Top Google Security Staff Warn Search Data Could Be Hacked if EU Rules Change
Top Google Security Staff Warn Search Data Could Be Hacked if EU Rules Change
谷歌顶级安全专家警告:若欧盟法规变更,搜索数据恐遭黑客攻击
Google’s top privacy and security staff have warned that plans in Europe, designed to get it to open up its search data and Android operating system to competitors, could lead to people’s search queries being hacked and an increase in cybercrime across the continent, according to multiple interviews and documents shared with WIRED. 根据《连线》(WIRED)获得的多次采访和文件显示,谷歌顶级隐私与安全人员警告称,欧洲旨在迫使其向竞争对手开放搜索数据和安卓(Android)操作系统的计划,可能会导致用户的搜索查询被黑客窃取,并加剧整个欧洲大陆的网络犯罪。
Mountain View’s alarm comes as European Commission officials are set to make final decisions next month in two cases, around Google Search and Android interoperability, under the European Union’s landmark Digital Markets Act competition rules. The rules, which were first adopted at the end of 2022, are designed to force open Big Tech companies that dominate markets, make it easier for others to compete, and reduce reliance on a handful of firms. 谷歌总部(山景城)发出此警告之际,欧盟委员会官员正准备在下个月就谷歌搜索和安卓互操作性这两起案件做出最终裁决,这些裁决基于欧盟具有里程碑意义的《数字市场法案》(DMA)竞争规则。该规则于2022年底首次通过,旨在迫使占据市场主导地位的科技巨头开放系统,降低其他企业竞争的门槛,并减少对少数几家公司的依赖。
Heather Adkins, Google’s vice president of security engineering and a founding member of its security team, says the company has concerns around the proposed changes for both Search and Android. In April, the European Commission published initial details, plus now-closed public consultations, on how Google should open up its search data—sharing anonymized search data with rivals—and allowing other AI services to have more access to the Android operating system. 谷歌安全工程副总裁兼安全团队创始成员希瑟·阿德金斯(Heather Adkins)表示,公司对搜索和安卓业务的拟议变更均存有顾虑。今年4月,欧盟委员会发布了初步细节及现已结束的公众咨询,内容涉及谷歌应如何开放其搜索数据(与竞争对手共享匿名化搜索数据),并允许其他人工智能服务获得对安卓操作系统更多的访问权限。
“If implemented as described today, I think within a short period of time on Android, we’d see a significant increase in fraud in the EU,” Adkins tells WIRED. “The fraudsters are creative and informed. Past implementation [date], I would give it maybe weeks before we began to see an increase in fraud in Europe.” “如果按照目前描述的方式实施,我认为在短时间内,欧盟的安卓系统将出现欺诈行为的显著增加,”阿德金斯告诉《连线》。“诈骗者既有创造力又消息灵通。在实施日期之后,我估计只需几周时间,我们就会看到欧洲欺诈案件的激增。”
Meanwhile, Adkins also claims the proposed changes to Google Search could result in people’s search queries being de-anonymized by bad actors and search data shared with small companies being a target for criminal hackers. 与此同时,阿德金斯还声称,针对谷歌搜索的拟议变更可能导致用户的搜索查询被不法分子“去匿名化”,而与小型公司共享的搜索数据也可能成为犯罪黑客的目标。
The European Commission’s proposals are complex, impact technical systems with billions of users, and are steeped in the continent’s competition laws. As European officials’ deadline of July 27 for announcing its final decisions approaches, Google has been increasingly vocal in its opposition to the parts of the plans it does not believe will work. Some Google competitors, who could benefit from accessing the data, say the plans have less privacy and security impacts than has been suggested. 欧盟委员会的提案非常复杂,影响到拥有数十亿用户的技术系统,并深深植根于欧洲的竞争法中。随着欧盟官员宣布最终裁决的7月27日截止日期临近,谷歌对其认为不可行的部分计划表达了越来越强烈的反对。一些可能从数据访问中受益的谷歌竞争对手则表示,这些计划对隐私和安全的影响远没有外界所说的那么严重。
These competitors, independent researchers, and academics who have responded to the consultations have pointed out how Europe’s plans could work and also potential flaws with them. Rebuttals and counter rebuttals have been issued as competition law collides with privacy impacts. Spokespeople for the European Commission acknowledged WIRED’s request for comment but did not respond to questions about Google’s concerns. 参与咨询的竞争对手、独立研究人员和学者们指出了欧洲计划的可行性及其潜在缺陷。随着竞争法与隐私影响发生碰撞,各方纷纷发表反驳与回应。欧盟委员会发言人确认收到了《连线》的置评请求,但未就谷歌的担忧做出回应。
Since the end of 2022, the Digital Markets Act has allowed European officials to designate tech companies that have large market shares as “gatekeepers” and use the rules to get them to open up their systems and data to competitors. Google parent company Alphabet, Amazon, Apple, Booking, ByteDance, Meta, and Microsoft are all considered gatekeepers, with their products—from LinkedIn and TikTok to Instagram and YouTube—being subject to the rules. 自2022年底以来,《数字市场法案》允许欧盟官员将拥有巨大市场份额的科技公司指定为“看门人”,并利用该规则迫使它们向竞争对手开放系统和数据。谷歌母公司Alphabet、亚马逊、苹果、Booking、字节跳动、Meta和微软都被视为“看门人”,其产品(从LinkedIn、TikTok到Instagram和YouTube)均受该规则约束。
