Do you remember when you were a child, you probably had a favorite toy that was a constant companion, like Christopher Robin had Winnie the Pooh, and your imagination fueled endless adventures? What could be more innocent than that? Well, let me introduce you to my friend Cayla.
Cayla was voted toy of the year in countries around the world. She connects to the internet and uses speech recognition technology to answer your child's questions, respond just like a friend. But the power doesn't lie with your child's imagination. It actually lies with the company harvesting masses of personal information while your family is innocently chatting away in the safety of their home, a dangerously false sense of security. This case sounded alarm bells for me, as it is my job to protect consumers' rights in my country. And with billions of devices such as cars, energy meters and even vacuum cleaners expected to come online by 2020, we thought this was a case worth investigating further. Because what was Cayla doing with all the interesting things she was learning? Did she have another friend she was loyal to and shared her information with? Yes, you guessed right. She did. In order to play with Cayla, you need to download an app to access all her features. Parents must consent to the terms being changed without notice. The recordings of the child, her friends and family, can be used for targeted advertising. And all this information can be shared with unnamed third parties.
Enough? Not quite. Anyone with a smartphone can connect to Cayla within a certain distance. When we confronted the company that made and programmed Cayla, they issued a series of statements that one had to be an IT expert in order to breach the security. Shall we fact-check that statement and live hack Cayla together? Here she is. Cayla is equipped with a Bluetooth device which can transmit up to 60 feet, a bit less if there's a wall between. That means I, or any stranger, can connect to the doll while being outside the room where Cayla and her friends are. And to illustrate this, I'm going to turn Cayla on now. Let's see, one, two, three. There. She's on. And I asked a colleague to stand outside with his smartphone, and he's connected, and to make this a bit creepier ...
(Laughter)
let's see what kids could hear Cayla say in the safety of their room.
Man: Hi. My name is Cayla. What is yours?
Finn Myrstad: Uh, Finn.
Man: Is your mom close by?
FM: Uh, no, she's in the store.
Man: Ah. Do you want to come out and play with me?
FM: That's a great idea.
Man: Ah, great.
FM: I'm going to turn Cayla off now.
(Laughter)
We needed no password or to circumvent any other type of security to do this. We published a report in 20 countries around the world, exposing this significant security flaw and many other problematic issues. So what happened? Cayla was banned in Germany, taken off the shelves by Amazon and Wal-Mart, and she's now peacefully resting at the German Spy Museum in Berlin.
(Laughter)
However, Cayla was also for sale in stores around the world for more than a year after we published our report. What we uncovered is that there are few rules to protect us and the ones we have are not being properly enforced. We need to get the security and privacy of these devices right before they enter the market, because what is the point of locking a house with a key if anyone can enter it through a connected device?
You may well think, "This will not happen to me. I will just stay away from these flawed devices." But that won't keep you safe, because simply by connecting to the internet, you are put in an impossible take-it-or-leave-it position.
Let me show you. Like most of you, I have dozens of apps on my phone, and used properly, they can make our lives easier, more convenient and maybe even healthier. But have we been lulled into a false sense of security? It starts simply by ticking a box. Yes, we say, I've read the terms. But have you really read the terms? Are you sure they didn't look too long and your phone was running out of battery, and the last time you tried they were impossible to understand, and you needed to use the service now? And now, the power imbalance is established, because we have agreed to our personal information being gathered and used on a scale we could never imagine.
This is why my colleagues and I decided to take a deeper look at this. We set out to read the terms of popular apps on an average phone. And to show the world how unrealistic it is to expect consumers to actually read the terms, we printed them, more than 900 pages, and sat down in our office and read them out loud ourselves, streaming the experiment live on our websites. As you can see, it took quite a long time. It took us 31 hours, 49 minutes and 11 seconds to read the terms on an average phone. That is longer than a movie marathon of the "Harry Potter" movies and the "Godfather" movies combined.
(Laughter)
And reading is one thing. Understanding is another story. That would have taken us much, much longer. And this is a real problem, because companies have argued for 20 to 30 years against regulating the internet better, because users have consented to the terms and conditions.
As we've shown with this experiment, achieving informed consent is close to impossible. Do you think it's fair to put the burden of responsibility on the consumer? I don't. I think we should demand less take-it-or-leave-it and more understandable terms before we agree to them.
(Applause)
Thank you.
Now, I would like to tell you a story about love. Some of the world's most popular apps are dating apps, an industry now worth more than, or close to, three billion dollars a year. And of course, we're OK sharing our intimate details with our other half. But who else is snooping, saving and sharing our information while we are baring our souls? My team and I decided to investigate this. And in order to understand the issue from all angles and to truly do a thorough job, I realized I had to download one of the world's most popular dating apps myself.
So I went home to my wife ...
(Laughter)
who I had just married. "Is it OK if I establish a profile on a very popular dating app for purely scientific purposes?"
(Laughter)
This is what we found. Hidden behind the main menu was a preticked box that gave the dating company access to all my personal pictures on Facebook, in my case more than 2,000 of them, and some were quite personal. And to make matters worse, when we read the terms and conditions, we discovered the following, and I'm going to need to take out my reading glasses for this one. And I'm going to read it for you, because this is complicated. All right.
"By posting content" -- and content refers to your pictures, chat and other interactions in the dating service -- "as a part of the service, you automatically grant to the company, its affiliates, licensees and successors an irrevocable" -- which means you can't change your mind -- "perpetual" -- which means forever -- "nonexclusive, transferrable, sublicensable, fully paid-up, worldwide right and license to use, copy, store, perform, display, reproduce, record, play, adapt, modify and distribute the content, prepare derivative works of the content, or incorporate the content into other works and grant and authorize sublicenses of the foregoing in any media now known or hereafter created."
That basically means that all your dating history and everything related to it can be used for any purpose for all time. Just imagine your children seeing your sassy dating photos in a birth control ad 20 years from now.
But seriously, though --
(Laughter)
what might these commercial practices mean to you? For example, financial loss: based on your web browsing history, algorithms might decide whether you will get a mortgage or not. Subconscious manipulation: companies can analyze your emotions based on your photos and chats, targeting you with ads when you are at your most vulnerable. Discrimination: a fitness app can sell your data to a health insurance company, preventing you from getting coverage in the future. All of this is happening in the world today.
But of course, not all uses of data are malign. Some are just flawed or need more work, and some are truly great. And there is some good news as well. The dating companies changed their policies globally after we filed a legal complaint. But organizations such as mine that fight for consumers' rights can't be everywhere. Nor can consumers fix this on their own, because if we know that something innocent we said will come back to haunt us, we will stop speaking. If we know that we are being watched and monitored, we will change our behavior. And if we can't control who has our data and how it is being used, we have lost the control of our lives.
The stories I have told you today are not random examples. They are everywhere, and they are a sign that things need to change. And how can we achieve that change? Well, companies need to realize that by prioritizing privacy and security, they can build trust and loyalty to their users. Governments must create a safer internet by ensuring enforcement and up-to-date rules. And us, the citizens? We can use our voice to remind the world that technology can only truly benefit society if it respects basic rights.
Thank you so much.
(Applause)