Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don't have the capability to protect that information.
Personal information protection is an economic problem, not a security problem. The reason is easy to explain: the organizations we trust are not punished when they leak our personal information; on the other hand, individuals have no ability to protect their own personal information.
There are actually two problems here: Personal information is easy to steal, and it's valuable once stolen. We can't solve one problem without solving the other. The solutions aren't easy, and you're not going to like them.
In fact these are two problems: 1) personal information is easy to steal; 2) personal information is valuable. We cannot solve just one of them. The solution is not simple, and most people will probably resist it.
First, fix the economic problem. Credit card companies make more money extending easy credit and making it trivial for customers to use their cards than they lose from fraud. They won't improve their security as long as you (and not they) are the one who suffers from identity theft. It's the same for banks and brokerages: As long as you're the one who suffers when your account is hacked, they don't have any incentive to fix the problem. And data brokers like ChoicePoint are worse; they don't suffer if they reveal your information. You don't have a business relationship with them; you can't even switch to a competitor in disgust.
First, we have to solve the economic problem. To introduce a simple authentication mechanism for credit cards, the card companies would have to spend more money, and because the cards would become more cumbersome to use they would probably lose many customers; these two losses far exceed what the companies lose to credit card fraud, so they have no incentive to solve the problem. Banks and brokerages think the same way. For personal-data brokers like ChoicePoint the situation is even worse: if a data breach occurs, the company suffers no loss at all, and you cannot even stop it from collecting your personal information.
Credit card security works as well as it does because the 1968 Truth in Lending Law limits consumer liability for fraud to $50. If the credit card companies could pass fraud losses on to the consumers, they would be spending far less money to stop those losses. But once Congress forced them to suffer the costs of fraud, they invented all sorts of security measures--real-time transaction verification, expert systems patrolling the transaction database and so on--to prevent fraud. The lesson is clear: Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it's in the financial interest of financial institutions to protect us from identity theft, they will.
One reason credit card security works relatively well is the 1968 Truth in Lending law, which caps the consumer's liability for credit card fraud at $50. If the card companies could push the liability for card fraud onto consumers, they would have no incentive at all to improve security. But once they have to pay for security failures, they are able to come up with all kinds of effective security measures: real-time transaction verification, expert systems patrolling the transaction database, and so on. This is a valuable lesson: make the stronger party responsible for the risk, and economic pressure will force it to improve the system's security.
(This reminds me of our own banks: they insist on aligning with international practice on everything, so why not publicize this law too?)
Second, stop using personal information to authenticate people. Watch how credit cards work. Notice that the store clerk barely looks at your signature, or how you can use credit cards remotely where no one can check your signature. The credit card industry learned decades ago that authenticating people has only limited value. Instead, they put most of their effort into authenticating the transaction, and they're much more secure because of it.
Second, stop using personal information for authentication. Look at how credit cards work: the store cashier basically never checks your signature. The credit card industry realized twenty years ago that authenticating the individual is of limited use, so it put its effort into authenticating the transaction instead, which greatly improved security.
This won't solve the problem of securing our personal information, but it will greatly reduce the threat. Once the information is no longer of value, you only have to worry about securing the information from voyeurs rather than the more common--and more financially motivated--fraudsters.
This does not completely solve the problem of protecting personal information, but it reduces the harm caused when that information leaks. Once the information has no value, you no longer need to worry about its security.
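The contrast the essay draws between authenticating the person and authenticating the transaction, as an added illustration that is not part of the original article and models no real card scheme: a static secret such as the card number proves only that the presenter has seen it, whereas a per-transaction MAC over the transaction's own fields, keyed with a secret held by the card and the issuer, is useless once copied because it cannot be replayed or attached to a different purchase. The card number, key, merchant names and counter scheme below are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    card_number: str  # static data: anyone who has seen the card knows it
    merchant: str
    amount_cents: int
    counter: int      # per-card transaction counter, blocks replays

# Constructed sample data: one card whose secret key is shared only with
# the issuer and never leaves the card.
CARD_KEYS = {"4111111111111111": b"constructed-issuer-key-for-card-1"}
LAST_COUNTER = {"4111111111111111": 0}

def authorize_by_knowledge(tx, presented_number):
    """'Authenticate the person': accept anyone who knows the card number."""
    return presented_number == tx.card_number

def card_cryptogram(tx, key):
    """What the card computes: a MAC over the fields of this transaction."""
    msg = f"{tx.card_number}|{tx.merchant}|{tx.amount_cents}|{tx.counter}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def authorize_by_transaction(tx, cryptogram):
    """What the issuer checks: a fresh counter and a MAC that matches."""
    key = CARD_KEYS.get(tx.card_number)
    if key is None or tx.counter <= LAST_COUNTER[tx.card_number]:
        return False
    if not hmac.compare_digest(card_cryptogram(tx, key), cryptogram):
        return False
    LAST_COUNTER[tx.card_number] = tx.counter
    return True

def scenario():
    """Constructed walk-through; returns the outcome of each check."""
    number = "4111111111111111"
    LAST_COUNTER[number] = 0
    genuine = Transaction(number, "bookshop", 1999, counter=1)
    tag = card_cryptogram(genuine, CARD_KEYS[number])
    out = {"genuine": authorize_by_transaction(genuine, tag)}
    # Someone who copied the number, and even saw the cryptogram, tries again.
    out["copy_passes_knowledge_check"] = authorize_by_knowledge(genuine, number)
    out["copy_replayed"] = authorize_by_transaction(genuine, tag)
    altered = Transaction(number, "other-shop", 99900, counter=2)
    out["copy_with_altered_details"] = authorize_by_transaction(altered, tag)
    return out
```

The knowledge check accepts the copied number every time, while the transaction check accepts only the genuine purchase and rejects both the replay and the altered transaction.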
And third, fix the other economic problem: Organizations that expose our personal information aren't hurt by that exposure. We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don't care for it properly.
Finally, solve the other economic problem: at present, organizations that leak users' personal information are not punished. We need legislation to protect personal information and to let users obtain compensation from the organizations that leaked it.
"Passwords" like credit card numbers and mother's maiden name used to work, but we've forever left the world where our privacy comes from the obscurity of our personal information and the difficulty others have in accessing it. We need to abandon security systems that are based on obscurity and difficulty, and build legal protections to take over where technological advances have left us exposed.
People commonly use their credit card number or their mother's maiden name as a password, but we have always taken it for granted that we come from an obscure family and that obtaining our personal information is difficult, and so that such a password is secure. We have to abandon this way of thinking; what we need is legal protection in place of protection at the technical level.