data and protecting privacy. Nobody should be recorded without their knowledge or permission, regardless of the recording device used.”

Otter Notetaker automatically takes notes for users so they can “participate more freely” in their Zoom, Google Meet, and Microsoft Teams meetings, the spokesperson said, and users are advised that transparency is important for all meeting participants.

“We encourage them to ask for permission, to indicate when they are recording and transcribing conversations with others,” the spokesperson said.

The company is “reviewing the matter,” they said, emphasizing that Otter does not initiate recordings on its own; rather, they are initiated by Otter users, and the company’s Terms of Service make it clear that users are responsible for obtaining any necessary permissions before doing so.

“All Otter users are instructed to follow any notice and consent rules, and since such laws vary across jurisdictions, we also provide users with the applicable local, state and federal requirements when using any kind of recording features, whether they record meetings using Otter or any of the various other ways to do so,” the spokesperson said.

Explicit instructions in Otter’s Terms of Service state: The Service may provide a feature that allows you to record individual conversations and/or upload recorded conversations. The laws regarding the notice and notification requirements of such recorded conversations vary by location. You acknowledge and agree that you are solely responsible for providing any notices to, and consent from, individuals in connection with any recordings as required under applicable law.”

But the complaint says of this practice: “Otter tries to shift responsibility, outsourcing its legal obligations to its accountholders, rather than seeking permission and consent from the individuals Otter records, as required by law,” it states.

It should also be noted that Otter, Read, and other transcription apps are active participants in calls, and show up in windows alongside human users. But the complaint points out that Read, for one, allows any participant, including non-account holders, to stop recording during a meeting, where Otter does not.

Plaintiffs: Otter wrongfully puts onus on users

The complaint claims Otter does not obtain prior consent from participants nor inform them that their conversations are being used to train the company’s automatic speech recognition (ASR) and machine learning models, “and in turn, to financially benefit Otter’s business.”

It describes Otter Notetaker as a “separate and distinct third-party entity” that only seeks consent to record from the host, not other participants. It may also join meetings without obtaining consent, and without sending out pre-meeting invitations or notifications unless the user enables a setting that the complaint says is off by default. Further, when joining a meeting, it does not provide a link to the company’s privacy policy.

Otter says it trains its proprietary AI on “de-identified audio recordings” and transcriptions that may contain personal information to provide more accurate services. “Explicit permission” is obtained when users rate transcripts and check a box to give it and third-party service providers access permission.

However, the complaint notes that Otter does not provide any description of what de-identification entails and says it does not remove confidential information nor guarantee speaker anonymity. The lawyers point to scientific research that reveals that “even sophisticated de-identification procedures are unreliable,” and call out Otter’s policy of retaining data for an “indefinite period.”

Brewer’s lawyers did not respond to Computerworld’s requests for additional comment.

New territory for note-taking

SANS’ Ullrich pointed out that AI note-taking is fundamentally different from old-fashioned call recording hardware and software.

“If your call is recorded using a traditional call recording system, the recording is usually only available to the person or organization recording the call,” he said. But with AI, the vendor also has access to recordings, an issue that has previously come up with other voice assistants.

For instance, earlier this year Apple settled a case around recording of Siri data, “often without the user even knowing that Siri was listening.” This is a theme in other lawsuits, as well.

More generally, the complaint highlights the moral obligation for safe and effective innovation in AI-based transcription technology and the safeguards surrounding the technology, said Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group. Serious legal and ethical implications could arise if an employee’s recording is fed into a transcription engine as training data. Unauthorized transcription can compromise confidentiality, expose privileged communications, and erode trust among employees, partners, and customers.

Enterprises should keep several factors in mind when implementing effective safeguards, he advised:

Be aware of consent laws in the jurisdiction serviced by your organization, or any other jurisdiction where your organization conducts business.

Adopt clear procedures and disclosures for all meetings where recording takes place.

Limit the use of transcription technology in sensitive contexts such as legal, human resource and executive meetings.

Identify third-party software and/or tools for proper security, transparency, and data governance.

Train employees in the ethical use of the organization’s transcribed records/notes and their privacy implications.

“Stricter consent requirements do not signal the end of transcription technology,” Jean-Louis emphasized. “If explicit consent is required for all conversations and collaboration, transcription technology will have to adapt. The path forward lies in balancing convenience with accountability.”

More on privacy issues:

Chrome extension privacy promises undone by hardcoded secrets, leaky HTTP

The ultimate Android privacy guide

How to protect your privacy in Windows 11

Meta adds privacy feature to WhatsApp days after US House ban

How to go incognito in Chrome, Edge, Firefox, and Safari