On the 2nd of this month, LG Uplus said the number of subscribers to its artificial intelligence (AI) calling app "ixi-O" had surpassed 1 million. Coincidentally, that was also the day the call information of 36 ixi-O users was leaked to 101 other users. ixi-O is a latecomer compared with SK Telecom's adot. While adot led the market by highlighting its call recording feature, LG Uplus promoted ixi-O as strong on security, citing on-device (built-in) AI as its differentiator. This incident is now stoking anxiety among ixi-O subscribers.
◇ Trying to speed up as subscribers grew led to an error and data leak
According to LG Uplus on the 9th, the leaked call information for the 36 people included some of the following: △ the other party's phone number △ the time of the call △ a summary of the call content. The leak took the form of call information belonging to an unknown ixi-O user B appearing on ixi-O user A's phone. The information of the 36 people was exposed to 101 users who had newly installed or reinstalled ixi-O.
The call information was leaked while the company was improving the service for its growing user base. LG Uplus carried out operational improvement work on ixi-O from 8 p.m. to 8:35 p.m. on the 2nd. With the number of ixi-O users recently growing, it conducted an upgrade to speed up the slowed server. The work targeted the scenario in which recent call history and summaries are restored when the ixi-O app is reinstalled, and was meant to fix behavior that requested that information redundantly. Up to that point, the company had no idea an error had occurred.
The data leak came to light through a customer report. At 10:22 a.m. on the 3rd, an LG Uplus customer found another user's call content, not their own call records, on the ixi-O screen and reported it via the Voice of Customer (VOC) channel in the app. LG Uplus rolled back the ixi-O service improvement work within about 40 minutes of the customer inquiry and brought the error to a close for the time being.
Subsequently, over three rounds, the company blocked app access so that the 101 users could not view other ixi-O users' call records. LG Uplus said it notified the 36 customers whose information was leaked by phone, and informed those who were hard to reach via text messages and other means. It then reported the matter to the Personal Information Protection Commission. A telecommunications industry official said, "It's unlike LG that a customer data leak happened due to a work mistake, and that the company learned of a critical error through a customer report."
◇ It turned out to be a half-baked "on-device AI"
This call information leak became controversial because LG Uplus had emphasized on-device AI and said call content is not transmitted to the server, which raises the question of how the information could have leaked.
On-device AI refers to technology that performs AI computation on the device itself, such as a smartphone, PC or car, without going through a cloud server. It is known to reduce cloud dependence, which increases response speed, strengthens security and lowers costs. In particular, because data is processed inside the device without being transmitted to an external server, it is preferred by corporations and individuals from an information protection perspective.
The company said the full call audio and content are not stored on the server, but call logs and summaries are stored on the server for six months. LG Uplus said, "Just as previous data follows when you change devices on mobile messengers, we temporarily store call information on the server for six months," adding, "This part is also stated in the privacy policy."
Experts say on-device AI cannot be regarded as unconditionally safe. Hong In-ki, a professor in the Department of Electronic Engineering at Kyung Hee University, said, "It is true that on-device AI is relatively advantageous in terms of security because it is not connected through the cloud, but as this case shows, if the network is connected, you cannot assume it is necessarily safe."
In an evaluation by Kalyan Nakka, Jimmy Dani and Nitesh Saxena at the SPIES Lab in Texas on "the reliability and ethics of small language models (SLMs) applied to on-device AI," results showed that on-device SLMs had much lower reliability than server-based SLMs. The researchers particularly saw greater risk that on-device AI could leak personal information.
◇ Cold water on ixi-O's smooth sailing… can it regain user trust?
Whether this call information leak was a simple employee mistake or an unforeseen error in ixi-O's development process will only be clear when the results of the investigation come out. LG Uplus emphasizes that it stemmed from a simple mistake and is different from hacking.
According to the data analytics solution Mobile Index by IGAworks, ixi-O's domestic mobile monthly active users (MAU) first surpassed 10,000 in Apr. this year and increased to 70,000 in Jun. Last month it recorded 326,715. It still trails far behind adot, but it is growing fast. SK Telecom's adot has been sluggish, with MAU of 1.81 million to 1.87 million in Oct.–Nov. this year.
LG Uplus said it confirmed that the leaked information did not include unique identifiers such as resident registration numbers or passport numbers, nor financial information. Still, despite the company's explanation, it is questionable whether customers will trust and use ixi-O. If employee mistakes recur, similar data leaks could happen.
Kim Yong-dae, a professor in the School of Electrical Engineering at KAIST, said, "LG Uplus' call information leak showed that when there are no safeguards to prevent leaks, similar incidents can occur due to mistakes or even intentionally," adding, "Development and operations processes that consider privacy protection and security must be established."