Google warns EU’s plans to weaken its monopoly could expose user data

谷歌警告：欧盟削弱其垄断地位的计划可能导致用户数据泄露

Europe’s push to rein in Big Tech is ramping up, with the European Commission planning to announce new regulations for Google next month. The rules could see Google forced to play nicer with its EU competitors, but the company has some concerns. Google is framing this not as a manifestation of its anticompetitive bent, but as genuine concern for user privacy. Heather Adkins, Google’s VP of security engineering, told Wired that the EU’s proposals could lead to serious security and privacy issues.

欧洲对大型科技公司的监管力度正在加大，欧盟委员会计划在下个月宣布针对谷歌的新法规。这些规则可能会迫使谷歌与欧盟竞争对手进行更公平的竞争，但该公司对此表示担忧。谷歌将此举描述为对用户隐私的真诚关切，而非其反竞争倾向的表现。谷歌安全工程副总裁希瑟·阿德金斯（Heather Adkins）在接受《连线》（Wired）采访时表示，欧盟的提案可能会导致严重的安全和隐私问题。

The potential changes come in two forms. First, regulators want Gemini dethroned as the sole integrated AI service on Android. This would mean letting users integrate other AI models and give them Gemini-like system access. Separately, the EU wants Google to share anonymized search data with other companies. “If implemented as described today, I think within a short period of time on Android, we’d see a significant increase in fraud in the EU,” said Adkins, who noted these events could happen within weeks of pushing through the changes.

潜在的变革主要有两种形式。首先，监管机构希望取消 Gemini 作为 Android 系统中唯一集成 AI 服务的地位。这意味着用户将能够集成其他 AI 模型，并赋予它们类似于 Gemini 的系统访问权限。此外，欧盟还希望谷歌与其他公司共享匿名搜索数据。阿德金斯表示：“如果按照目前描述的方式实施，我认为在短时间内，Android 系统在欧盟的欺诈行为将显著增加。”她指出，这些事件可能在政策推行后的几周内就会发生。

Gemini’s special status on Android devices gives it access to user files, screen content, and enhanced voice interactions. Adkins doesn’t go into much detail here, but the implication seems to be that bad actors would leverage these new options to install malicious AI services that could steal data and manipulate the user experience.

Gemini 在 Android 设备上的特殊地位使其能够访问用户文件、屏幕内容以及增强的语音交互功能。阿德金斯虽然没有详细说明，但其言下之意似乎是，不法分子会利用这些新选项安装恶意 AI 服务，从而窃取数据并操纵用户体验。

Google has more detailed concerns with the anonymized data sharing. According to the draft of the European Commission’s proposal, Google would have to provide anonymized search data to competitors that is similar to what Google sees internally. That could include the content of searches, ranking, and click rates. This data is core to Google’s search product and has not been provided at this level of granularity before.

谷歌对匿名数据共享有着更具体的担忧。根据欧盟委员会的提案草案，谷歌必须向竞争对手提供与谷歌内部所见类似的匿名搜索数据。这可能包括搜索内容、排名和点击率。这些数据是谷歌搜索产品的核心，此前从未以如此细致的颗粒度对外提供过。

“Anonymization is hard, and you’ve got to have the right technical experts at the table to come up with the solutions,” Adkins told Wired. We have known for years that it’s very possible to unmask people in supposedly anonymous data. In fact, Google suggests that the broad availability of powerful AI models makes it easier than ever to de-anonymize large data sets (that also checks out). Google’s internal security teams have reportedly been able to link this anonymous search data to individual users in as little as two hours using so-called “linkage attacks.”

“匿名化非常困难，必须有合适的技术专家参与才能拿出解决方案，”阿德金斯告诉《连线》。多年来我们都知道，在所谓的匿名数据中识别出个人身份是完全可能的。事实上，谷歌指出，强大 AI 模型的广泛普及使得对大型数据集进行去匿名化变得比以往任何时候都更容易（这一点也得到了证实）。据报道，谷歌内部安全团队曾利用所谓的“链接攻击”，在短短两小时内就将这些匿名搜索数据与个人用户关联起来。

Googlers expressed to Wired that giving this data to smaller EU firms in accordance with the law will make them targets. Google seemingly trusts itself to keep that data secure, but some rinky-dink startup in Europe? Maybe not. Are you ever anonymous? Requiring Google to share data and system access with competitors may come with some security risks, but Google undeniably has a vested interest in maintaining its market position. Both of those things can be true, but is one maybe a little more true than the other? That’s the issue with which the European Commission must grapple.

