Why You Can't Trust Apps Today - And How To Fix It

Dear Every Single Tech Company, Please Steal This Idea

When you send a photo to someone, your messaging app actually first sends the photo to the app’s server, which then sends the photo to them:

And sure, in the 90’s, when the internet was just starting to get big, this might have been what happened. But somewhere along the line, someone figured out how to profit from user data, and so now here’s what actually happens:

And that’s just sending one photo. In 2019, you give apps access to your camera, location, microphone, contacts, browsing habits, even your medical records. After you tap “Allow” once, an app can even upload your entire photo and video library to their servers in the background while you’re sleeping.

The Internet is facilitating an insane free-for-all for our personal data, with potential consequences getting worse. Apps even exploit this data with behavioral science to squeeze every dollar or minute out of their users, when it’s clearly against the users’ best interests. Today, companies have every incentive to exploit our data for profit, and no incentive to protect our privacy.

Since we’re only going to rely more on apps over time, the critical question is:

How do you know if you can trust an app?

Trust Through Privacy Policy

When you ask a company about protecting your data, they respond by telling you to read their Privacy Policy, which is a document they wrote (or copy-pasted) that promises they’ll protect your data.

But wait, isn’t that circular logic? I should trust that they’re protecting my data because… they have a document that says they’ll protect my data? How do I know they’re doing any of the things they claim in the Privacy Policy?

It turns out it’s impossible to know if an app company is violating their Privacy Policy (or violating privacy regulations in general), because there’s literally nothing stopping them: they’re Privacy Policies, not Privacy Proofs. Not only that, they're not actually legally binding, and in the rare cases when companies actually do get caught, the penalties are unbelievably light. And as recent government (in)action on data breaches, ISP privacy rules, and net neutrality show, often there are no penalties at all.

Privacy Policies and regulations do not create real trust; they only serve to provide a false sense of security or privacy.

Trust Through Pricing

It’s a common saying on the internet: “If the product is free, then you’re the product.” And while that’s sometimes true, since revenue must come from somewhere, some people commit the logical fallacy of assuming the inverse must also be true: “If the product is not free, then you’re not the product.”

Due to this mistake, some people use price as a criterion when choosing apps to use, by looking for apps that aren’t free and making the false assumption that non-free products will not exploit their data for profit.

Of course, it is entirely possible, and just as likely, for a company to charge you for an app while also profiting off of your data or having poor security. Pricing is therefore a bad criterion for finding an app that you can trust.

Trust Through Aesthetics

Woah, those app screenshots look so sleek! And their website is so colorful and tastefully designed, with beautiful animations that you simply can’t resist. Why would an adorable cartoon bear lie to you? Is that even possible?

Well, sadly, yes — cartoon characters lie all the time. Since they were created by a human and their dialogue is written by a human, an adorable cartoon bear is no less likely to exploit your personal data for profit. It might look cuter while doing it, though.

The aesthetics of a website might tell you that they spent $20 on a SquareSpace theme (or pirated it), but they say nothing about how trustworthy an app or service is — it’s even possible that the company skimped on data security in order to spend more on their website’s design and animations.

Trust Through Popularity

If all your friends jumped off a digital bridge, would you? At one point, Yahoo had over three billion accounts, and in 2013 they broke the world record for the biggest data breach ever, by a very long shot. Since then, there have been many more breaches of tens or hundreds of millions of accounts at other companies. And those only count disclosed and known breaches — nobody knows what the real numbers are.

Popularity isn’t a reliable proxy of how trustworthy an app is. In fact, there are even scam apps that make it into the top charts of the App Store.

Trust Through “4096-Bit Military Ultra Encryption Rhino HTTPS Squeegee”

Buzzwords are cool, but — wait, no, buzzwords are terrible and extremely dishonest. Companies and marketers often deploy technobabble, or purposely misuse and misapply jargon, to give the impression of technical sophistication and legitimacy. Oftentimes, if you don’t understand something, it’s either because the explainer has done a terrible job of explaining it, or because the explainer is intentionally trying to confuse you into submission. In either case, technobabble should make you more wary and trust the explainer even less.

So what actually creates trust?

Apps should have to earn the trust of their users, especially when there are such strong financial incentives for companies to simply lie and abuse user data.

To earn user trust, apps should be fully transparent — the public should be able to see everything the app and its servers are doing, so that anyone can verify that there’s no negligent, dishonest, or even malicious activity. In other words: trust through transparency.

Trust Through Transparency

Full transparency means making the entire operation of an app public and verifiable, from the app code on your phone or computer, to the server code and infrastructure on the cloud, to the actions of the company’s employees, plus proof of all of that. It’s everything that touches your data. Everything.

