How Exposure Contact Tracing Apps Are Designed for Your Privacy


Recently, Google and Apple published a final set of technical guidelines for government application developers to use when integrating with Android and iOS phones. As someone who reads and writes similar specifications for a living, I was very interested in the design choices they would make. Each architectural choice gives perspective into the authors' values, just as you might glean insights from interpreting a painting or reading a novel. After reading through these documents, I've been pleasantly surprised by the focus on protecting individual privacy. Let's break down what exposure tracing is and what key architectural decisions the authors made.


These apps have one purpose: to notify you if you've recently been in contact with someone who may be infected. At its core there are two components, tracking and matching. Your phone uses Bluetooth to record the random identifiers broadcast by nearby phones running the same system. A couple of times a day it downloads the keys published by people who have reported a confirmed diagnosis, works out which identifiers those keys would have produced, and checks them against what it recorded. If there's a match, it tells you. It's as simple as that.


Of course, the specification that Google and Apple released is somewhat more extensive than that, and most of the extra complexity exists to protect your privacy. Here are three instances where they've done so, along with alternatives that were not chosen and that would have traded that privacy for valuable information.



First, no location information needs to be stored or transmitted. Whether you pass someone at Walmart or at your own home, these apps treat the interaction in exactly the same way. This means that if you upload your information to the government servers, they have no way to know whether you were exposed in rural Kansas or in the heart of NYC. Knowing where you were is incredibly valuable to officials for finding hotspots and distributing resources. However, it would also mean that your phone tracks you wherever you go, so cities could potentially enforce stay-at-home orders more stringently or edge closer to Big Brother. Removing officials' ability to track your interactions using location data from the application shows just how much individual privacy is valued.


Second, if you were exposed, you will not be able to determine who gave you the virus. Because of this, people who report themselves as confirmed cases need not fear retribution, so there is value in this anonymity. To create anonymity in software, we replace identities with random values: each phone generates a large random number rather than registering who it belongs to. Google/Apple call this a Temporary Exposure Key. What's interesting is that they also derive a second anonymous identifier from it, called the Rolling Proximity Identifier. The former lasts 24 hours and is only sent to the government-run server if you choose to upload your test result, while the latter changes about every 15 minutes (in step with Bluetooth address randomization) and is the only value ever broadcast to nearby phones. This means that anyone listening, or trying to piece together where you were, could only follow you for about 15 minutes; afterward the identifier disappears and is replaced by a fresh one that cannot be linked to the previous one without the key. Similarly, because the Temporary Exposure Key itself is never broadcast, someone who overheard you learns nothing more unless you later report a diagnosis, and even then what gets published is a key for a day, not a record of where you were, so nobody can pinpoint exactly where the contact happened. One caveat worth knowing: once a key is published, all of that day's identifiers become recognisably linked to it, and the key's 24-hour lifetime is what bounds that linkage. This decision provides security against tracking and preserves the privacy of those confirmed to have the virus.



Lastly, a third interesting design choice is that matching happens at the system layer rather than in the application. The government-created applications never see the identifiers your phone records from other devices, nor the identifiers your own phone broadcasts; those are generated, stored and compared inside the Android/iOS framework written by Google/Apple engineers. The app only receives your own Temporary Exposure Keys when you consent to share a positive diagnosis, and otherwise learns just an exposure summary. (See my earlier article for a more technical explanation of abstraction layers.) The implication is that a government application cannot determine whom a particular person infected; it can only learn whether you were or were not exposed. Likewise, because the comparison runs on your phone and the result never leaves it, Google/Apple cannot determine that either, even though their framework holds the keys and implements the matching algorithm. At the cost of information about super-spreaders for governments and medical officials, this again reinforces the privacy that individuals using these applications will have.


Ultimately, these design decisions limit the information shared and collected to only what's necessary, which protects user privacy and should encourage adoption. Many alternatives could have given Google/Apple, and governments, more consolidated information, but these choices show a respectful willingness not to do so in the middle of this global pandemic. As a software engineer and a user, I'm happy to see these privacy-respecting choices in the design and will eagerly be one of the first users.


Translated from: https://medium.com/swlh/how-exposure-contact-tracing-apps-are-designed-for-your-privacy-7e101dff8095