谷歌员工向《连线》表示，根据法律将这些数据提供给欧盟的小型公司，会使这些数据成为攻击目标。谷歌似乎相信自己有能力确保数据安全，但欧洲那些名不见经传的初创公司呢？可能未必。你真的能做到匿名吗？要求谷歌与竞争对手共享数据和系统访问权限可能会带来一些安全风险，但不可否认，谷歌在维持其市场地位方面有着既得利益。这两者可能都是事实，但其中一个是否比另一个更真实？这正是欧盟委员会必须解决的问题。

The EU is undertaking this effort under the auspices of the Digital Markets Act (DMA), which has designated Google, Meta, Amazon, and other giant tech firms as “gatekeepers” that are subject to additional regulation. Google has openly opposed the DMA, calling for the law to be reworked. With significant market shares across a number of tech sectors—including more than 90 percent of web search—the company doesn’t have much reason to support increased regulation.

欧盟是在《数字市场法案》（DMA）的框架下开展这项工作的。该法案将谷歌、Meta、亚马逊和其他科技巨头指定为“看门人”，并对其施加额外的监管。谷歌公开反对 DMA，呼吁对该法律进行修订。由于在多个科技领域拥有巨大的市场份额（包括超过 90% 的网络搜索份额），该公司几乎没有理由支持加强监管。

There are many ways to anonymize user data in aggregate, and Google would know—it frequently leverages anonymized user data, and it stresses the privacy-protecting aspects of this process. Sometimes it hides identities by merging all the data for a group that shares some trait, like a postal code. Google also might mix different types of search queries together to hide connections to a sensitive topic. When that’s not enough, Google may add random noise to the data that can further obscure identities.

聚合用户数据进行匿名化的方法有很多，谷歌对此非常了解——它经常利用匿名用户数据，并强调这一过程中的隐私保护方面。有时，它会通过合并具有相同特征（如邮政编码）的群体数据来隐藏身份。谷歌还可能将不同类型的搜索查询混合在一起，以隐藏与敏感话题的关联。当这些手段不足以保护隐私时，谷歌可能会在数据中添加随机噪声，从而进一步模糊身份。

Google uses these techniques across services—search queries, location data, advertising profiles, app usage, and more. It’s all there in Google’s privacy terms, and we are regularly assured that the data is sufficiently anonymous that it’s no problem even when Google shares it with third parties of its choosing. But when the EU requires Google to give anonymized search data to its competitors, it’s suddenly an untenable privacy issue. Perhaps all of these anonymized data sets are a problem, whether they’re held by Google or not.

谷歌在各项服务中都使用了这些技术，包括搜索查询、位置数据、广告档案、应用使用情况等。这些都在谷歌的隐私条款中有所体现，我们经常被告知这些数据已经足够匿名，即使谷歌将其与选定的第三方共享也没有问题。但当欧盟要求谷歌向竞争对手提供匿名搜索数据时，这突然变成了一个不可接受的隐私问题。也许所有这些匿名数据集本身就是个问题，无论它们是否由谷歌持有。

Regardless, there are some real privacy concerns at issue in this specific regulatory action. Google is essentially contending that the granular nature of the data makes it too vulnerable to being unmasked. If the data is stolen, it seems like a safe bet that at least some of it could be de-anonymized. The European Commission will have to walk a fine line as Google’s business interests would be served by not sharing data, and the goal of regulators is to weaken Google’s monopoly.

无论如何，这一特定的监管行动确实存在一些真正的隐私担忧。谷歌本质上是在辩称，数据的细颗粒度使其太容易被识别出身份。如果数据被盗，几乎可以肯定其中至少一部分数据会被去匿名化。欧盟委员会将不得不走钢丝，因为不共享数据符合谷歌的商业利益，而监管机构的目标则是削弱谷歌的垄断地位。

But nothing is set in stone yet. The comment period ended on May 1, and the commission is determining how to enforce the new rules. It expects to have a final decision on July 27, which will be legally binding for Google as a designated gatekeeper under the DMA. So the exact nature of the AI access and data anonymization is still up in the air.

但目前还没有定论。意见征询期已于 5 月 1 日结束，委员会正在确定如何执行新规则。预计将于 7 月 27 日做出最终决定，该决定将作为 DMA 下指定的“看门人”，对谷歌具有法律约束力。因此，AI 访问权限和数据匿名化的具体性质仍未确定。