Open, Closed, and Privacy

Note: this article is not about open source versus closed source.

Next month it will be eight years since Google's Vice President of Engineering, Vic Gundotra, delivered a blistering attack on Apple for not being open[1]:

[Image: slide from Google's 2010 I/O keynote criticizing Apple]

On [my] first day, I met a gentleman named Mr. Andy Rubin. Now, I suspect most of you know who Andy Rubin is. At the time he was in charge of what was then a secret project code-named Android. On that first day, Andy passionately described to me the team's mission and purpose. As he spoke — and I'll be honest with you — I was skeptical. In fact, I interrupted Andy and I said, “Andy, I don't get it. Does the world really need another mobile operating system? Google is about advertising — shouldn't we be on every phone?”

To this day I remember Andy's response; he made two points. The first point Andy made was that providing a free mobile operating system — an open-source operating system — was critical, and that it would enable innovation at every level of the stack. In other words, OEMs should be free to build all kinds of devices — devices with keyboards, without keyboards, with front-facing cameras, two inches, three inches, four inches — that operators should be able to compete on the strength and coverage of their network — 2G, 3G, 4G, LTE, CDMA — and that in the end, with innovation coming at every layer, it would be the consumer who would be able to benefit by getting the best device on the best network for them.

I remember Andy's second point: he argued that if Google did not act, we faced a draconian future in which one man, one company, one device, one carrier would be our only choice. That's a future we don't want! So if you believe in openness, if you believe in choice, if you believe in innovation from everyone, then welcome to Android.

Gundotra repeated the word “open” like a mantra, appealing to the sensibilities of not just people in technology but also its critics, opposed to so-called “walled gardens”; the two primary offenders were deemed to be Apple and Facebook.

That is what makes Google's low-key announcement of its latest plan for messaging on Android phones — an exclusive in The Verge about what the company is calling the new effort — so striking: the company is launching an open alternative to products like iMessage and WhatsApp, but only as a last resort, and the effort is being mocked by critics; Walt Mossberg is representative.

Of course Google's critics are not criticizing it for being open; they are, like Mossberg, criticizing it for being “insecure” — that is, not end-to-end encrypted like iMessage or WhatsApp. That, though, is the point: “secure” and “open” are incompatible.

How End-to-End Encryption Works

A quick primer on how end-to-end encryption works, using iMessage as an example; I'm going to dramatically simplify this explanation, but you can read Apple's security white paper for the specifics:

  • When iMessage is turned on, “keys” are generated; these are produced in pairs, one private and one public. These two keys are related: the public key encrypts content such that it can only be decrypted by the private key; to analogize them to a safe, the public key locks the door, and the private key unlocks it.
  • The relationship between these two keys is, well, the key to understanding how encryption works in messaging (and all communications): anyone sending an encrypted message “locks” the content using a public key, which means that the only person that can “unlock” and read the message is whoever has the corresponding private key.
  • To that end, the private key is, as the name implies, private: it is kept on the device that generated it (in fact, every device with iMessage generates its own encryption keys). The public key, meanwhile, is public: if anyone is to be able to send you an encrypted message, everyone must be able to find the public key that corresponds to your private key.

This is exactly where “open” breaks down: you can, in fact, send encrypted content over an open protocol like email. The problem is that the sender cannot just unilaterally decide to encrypt a message; rather, the recipient must first generate a public-private key pair and then share the public key with the sender, so that the email can be encrypted such that only the recipient — thanks to their private key — can read it. Needless to say, this is far beyond the capabilities of most users: not only do they not understand that a conversation needs to happen before the conversation, they don't even know the language they would need to use.

And yet WhatsApp and iMessage alone send over 100 billion messages a day, and the reason is that both are closed. To continue with the iMessage explanation, public keys are sent to Apple's servers to be stored in a directory service; there they (along with the public keys from all of the user's devices) are associated with the user's phone number or email address. This is the critical piece to making iMessage encryption easy to use: senders need only know the recipient's phone number or email address; Apple will silently pass the appropriate public keys to the sender to encrypt the message such that only the recipient can read it.[2]
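The two paragraphs above (the sender cannot encrypt until the recipient has published a key, and a central directory that maps an identifier to every device's public key is what makes that step invisible) as an added, runnable model. This is not Apple's code or protocol: it stands in textbook ElGamal over a small Mersenne prime for the real primitives (demonstration parameters only, nothing like real-world strength), and the `KeyDirectory`, `register`, `lookup` and `send_message` names are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timezone

# Toy public-key scheme: textbook ElGamal over the Mersenne prime 2**127 - 1.
# A stand-in for the real iMessage primitives: parameters far too small for
# real use, present only so the key-directory model below actually runs.
P = 2**127 - 1
G = 3


def generate_keypair():
    """Each device makes its own pair; the private half never leaves the device."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def encrypt(public_key, plaintext):
    """'Lock' with a public key; only the matching private key can unlock."""
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < P:
        raise ValueError("plaintext must be 1..15 bytes for this toy modulus")
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(public_key, k, P)) % P


def decrypt(private_key, ciphertext):
    c1, c2 = ciphertext
    m = (c2 * pow(pow(c1, private_key, P), -1, P)) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class KeyDirectory:
    """The part the service operator controls: identifier -> one public key per device."""
    def __init__(self):
        self.keys = {}       # identifier -> {device_name: public_key}
        self.metadata = []   # what the server necessarily learns: who, whom, when

    def register(self, identifier, device_name, public_key):
        self.keys.setdefault(identifier, {})[device_name] = public_key

    def lookup(self, sender, recipient):
        self.metadata.append((sender, recipient, datetime.now(timezone.utc)))
        return self.keys.get(recipient)  # None: recipient never published a key


def send_message(directory, sender, recipient, plaintext):
    """Encrypt once per recipient device (footnote 2); fail if no key is on file."""
    device_keys = directory.lookup(sender, recipient)
    if not device_keys:
        raise LookupError(f"{recipient} has no public key on file; cannot encrypt")
    return {dev: encrypt(pk, plaintext) for dev, pk in device_keys.items()}
```

A lookup that returns `None` is the email case from the text: with no published key there is nothing for the sender to encrypt to, and `metadata` records the minimum a directory server learns about every conversation.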

In short, encryption is viable for the general public because Apple controls everything: the clients on both ends and the server in the middle. The same is the case with WhatsApp or any other encrypted messaging service: being closed is what makes end-to-end encryption actually usable at scale.

And, as I explained on Monday, this option is not available to Google when it comes to Android: OEMs don't want to deepen their Google dependence, and carriers do not want to undercut their lucrative SMS business (and Google can't force the issue because of its looming antitrust problems). The only option is the one Gundotra praised in 2010: an open standard that no one controls, for better or, in the case of end-to-end encryption, for worse.[3]

Encryption and Privacy

The ongoing debate about data and privacy is directly related to the question of encryption in some important ways, as Mossberg's tweet suggests: message content is data that users want to keep private, and encryption achieves that.

Of course, it is not the only data that messaging generates: the cost of the ease of use that comes from relying on centralized servers for key exchange is the necessary collection of metadata by those servers. Obviously email addresses and/or phone numbers and/or usernames have to be stored (so that they can be associated with public keys), and the very act of connecting two accounts will generate logs of who was communicating with whom and when, and often from where (through IP addresses). Services can and do differentiate based on how long they keep that metadata; Signal,[4] for example, promises to flush metadata as quickly as possible, while WhatsApp — which uses the encryption developed by Signal — can keep that data indefinitely.

The more important way that the relationship between open/closed and encryption bears on data and privacy is this: encryption at scale is only possible with closed services, and so it is with privacy. That is, to the extent that we as a society demand privacy, the more we are implicitly demanding more walled gardens with ever higher walls. Just as a walled garden makes the user experience of managing encryption tractable, the centralization of data also makes privacy — of a sort — a viable business model.

The reality of digital services is that the amount of data each of us generates at basically all times is astronomical; your phone always knows where you are, but so does every app you use and every website you visit.

[Image: map of Stratechery readers]

Google, of course, knows every search a person makes, for many people every email, and, thanks to the company's ad network, its control of Chrome and Google Analytics, and of course Android, nearly everything else people do on the web. Facebook's knowledge is somewhat broader but arguably deeper: your friends, your interests — both stated and revealed — and, thanks to its “Like” button, your web activity too.

To focus simply on Google and Facebook, though, is to miss how much other data collection is going on: ad networks are tracking you on nearly every website you visit, your credit card company is tracking your purchases (and by extension your location), your grocery store is tracking your eating habits, the list goes on and on. Moreover, the further down the data food chain you go, the more likely that data is being bought and sold. That, of course, is open.

Data Collection Versus Data Leakage

Still, the contrast between Google and Facebook is worth considering: Facebook is in hot water because of news that some of the data it collected was sold to Cambridge Analytica, a company that boasted it helped elect President Donald Trump. One does wonder how much of the outrage is due to that claim relative to the fact that Facebook shared the data in the first place, but setting that aside, it is notable that the outrage stems from the sharing of the data, not its collection. Yes, some people are upset about the collection — but they were upset before the current scandal, and their objections simply did not register with the broader public.

This view is buttressed by the fact that Google has been largely unscathed by the current controversy; what seems significant is not the fact that the company collects data, but rather that it has been careful to keep that data inside its walled garden. Indeed, the irony of Gundotra's attack on Apple was always that Google has never been open about its proprietary technology or its money-making advertising apparatus (in which user data plays a major role). Its insistence on Android's openness was based not on principle but on sound strategy: a challenger always wants to commoditize its complements, and for Google the smartphone itself was a complement to search and advertising.

The implication is quite far-reaching: being open, at least to the extent that openness involved user data of any sort, is increasingly unacceptable; that new companies and user benefits might result from that data no longer matters, a fate that all-too-often befalls the not-yet-created.

Google and Facebook's Moats

This entrenches Facebook and Google in three ways:

  • First, without meaningful access to their proprietary data, it is unlikely that any challenger will emerge. To be sure, this was already unlikely: the entire industry learned from the Instagram saga that sharing data with a potential competitor is, from a business perspective, a bad idea.
  • Second, Google and Facebook will increasingly be the only source of innovations that leverage their data; it will be too politically risky for either to share anything with third parties. That means new features that depend on user data must be built by one of the two giants or, as is always the case in a centrally planned system relative to a market, not built at all.
  • Third, Google and Facebook's advertising advantages, already large, will become overwhelming. Both companies generate most of their user data on their own platforms, which is to say their data collection and advertising businesses are integrated. Most of their competitors for digital advertising, on the other hand, are modular: some companies collect data, and others collect ads; such a model, in a society demanding ever more privacy, will be increasingly untenable.

There are increasing expectations that this is exactly what will happen with the European Union's General Data Protection Regulation (GDPR). From the Wall Street Journal:

Brussels hopes its new General Data Protection Regulation (GDPR) will stop tech giants and their partners from pressuring consumers into giving up control of their data in exchange for services. The EU hopes to set an example for legislation around the world. But some of the restrictions are having an unintended consequence: reinforcing the duopoly of Facebook Inc. and Alphabet Inc.'s Google...

Digital advertising firms, or ad-tech companies, say Google's and Facebook's strict interpretations of GDPR will squeeze their businesses. Ad-tech companies embed their technology into publishers' websites and apps, putting them in competition with the tech giants. Unlike the giants, ad-tech companies have no direct relationship with consumers. They say Google's and Facebook's responses force publishers to seek consent on behalf of dozens of ad-tech companies people have never heard of.

This is not a surprise — I predicted it a few months ago. And, while GDPR advocates have pointed to the lobbying Google and Facebook have done against the law as evidence that it will be effective, that is to completely miss the point: of course neither company wants to incur the costs entailed in such significant regulation, which will absolutely restrict the amount of information they can collect. What is missed is that the increase in digital advertising is a secular trend driven first and foremost by eyeballs: more and more time is spent on phones, and the ad dollars will inevitably follow. The calculation that matters, then, is not how much Google or Facebook are hurt in isolation, but how much they are hurt relative to their competitors, and the obvious answer is “a lot less”, which, in the context of that secular increase, means growth.

Privacy and Regulation

There is a broader question from GDPR specifically and the idea that the tide is pushing towards walled gardens generally: what should the seemingly inevitable regulation of tech companies look like? It seems increasingly certain that privacy will be a major focus (it obviously already is in the European Union), but to stop there would be a mistake.

Specifically, if privacy and the prevention of data leakage are a priority, then the platforms that already exist will become ever more entrenched. And, if those platforms will be ever more entrenched, then the more valuable regulation would be that which ensures a level playing field on top of those platforms. The reality is that an emphasis on privacy will only raise the walls on those gardens; it may be fruitful to rule out the possibility of unfair expansion.

Note: I wrote a follow-up in the Daily Update, which you can read in this footnote:[5]

  1. Image from his keynote[↩︎]
  2. Because private keys are tied to devices, iMessage actually encrypts a single message multiple times, each time with the public key of a different recipient device[↩︎]
  3. To be very clear, it is technically possible to layer encryption onto RCS, but it requires the cooperation of the carriers collectively and the addition of a trusted entity like certificate authorities for https; the entire point, though, is that carriers refuse to do this[↩︎]
  4. An example of open-source software run as a closed service[↩︎]
  5. So, I definitely messed up with yesterday's article in a way none of you noticed; given that on Monday I wrote an in-depth look at Google's new messaging initiative, I skimmed over the details in yesterday's article, Open, Closed, and Privacy. Unfortunately, that meant I got a lot of tweets and emails from non-subscribers taking me to task on points I had, well, already explained (I didn't get anything from subscribers). The dangers of a paywall!

    Probably the two biggest points of pushback were that Google could build an encrypted system if they wanted to (as I explained on Monday, they already tried, and they can't really exercise Android leverage right now), and that carriers could build a federated key exchange system and/or something akin to the certificate authority framework that undergirds HTTPS. That's all true!

    My point, though — and the reality Google had to accept, as the Verge feature explained — is that carriers will not do that, full stop. The only way to achieve end-to-end encryption in the real world as it exists today is to build a separate centralized service that sits on top of phones (via apps) and runs over the Internet. To put it another way, Google wasn't choosing whether to build an encrypted service or an open one; they were choosing whether to build something better than SMS or nothing at all.

    Now, does Google have a business interest in message content being unencrypted? I suppose, and as I noted on Monday, making Allo unencrypted by default was a bad look (although understandable for non-advertising related reasons, specifically the deep integration with Google Assistant). But the truth is that Google already knows a great deal about a great many people, particularly those who use Android. One could argue that Google hasn't tried hard enough on encryption, but I don't think it is quite right to say the company actively doesn't want encryption.

    Still, the clarification is useful given the comparison I was trying to draw between encryption and privacy: just as one can, in theory, envision a standard that is both open and includes encryption (like HTTPS!), one can also envision a world where users truly own their data in a secure way and carry it from service to service. Indeed, such a system is far more feasible if it is built into the technological foundation (like HTTPS!) rather than retrofitted over the objections of entrenched incumbents.

    Two more follow-up points:

    • While I didn't say so explicitly, I think I at least strongly implied that I would expect Apple's support. They certainly could — remember, this is basically SMS 2.0, and Apple obviously supports SMS — but I have a hard time imagining any scenario in which Apple doesn't stick to the (very legitimate!) excuse of the lack of encryption. More importantly, it is even more difficult for me to see any way that carriers could exert leverage on Apple; their lack of leverage is why iMessage exists in the first place.
    • Of course, the blockchain is the theoretical solution, but as I have noted before, the real blockchain advantage in this debate is the thorough un-Aggregation that comes through decentralization. To be sure, this is by no means a sure thing for many of the principles raised in this article, particularly given the trade-off between a scaled user experience and that decentralization. Regardless, any such solution is a fair way off in the future.

    As for the final point about regulation, stay tuned; it has been top of mind for a long time[↩︎]