Google’s search business, which is estimated to make up 90 percent of the worldwide search market, is, unsurprisingly, the only search engine that includes the rules. Under the DMA, Google already shares some data with search engine competitors; however, the planned changes alter how this would work. 谷歌的搜索业务估计占据了全球搜索市场90%的份额,不出所料,它是唯一受此规则约束的搜索引擎。根据DMA,谷歌已经与搜索引擎竞争对手共享了一些数据;然而,计划中的变更将改变这一运作方式。
The plans broadly say Google should provide online search engines with access to search data “on par” with the data that Google itself collects, including “any query input” people enter into Google Search plus some other metadata. Put simply: what people type into Google. It will also have to share click data and the ranking results of search queries. “This is a unique data set which only Google has had access to for many, many years, and there’s not a straightforward way for any other competitor to build or obtain access to something similar,” says Alissa Cooper, the executive director of the tech policy research hub the Knight-Georgetown Institute. 这些计划大体上要求谷歌向在线搜索引擎提供与谷歌自身收集的数据“同等水平”的搜索数据访问权限,包括人们输入到谷歌搜索中的“任何查询输入”以及其他一些元数据。简单来说:就是人们在谷歌中输入的内容。它还必须共享点击数据和搜索查询的排名结果。科技政策研究中心“奈特-乔治城研究所”(Knight-Georgetown Institute)执行主任阿丽莎·库珀(Alissa Cooper)表示:“这是一个独特的数据集,多年来只有谷歌能够访问,其他竞争对手没有直接的方法来构建或获得类似的数据访问权限。”
These sharing requirements, according to the EU’s proposals, are protected by anonymization methods to protect individuals’ search queries being linked back to them. Those measures will be accompanied with contracts between Google and search competitors that it shares data with, broadly saying they cannot try to reidentify users, link the search data with other information, and that information must be shared securely. 根据欧盟的提案,这些共享要求受到匿名化方法的保护,以防止个人的搜索查询被关联回本人。这些措施将辅以谷歌与其共享数据的搜索竞争对手之间的合同,合同大体规定它们不得试图重新识别用户、不得将搜索数据与其他信息关联,且信息必须安全地共享。
Google, however, claims in one document seen by WIRED that the proposed anonymization techniques contain “deep weaknesses” and it would have to release search data at “much higher levels of granularity” than it currently does. Google staff say they have proved the data can be reidentified, and if this is the case, “it is not anonymous in the first place.” 然而,谷歌在《连线》看到的一份文件中声称,拟议的匿名化技术存在“深层缺陷”,且谷歌将不得不以比目前“高得多的粒度”发布搜索数据。谷歌员工表示,他们已经证明这些数据可以被重新识别,如果情况确实如此,“那么它从一开始就不是匿名的。”
“Privacy engineers have proved that this data can be easily reidentified. If data can be reidentified, it is not anonymous in the first place. And the law specifically requires it to be anonymized,” says David Lewis, Google’s director of the company’s privacy advisory for Europe, the Middle East, and Africa. “Whether Google has a vested interest or not is irrelevant to the question of whether millions of people’s most private questions may end up with someone they don’t know and never expected would see their searches.” “隐私工程师已经证明这些数据可以很容易地被重新识别。如果数据可以被重新识别,它从一开始就不是匿名的。而法律明确要求必须进行匿名化处理,”谷歌欧洲、中东和非洲地区隐私咨询总监大卫·刘易斯(David Lewis)表示。“谷歌是否有既得利益,与数百万人的最隐私问题是否会落入他们不认识且从未预料到会看到其搜索记录的人手中这一问题无关。”
The company previously said, according to Reuters’ reporting, that its security red team could reidentify search users based on the data in “less than two hours.” The specific details of those tests have not been published. 据路透社报道,该公司此前曾表示,其安全红队可以在“不到两小时”内根据这些数据重新识别搜索用户。这些测试的具体细节尚未公布。
“Anonymization is hard, and you’ve got to have the right technical experts at the table to come up with the solutions,” says Google’s Adkins, who suggests there is a “middle ground” to be found. Adkins says large language models could also be an “ideal tool” for helping to de-anonymize data if it falls into malicious hands and adds that t… “匿名化很难,你必须有合适的技术专家参与,才能拿出解决方案,”谷歌的阿德金斯说道,她建议可以找到一个“中间地带”。阿德金斯表示,如果数据落入恶意之手,大型语言模型也可能成为帮助“去匿名化”数据的“理想工具”,并补充说……