On January 9, the New York Times reported that a research report released on Wednesday by the Israeli cybersecurity firm CheckPoint showed that TikTok had serious security vulnerabilities. Through them, hackers could make users' private videos public, obtain users' personal information, and take control of accounts to upload and delete video content; put simply, they could do as they pleased.

As soon as the news broke, it quickly set off heated discussion at home and abroad. On the one hand, the vulnerabilities exposed this time are potentially quite dangerous: a flaw that lets hackers take over an account is deeply worrying for users. On the other hand, TikTok is already under close "scrutiny" abroad over user privacy, so both the New York Times exposure and CheckPoint's sending a summary of its findings to the US Department of Homeland Security add fuel to the fire.

For domestic users, attention has focused mainly on two questions. The first is whether these vulnerabilities also affect Douyin, the domestic version; so far ByteDance has offered no explanation. The second is the late-October 2019 leak of videos from PGone and Li Xiaolu's Douyin drafts folder, which remains an unsolved case; whether it is connected to these vulnerabilities is something many users are debating.

"TikTok may be more focused on rapid growth and building new features for users than on shoring up security. Security vulnerabilities at a company like this are what I would expect." That is how Christoph Hebeisen, head of research at another cybersecurity firm, Lookout, characterized TikTok's vulnerabilities in the New York Times report. Clearly, public pressure of this kind is hurting TikTok.

Returning to the exposed TikTok vulnerabilities themselves, they must have given Douyin a cold sweat. According to Oded Vanunu, head of product vulnerability research at CheckPoint, "The vulnerabilities we found are all in the core parts of the TikTok system." For example, TikTok's official website supports sending SMS messages to users, but one of the vulnerabilities allowed an attacker to tamper with the link in the message and use it for fraud: the sender was still TikTok, but the link had been altered. Once a user clicked the link, the attacker could take control of the account and then upload and delete videos, access private videos, make private videos public, follow other users, and so on.

As another example, through a different vulnerability an attacker could obtain an account holder's personal information, including email address, payment information, name, and date of birth. The security researchers who found the flaws further explained that, owing to the lack of an anti-cross-site-request-forgery mechanism, an attacker could execute JavaScript code and perform actions on the victim's behalf without the victim's consent, which deepened people's concerns. Fortunately, the vulnerabilities have now been fixed, but this is neither the first nor the last battle in the "user privacy war" Douyin faces overseas.
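The two weakness classes described in the last two paragraphs, an SMS-sending feature that forwards an attacker-supplied link under the site's own sender name, and state-changing requests with no anti-CSRF protection, are general web-application defects. The Python below is an added example and is not code from TikTok, CheckPoint, or this article: it shows the weak link builder beside a hardened one that allowlists the download host, and a session-bound anti-CSRF token combined with a same-origin check. The hostnames, the secret, the session id, and the dict used to stand in for a framework request object are all hypothetical.

```python
"""Added example (hypothetical code, not TikTok's or CheckPoint's):
defensive checks for the two weakness classes described above.

1. An endpoint that sends an SMS containing a download link must not
   forward an arbitrary caller-supplied link: allowlist the host.
2. A state-changing request must prove the browser intended it
   (anti-CSRF): same-origin check plus a token bound to the session.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Hypothetical values for this example.
ALLOWED_DOWNLOAD_HOSTS = {"download.example.com"}
SITE_ORIGIN = "https://www.example.com"


def is_safe_download_url(url: str) -> bool:
    """True only for an https link to an allowlisted host.

    Checks .hostname rather than .netloc, so a link such as
    https://download.example.com@evil.test/ (userinfo trick) is rejected,
    and refuses embedded credentials and explicit ports.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # e.g. a non-numeric port
        return False
    return parts.hostname.lower() in ALLOWED_DOWNLOAD_HOSTS


def build_sms_insecure(link: str) -> str:
    """Weak form: whatever link the caller supplies goes out under the site's name."""
    return f"Download the app: {link}"


def build_sms_secure(link: str) -> Optional[str]:
    """Hardened form: refuse to build the message unless the link passes the allowlist."""
    if not is_safe_download_url(link):
        return None
    return build_sms_insecure(link)


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Token derived from the session id with a server-side secret,
    so a token issued to one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _request_origin(headers: dict) -> Optional[str]:
    """Origin of the request from the Origin header, else derived from Referer."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("origin"):
        return lower["origin"]
    ref = lower.get("referer")
    if ref:
        p = urlparse(ref)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def is_authorized_state_change(request: dict, session_id: str, secret: bytes) -> bool:
    """Accept a state-changing request only if it is a same-origin POST
    carrying the token that belongs to this session.

    `request` is a plain dict {"method", "headers", "form"} standing in
    for a framework request object (hypothetical shape).
    """
    if request.get("method") != "POST":
        return False
    if _request_origin(request.get("headers", {})) != SITE_ORIGIN:
        return False
    supplied = request.get("form", {}).get("csrf_token", "")
    if not isinstance(supplied, str):
        return False
    expected = make_csrf_token(session_id, secret)
    # constant-time comparison on bytes so a malformed token cannot raise
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    secret = b"server-side-secret"  # constructed for the example
    sid = "session-123"
    good = {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"csrf_token": make_csrf_token(sid, secret)}}
    print(build_sms_secure("https://download.example.com/app"))
    print(build_sms_secure("https://download.example.com@evil.test/app"))
    print(is_authorized_state_change(good, sid, secret))
```

The allowlist check deliberately compares `hostname`, not `netloc`, because userinfo, a port, or a lookalike subdomain in `netloc` is exactly how a "trusted sender, attacker link" message is built. The CSRF check requires both an origin match and the session-bound token, so a cross-site page cannot forge a request even if it knows the endpoint.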

For example, in February 2019 the US Federal Trade Commission filed a complaint against TikTok, alleging that it illegally collected personal information from minors in violation of the Children's Online Privacy Protection Act (COPPA), which requires websites and online companies to obtain parental consent before collecting personal information from children under 13. TikTok agreed to pay $5.7 million to settle.

In addition, foreign media recently reported that the US Department of Defense issued a new directive requiring Army soldiers to uninstall and delete TikTok immediately to avoid exposing personal information. Since last October, TikTok has been under investigation by the Committee on Foreign Investment in the United States (CFIUS) over whether it could be used to collect user data and control shared content. In December, the US Navy and the Department of Defense warned about TikTok, and Navy personnel were likewise told to uninstall and delete it. Meanwhile, the UK Information Commissioner's Office is still investigating TikTok, focusing on whether it violates European privacy law. This security incident may therefore expose Douyin to even greater regulatory and public pressure abroad.

It is worth mentioning that, according to 《机械之心》 (Synced), foreign media reported that the Israeli in-app market research firm Watchful discovered FaceSwap (face-swapping) code based on DeepFakes technology in the latest Android versions of Douyin and TikTok. The feature has not yet been released; reportedly it works much like last year's much-discussed "Zao". Watchful also found, in English text within the code of the US version of the TikTok app, unreleased terms of service related to the feature, as follows:

"Zao"'s experience last year shows that face-swapping is popular but the privacy issues it raises are just as complex; whether Douyin, quietly developing such a feature, already has a plan for dealing with them is unknown. For now, Douyin's rapid expansion overseas has forced it to spend a great deal of effort responding to "user privacy" concerns. Bloomberg recently reported that, to address various issues including user privacy, consultants had proposed options to ByteDance such as mounting a legal defense, running TikTok as an independent operation, and selling a majority stake. There is no doubt that privacy incidents have created some drag on Douyin's overseas business.

Compared with abroad, domestic users are relatively less sensitive about privacy data and less aware of their rights, and the relevant laws still need strengthening, but national regulation of Internet user data is tightening. Douyin itself was the subject of heated discussion several times last year over user privacy, the most prominent case being the exposure of videos from PGone and Li Xiaolu's Douyin drafts folder.

On October 30, 2019, three videos stored in PGone and Li Xiaolu's Douyin drafts folder were leaked, instantly causing an uproar online. At first the discussion centered on celebrity gossip, but after PGone posted on Weibo asking, "Why was a video I shot in Douyin last year, which was never shared with anyone, released, and without a logo?", the public quickly shifted its attention to user privacy on short-video platforms.

Rumors then circulated that a Douyin employee had downloaded the videos from the back end. Douyin responded that the rumors were false, since the operations review back end holds no draft videos, so there was no way an employee could have downloaded them from a back-end drafts folder. Attention then turned to whether videos in a user's drafts folder can be uploaded to Douyin's servers. Netizens dug up clause (f) under the "Information Publishing" article of the Douyin Privacy Policy, which says in essence that, to speed up uploads, a video is temporarily loaded to the server before the user taps "Publish" to confirm the upload. This "temporary period" left many users worried about the short videos in their drafts folders.

So far there is no definitive answer in this video case, but the vulnerabilities TikTok just disclosed happen to touch on related privacy issues, which led many netizens to connect the two events again and set off a new round of debate. Whether or not the two are directly related, they certainly both concern one issue: user privacy.

On the subject of user privacy, Douyin was also taken to court by Tencent last year. Tencent accused Duoshan of misappropriating WeChat/QQ user data without authorization, and the court found Douyin in violation. According to Tencent, Douyin passed the WeChat/QQ authorized-login service that Tencent had provided to Douyin on to Duoshan without permission, so that even a user who had registered only with Douyin and not with Duoshan would still have their WeChat/QQ avatar and nickname obtained by Duoshan through the Douyin account.

In addition, an earlier article titled "A law doctoral student defends his rights: why am I suing Douyin and Duoshan for violating my privacy?" also sparked heated online discussion. Its author said that, even though the apps' contacts list contained no information and he had never explicitly authorized either app to use his personal contacts, both Douyin and Duoshan accurately recommended several "friends" to him, including people he had not been in touch with for years, such as an ex. Furious, he took the operators of both apps to court and demanded to know how they had obtained his "friend relationships" and violated his privacy.

It is clear that, not only abroad but also at home, users and the law are increasingly protective of personal privacy. Whether at the legal level or in the court of public opinion, Internet platforms need to take more "care" in protecting user privacy, or risk losing users' "hearts".

All in all, in the Internet era data is the "new oil" and user data the "new wealth". Whether a legitimate Internet platform or a hacker exploiting technical vulnerabilities to obtain user data illegally, both essentially want to profit from user data; the difference is that the hacker obtains data illegally to make money, while the legitimate platform uses it legally to do the same, and short-video platforms are no exception.

For users and regulators, however, short-video platforms, like hackers, need to be supervised, because a platform that illegally profits from user data could do even greater harm. As for the platforms, they must keep improving their security technology to prevent hackers from illegally obtaining user data, and at the same time keep raising their awareness of user privacy, treating it with respect and avoiding abuse of the data they are entrusted to guard; only then can they win users over.

As Zhang Xiaolong said at the recent WeChat Open Class Pro: as a platform, because we hold huge amounts of data, what should and should not be used is a question we keep thinking about, and we call on our peers to take it seriously too. Whether Zhang Xiaolong had any particular peers in mind we do not know, but for any platform handling large amounts of user data, what should and should not be used is truly worth the public's consideration.


Reposting is welcome; please credit the source: 金沙手机版app下载