If getting full and verifiable transparency from the apps we use every day seems like a radical idea, it’s because we’ve been trained for so long to expect so little from companies. We’ve been trained to upload our personal data, cross our fingers, and simply hope for the best. The truth is, if we’re giving companies our most sensitive personal information, why shouldn’t we expect them to give us proof of exactly what they’re doing with it?

A Standard For Transparency

To be clear, partial transparency is insufficient and misleading, because it still allows “bad bits” to be hidden, defeating the purpose of transparency. For example, a company hiding just a small part of their server code is still able to secretly copy all user data to unknown third parties from their servers.

So how do we know if an app is being fully transparent, versus only partially transparent or not transparent at all?

A standard for full transparency doesn’t exist today, so we’re creating one and giving it away for free.

This new standard is called Openly Operated, because full transparency requires the entire operation of an app to be open and verifiable. This includes making public all app source code, server code, infrastructure, and employee actions, as well as providing proof of accuracy and validity. It’s like giving the public read-only access to the app operator’s Admin console (example here).

How is this different from apps today? Here’s the photo-sending example from the beginning again — except this time, the app is Openly Operated:

Unlike the earlier examples, the Openly Operated certification process forces the app to be fully and verifiably transparent, preventing the app’s operators from hiding privacy and security issues. This process, at a high level, is:

  1. The app fulfills specific requirements to demonstrate full transparency, and uses direct references to source code, infrastructure, and other evidence to prove the app’s privacy or security claims.

  2. Combine these requirements and proof of claims into an Openly Operated Audit Kit that anyone can publicly view and verify.

  3. Get matched with independent auditors, who verify the Audit Kit to produce public Openly Operated Audit Reports, detailing their verifications and providing a summary.

This lets everyone participate in “trust through transparency”: users who are more technical can perform verifications themselves by diving into the nitty gritty details in the Audit Kit, while less tech-savvy users can read the independent Audit Reports and summaries. Openly Operated’s transparency is the opposite of the status quo, where apps simply tell users to read their totally unproven and unverifiable Privacy Policy.

Openly Operated is a free certification. Our mission is for all apps to earn trust through transparency, so all documentation is available at no cost, and companies pay nothing to license the certification. We’ve even built examples to show that Openly Operated apps are possible. These are more than proof-of-concepts — they’re in production, fully functional, and are operating at scale with real users.

Everything Should Be Openly Operated

Companies have been blatantly dishonest about how they handle and secure user data for too long. From its creation until now, Facebook has had a privacy setting for user wall posts labeled “Only Me”. To any regular person, “Only Me” has a simple meaning: one person, themselves, and literally nobody else.

But over the last ten years, we’ve learned the hard way that Facebook has a very different definition of “Only Me”. To Facebook, “Only Me” means “Me and All Of Facebook’s Advertisers and Their Partners and Some Of Facebook’s 25,000 Employees and Some Unknown Number Of Contractors and Facebook Apps That Friends or I Have Used and Those Apps’ Employees and Anyone Those Apps Share Or Sell Data To… Maybe”.

Privacy and security scandals happen every week not because companies are evil, but because like anything else, companies operate on incentives. In a world where there’s no way to verify an app’s security or privacy claims, why should a company be honest and make less money, while their competitors are being dishonest and making more money? Current incentives give dishonest and insecure companies an edge to grow faster, compete more efficiently, spend more on marketing, and capture the most customers.

Openly Operated provides a structured way for companies to prove their privacy and security claims. Users have nothing to lose and everything to gain by demanding transparency from the apps they give their personal data to. The question shouldn’t be “Why should the apps I use be transparent?” — it should be “Why aren’t the apps I use transparent? What are they hiding?”

What You Can Do

This is Openly Operated’s official release announcement. If you think a standard for full, verifiable transparency is important, here’s how to help:

  1. Share this story with your friends and family. Many people are still stuck in the old ways of thinking that Privacy Policies, aesthetics, or popularity are useful metrics for trust. Show them that full transparency is what really matters, and that it’s actually possible.
  2. Subscribe to the Openly Operated newsletter to receive monthly updates. Your email address is kept private and never shared with third parties — see the proof in OpenlyOperated.org’s Audit Kit and Audit Reports.
  3. Learn more at OpenlyOperated.org. No matter your level of technical expertise, there’s something for you, whether you’re a user curious about the many benefits of transparency, an engineer building apps people can trust, or a company that wants to win customers while increasing security.

-

We are Johnny Lin and Rahul Dewan, co-founders of Openly Operated, the free transparency certification. We want to answer your questions and read your comments — email us at hi@openlyoperated.org, or find us on Telegram.

This post originally appeared on the Openly Operated blog here.

Translated from: https://www.freecodecamp.org/news/why-you-cant-trust-apps-today-and-how-to-fix-it/