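Summary

Personal privacy is always worth the time it takes to pay attention to it. The harm ranges from nuisance calls, spam text messages and data leaks of every kind to being defrauded or even losing one's life. In this age of information explosion, personal information security seems to have always been a gray area. Sometimes we simply block or blacklist nuisance calls and spam messages with a phone-manager app, but it seems that only tragedies involving loss of life draw intense public attention, and even those are quickly buried by newer news.

Similar tragedies seem to keep playing out. Besides each of us being as careful as we can, some technology companies have of course seen the huge business opportunity hidden here, and so ultrasonic cross-device tracking technology came into being. Seen this way, our fragile privacy appears to be protected. Today, let us look at whether this technology is really that trustworthy.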
How to block the ultrasonic signals you didn’t know were tracking you
Your phone can talk to advertisers behind your back, beyond your audible spectrum.
LILY HAY NEWMAN, WIRED.COM - 11/3/2016, 7:39 PM
Dystopian corporate surveillance threats today come at us from all directions. Companies offer “always-on” devices that listen for our voice commands, and marketers follow us around the web to create personalized user profiles so they can (maybe) show us ads we’ll actually click. Now marketers have been experimenting with combining those web-based and audio approaches to track consumers in another disturbingly science fictional way: with audio signals your phone can hear, but you can’t. And though you probably have no idea that dog whistle marketing is going on, researchers are already offering ways to protect yourself.
The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices.
Beyond the abstract creep factor of ultrasonic tracking, the larger worry about the technology is that it requires giving an app the ability to listen to everything around you, says Vasilios Mavroudis, a privacy and security researcher at University College London who worked on the research being presented at Black Hat. “The bad thing is that if you’re a company that wants to provide ultrasound tracking there is no other way to do it currently, you have to use the microphone,” says Mavroudis. “So you will be what we call ‘over-privileged,’ because you don’t need access to audible sounds but you have to get them.”
This type of tracking, offered by companies like Tapad and 4Info, has hardly exploded in adoption. But it’s persisted as more third party companies develop ultrasonic tools for a range of uses, like data transmission without Wi-Fi or other connectivity. The more the technology evolves, the easier it is to use in marketing. As a result, the researchers say that their goal is to help protect users from inadvertently leaking their personal information. “There are certain serious security shortcomings that need to be addressed before the technology becomes more widely used,” says Mavroudis. “And there is a lack of transparency. Users are basically clueless about what’s going on.”
Currently, Android and iOS do require apps to request permission to use a phone’s microphone. But most users likely aren’t aware that by granting that permission, apps that use ultrasonic tracking could access their microphone—and everything it’s picking up, not just ultrasonic frequencies—all the time, even while they’re running in the background.
The researchers’ patch adjusts Android’s permission system so that apps have to make it clear that they’re asking for permission to receive inaudible inputs. It also allows users to choose to block anything the microphone picks up on the ultrasound spectrum. The patch isn’t an official Google release, but represents the researchers’ recommendations for a step mobile operating systems can take to offer more transparency.
To block the other end of those high-pitched audio communications, the group’s Chrome extension preemptively screens websites’ audio components as they load to keep the ones that emit ultrasounds from executing, thus blocking pages from emitting them. There are a few old services that the extension can’t screen, like Flash, but overall the extension works much like an ad-blocker for ultrasonic tracking. The researchers plan to make their patch and their extension available for download after their Black Hat presentation.
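As an added illustration of the kind of screening described above (not the researchers' extension or patch, whose code the article does not show), this JavaScript measures how much of an audio frame's energy sits in a near-ultrasonic band and flags the frame for blocking. The 18–20 kHz band, the 10% threshold, and all function names are assumptions.

```javascript
// Added example, not code from the researchers' extension or patch.
// Assumptions (the article gives no numbers): band edges and blocking threshold.
const BAND_LOW_HZ = 18000;
const BAND_HIGH_HZ = 20000;
const BLOCK_THRESHOLD = 0.1; // in-band share of total energy that triggers a block

// Goertzel recurrence: |X_k|^2 of DFT bin k for one frame of real samples.
function binPower(samples, k) {
  const coeff = 2 * Math.cos((2 * Math.PI * k) / samples.length);
  let s1 = 0, s2 = 0;
  for (const x of samples) {
    const s0 = x + coeff * s1 - s2;
    s2 = s1; s1 = s0;
  }
  return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Fraction (0..1) of the frame's energy that lies inside the assumed band.
function ultrasonicShare(samples, sampleRate) {
  const n = samples.length;
  let energy = 0;
  for (const x of samples) energy += x * x;
  if (n === 0 || energy === 0) return 0; // empty or silent frame
  const first = Math.ceil((BAND_LOW_HZ * n) / sampleRate);
  const last = Math.min(Math.floor((BAND_HIGH_HZ * n) / sampleRate), Math.floor(n / 2));
  let band = 0;
  for (let k = first; k <= last; k++) band += binPower(samples, k);
  // Parseval: all bins sum to n * energy; x2 accounts for mirrored negative bins.
  return Math.min(1, (2 * band) / (n * energy));
}

// Decision a screening layer could take before audio plays or reaches an app.
function screenAudio(samples, sampleRate) {
  const share = ultrasonicShare(samples, sampleRate);
  return { share, blocked: share >= BLOCK_THRESHOLD };
}

// Constructed sample input: sum of sine tones given as [frequencyHz, amplitude].
function makeTones(tones, n, sampleRate) {
  const out = new Float32Array(n);
  for (let i = 0; i < n; i++)
    for (const [f, a] of tones) out[i] += a * Math.sin((2 * Math.PI * f * i) / sampleRate);
  return out;
}

const RATE = 44100;
const audible = makeTones([[440, 1.0]], 2048, RATE);               // audible tone only
const beacon = makeTones([[440, 1.0], [18500, 0.5]], 2048, RATE);  // plus a hidden tone
console.log(screenAudio(audible, RATE), screenAudio(beacon, RATE));
```

A device sampling below 36 kHz cannot represent the assumed band at all, so the function returns a share of 0 for such input.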
Ultrasonic tracking has been evolving for the last couple of years, and it is relatively easy to deploy since it relies on basic speakers and microphones instead of specialized equipment. But from the start, the technology has encountered pushback about its privacy and security limitations. Currently there are no industry standards for legitimizing beacons or allowing them to interoperate the way there are with a protocol like Bluetooth. And ultrasonic tracking transmissions are difficult to secure because they need to happen quickly for the technology to work. Ideally the beacons would authenticate with the receiving apps each time they interact to reduce the possibility that a hacker could create phony beacons by manipulating the tones before sending them. But the beacons need to complete their transmissions in the time it takes someone to briefly check a website or pass a store, and it’s difficult to fit an authentication process into those few seconds. The researchers say they’ve already observed one type of real-world attack in which hackers replay a beacon over and over to skew analytics data or alter the reported behavior of a user. The team also developed other types of theoretical attacks that take advantage of the lack of encryption and authentication on beacons.
The Federal Trade Commission evaluated ultrasonic tracking technology at the end of 2015, and the privacy-focused non-profit Center for Democracy and Technology wrote to the agency at the time that “the best solution is increased transparency and a robust and meaningful opt-out system. If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking.” By March the FTC had drafted a warning letter to developers about a certain brand of audio beacon that could potentially track all of a user’s television viewing without their knowledge. That company, called Silverpush, has since ceased working on ultrasonic tracking in the United States, though the firm said at the time that its decision to drop the tech wasn’t related to the FTC probe.
(Silverpush's ultrasonic tracking technology has been called into question)
More recently, two lawsuits filed this fall—each about the Android app of an NBA team—allege that the apps activated user microphones improperly to listen for beacons, capturing lots of other audio in the process without user knowledge. Two defendants in those lawsuits, YinzCam and Signal360, both told WIRED that they aren’t beacon developers themselves and don’t collect or store any audio in the spectrum that’s audible to humans.
But the researchers presenting at Black Hat argue that controversy over just how much audio ultrasonic tracking tools collect is all the more reason to create industry standards, so that consumers don’t need to rely on companies to make privacy-minded choices independently. “I don’t believe that companies are malicious, but currently the way this whole thing is implemented seems very shady to users,” says Mavroudis. Once there are standards in place, the researchers propose that mobile operating systems like Android and iOS could provide application program interfaces that restrict microphone access so ultrasonic tracking apps can only receive relevant data, instead of everything the microphone is picking up. “Then we get rid of this over privileged problem where apps need to have access to the microphone, because they will just need to have access to this API,” Mavroudis says.
For anyone who’s not waiting for companies to rein in what kinds of audio they collect to track us, however, the UCSB and UCL researchers’ software offers a temporary fix. And that may be more appealing than the notion of your phone talking to advertisers behind your back—or beyond your audible spectrum.
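Translated by Viola
Proofread by Yarina
Final review by 何以
WeChat editor: 小白
树屋字幕组 (Treehouse fansub group), article translation team
This translation is for study and exchange only; commercial use is strictly prohibited.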