《Trends 2018: Personal data in the new age of technology and legislation》, provided by Harbin Antiy Technology Group Co., Ltd.

2018-07-12

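Privacy is (or should be) a fundamental human right. Today, end users' understanding of "privacy" leans toward data privacy or information privacy. This deviation makes protecting data for end users increasingly complex. On one hand, technically skilled privacy enthusiasts leave no digital footprint anywhere; on the other, in real life the vast majority of end users leave digital footprints everywhere, giving cybercriminals a web full of sensitive data.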

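Data is driving the next revolution in technology and feeding the vast artificial intelligence (AI) systems being built. The question is: when any sensitive data enters one of these systems, how many machine-driven decision-making processes have the right to delete that data, and do the companies collecting it know where and how their AI systems use it?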

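Although most end users know that they provide personal data to social networks or companies through forms and applications, data collection by many providers and services may be less transparent.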

Free software and services

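Because consumers expect to use software for free or at very low cost, some vendors have decided to go into the data-collection and data-sharing business. Free software providers have only a few ways to monetize their products, and the one that appears least intrusive (at least from the perspective of what the end user actually sees) is to collect user data and sell it to third parties.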

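Over the past year, we have seen trusted security vendors decide to offer free antivirus products. Although they have not openly stated how they intend to monetize these new free products, we predict that some of them will monetize through indirect methods such as data collection.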

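Since Microsoft began offering Windows Defender Antivirus for free, the trend of vendors offering free antimalware products and monetizing them through indirect means has intensified. Naturally, as a percentage of users move to Microsoft's free service, existing vendors have fewer opportunities to sell software, so they have turned to other means of monetization, namely offering their own free software rather than competing directly.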

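In 2018, the trend toward free or low-cost cybersecurity software will continue. This will increase the risks related to data privacy, because free software usually lacks traditional monetization methods and instead introduces complex disclosure statements that obscure the intent to collect and sell user data. The practices of many companies demonstrate this: they provide lengthy, hard-to-understand privacy policies that only lawyers can read.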

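Therefore, when faced with a free product, it is very important that users understand how the company offering it makes money. For example, a mobile game may show ads or boost sales of the game. If a company's means of making money is not clear, then your data and privacy are very likely its means of making money.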

Internet of Things

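While free products and applications all know our online habits, the adoption of Internet of Things (IoT) devices means that even more sensitive data can now be collected and exploited.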

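As you drive home from work, your phone transmits traffic conditions and shares them with other drivers, in the hope of avoiding congested roads and getting home earlier. The connected thermostat at home communicates with your phone, showing your location and the time. Right now, you are on your way home. As you enter the street where you live, the garage door opens automatically based on your distance. The lights in the house come on, and the music you are currently playing transfers automatically from the car to your home. IoT devices work together to make our lives more convenient.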

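And every device can collect data. By stealing this data, an attacker can paint a full picture of your life: where you work, where you eat, when you go to the gym, which cinema you go to, where you shop, and so on. Combined with advances in machine learning and artificial intelligence, this data means that we are starting to become puppets of technology, as it increasingly makes decisions for us.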

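Gartner analysts predict that by 2018 there will be 11.2 billion connected devices worldwide, and that by 2020 this number will reach 20.4 billion. The rise of the machines is coming, so beware! Whenever a device asks to be connected, we need to educate end users to read the privacy policy and make an informed decision about whether to accept the data collection terms.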

Legislation

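Starting in May 2018, the European Commission's General Data Protection Regulation will come into effect. The regulation gives citizens more power to decide how their information is processed and used. It affects any company that processes or collects the data of EU citizens, regardless of where the company is located.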

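Violating the regulation can result in huge fines, but there is no clear answer as to how fines will be imposed on companies outside the EU. Once enforcement begins on May 25, the European Commission may make an example of a company outside the EU as a show of force. If it does not, many multinational companies may take the risk of not complying, so we may see the European Commission take action in 2018.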

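In 2017, the new US administration repealed pending legislation that prohibited internet service providers (ISPs) from collecting customer data without permission, setting US privacy law back. Although some ISPs have voluntarily pledged not to allow third parties to use this data, that does not mean they will not use it for their own commercial gain.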

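The data collected from our online activity is enough for hackers to get to know us, yet we do not know that someone is collecting our information.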

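Customers' personal data may become a target for hackers, and we have already seen data breaches caused by attacks on data sites, stores and other websites. Stealing data by monitoring our online activity is a cybercriminal's trump card, giving them the opportunity to blackmail users.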

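For many software and service providers, the ability to manipulate large amounts of data and then use it for something meaningful is relatively new, because the costs of data storage and processing have recently dropped sharply. The "big data" ecosystem now means that more companies are able to collect, correlate and sell their data.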

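Companies can easily collect data and sell it, while we are willing to accept default settings and unwilling to take the time to read privacy policies carefully, which means that our identities, lifestyles and personal data are becoming corporate assets.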

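I hope that users' security awareness will improve in 2018. Realistically, though, I think more data will be collected without users even realizing it. As we carelessly connect every device to the internet, our privacy will be eroded further, until there is no privacy at all.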


《Trends 2018 - Personal data in the new age of technology and legislation》

https://www.welivesecurity.com/2018/01/18/trends-2018-personal-data-new-age-technology-legislation/

TONY ANSCOMBE

18 JAN 2018

Privacy is, or should be, a fundamental human right. Nowadays, the understanding of what the term privacy means for the end user inclines towards data privacy or information privacy. This deviation makes maintaining the desired data-neutral position for the end user increasingly complex. On one hand, there are extremely technology-driven privacy enthusiasts who cultivate zero digital footprint anywhere; on the other, in real life, the vast majority of end users leave a footprint everywhere, giving cybercriminals a web-scape full of sensitive data that looks like a sandy beach on a busy day.

Data is driving the next revolution in technology and feeding the vast artificial intelligence (AI) systems being built. The question is: when any sensitive data enters one of the systems, how many machine-driven decision-making processes will be able to enforce the right to erasure and the right to be forgotten and will the companies collecting this data understand where and how it is being used by their AI systems?

While the majority of end users understand that they are giving their data to social networks or to companies through forms and applications, there are many other providers and services whose data-collecting may not be so transparent.

Free software and services

As consumers expect to enjoy software at no cost, or very low cost, some vendors have taken the decision to enter the data-collection and data-sharing business. Providers of free software only have a few methods by which to monetize their products and the least intrusive, at least from the perspective of what the end user actually sees, could be the collection and sale of data to third parties.

In the past year we have seen trusted security vendors deciding to offer free anti-virus products. While they may not have openly declared their intentions as to how the monetization of their new, free products will work, we can expect to see some of them use indirect monetization methods such as data collection.

The trend of offering free antimalware products, and the likely monetization of them through indirect means, seems to have accelerated after Microsoft began offering Windows Defender Antivirus as a free default option. Naturally, as a percentage of users shift to the Microsoft default option, there is less opportunity for existing vendors to sell software, hence the appetite for alternate monetization via offering their own free software rather than direct competition.

The trend toward free or low-cost cybersecurity software will continue over the next year. This will increase risks connected with data privacy, as free software usually lacks traditional monetization methods and instead introduces complex disclosure statements that are in part designed to obscure intent as to what data is being collected and whether it can be sold. This is evidenced by the many companies offering lengthy and unreadable privacy policies that are comprehensible only to lawyers.

Thus, with any free product it is important that a user understands how the company is making money: for example a mobile game may show adverts, or upsell levels of the game. If it is not obvious how the company makes money, then it is highly likely your data and privacy are the method of monetization.

Internet of Things

 

While free products and apps are all-knowing about our online habits, the adoption of Internet of Things (IoT) devices means that even more sensitive data is now available for collection and exploitation.

As you drive home from work, your phone is transmitting traffic conditions to share with other drivers, hopefully allowing you to make intelligent detours or driving decisions to get you home earlier. The connected thermostat at home is communicating with your phone, relaying your location and the time of day. Currently, you are homeward bound. As you enter the suburban street where you live, the garage door opens automatically, using your proximity to make a decision. The lights come on and your current choice of music transfers from the car to your home automatically. IoT devices are designed to work together, simplifying our existence.

And every device can tell a story via the data it collects. Combining those various data streams, any attacker will be able to paint a full picture of your life: where we work, where we eat, when we go to the gym, what cinema we visit, where we shop and so on. The combination of this data and advances in machine learning and artificial intelligence could mean that we start becoming puppets of technology as it increasingly makes decisions for all of us.

Analysts at Gartner predict that in 2018 there will be 11.2bn connected devices in the world, rising to 20.4bn by 2020. The rise of the machines is coming, beware! Every time a device asks to be connected we need to educate the end user to read the privacy policy and to make informed decisions about whether or not to accept the data collection terms as set out in the privacy policy.

Legislation

Starting in May 2018, the European Commission’s General Data Protection Regulation, a directive that gives citizens more power over how their information is processed and used, comes into effect. The legislation affects any company processing or collecting the data of a European Union citizen, regardless of where the company is based.

Non-compliance could result in large fines, but there is no clear answer as to how these fines will be imposed on companies outside of the EU. The Commission may feel that it needs to make an example of a company located outside of its territorial borders, and, potentially, very soon after the May 25th implementation date. Without such an example of enforcement many international companies may take the risk of non-compliance, so we might see the European Commission step up and take action in 2018.

Privacy in the US took a backward step in 2017 when the new administration repealed pending legislation that restricted internet service providers (ISPs) from collecting customer data without permission. While some ISPs have made a voluntary pledge not to allow third-party marketing, that does not mean they will not use such data for their own commercial gain.

The depth of data collected from our online habits could easily allow profiles to be constructed, showing what may be considered extremely personal interests, drawing on information that we don’t realize someone is collecting.

Customer profiles could become the target of hackers, and we have seen individual data breaches of data sites, stores and other sites. Stealing data that is generated by watching everything we do online could be the ultimate prize to a cybercriminal, offering the opportunity to blackmail users based on their online habits.

The ability to manipulate huge amounts of data as described above and then to use it for something meaningful is a relatively new option for many software and service providers, as the associated storage and processing costs have dropped massively. The ‘big data’ ecosystem now means that many more companies have the ability to collect, correlate and sell their data.

The ease with which companies can collect data and sell it, our willingness to accept the default settings, and our avoidance of actually reading a privacy policy mean that our identity, way of life and personal data are becoming a corporate asset.

I hope that 2018 brings about greater user awareness, but realistically I suspect it will see greater amounts of data collected with little awareness on the part of the user. With every device that gets connected without informed decision or choice, our privacy is eroded further, until at some point privacy will be something that only our ancestors enjoyed.

Attachments:

《Trends 2018 - Personal data in the new age of technology and legislation》--原文.pdf

《Trends 2018 - Personal data in the new age of technology and legislation》--译文.pdf

 
