凱拉·馬修斯 譯/羅小凡 審訂/黃勤 Kayla Matthews

Most people share data without thinking about it. They provide information to companies while purchasing merchandise， signing up for email lists， downloading apps and more. They also expect the respective enterprises to safeguard those details.

Unfortunately， the businesses in question often fall short of the task， exposing valuable data. The resulting violation of privacy laws can lead to huge fines and eroded public trust.

Here are six recent examples of companies that failed to do everything they could to respect users privacy.

1. Zoom gave data to third parties without users knowledge

An April 2020 piece from The New York Times alleged that popular video conferencing site Zoom engaged in undisclosed data mining during user conversations. The coverage asserted that when a person signed into a meeting， Zoom transmitted their data to a system that matched individuals with their LinkedIn profiles. The incident happened via a subscription-based tool called LinkedIn Sales Navigator that Zoom offered customers to assist with their marketing needs.

Moreover， when someone signed into a Zoom meeting with an anonymous name， the tool still connected that person to their respective LinkedIn profile. Thus， the person had their real name revealed to a fellow user despite efforts to keep it private. Zoom promised to disable the tool and remove it from the companys offerings.

2. Google violated childrens privacy laws

Google is under fire for violation of privacy laws， recent reports say. A California federal court received a lawsuit from two children suing the tech giant through their father. The pair assert that the G Suite for Education platform unlawfully collects biometric1 data from kids who use it. If so， that action would likely mean Google disregarded the Childrens Online Privacy Protection Act （COPPA）， a federal mandate that requires getting parental consent before gathering data from minors under 13. Moreover， the company may face allegations of violations associated with state biometric laws. The issues could affect millions of kids and their privacy.

3. Hackers dump confidential law firm data

A law firms document management system （DMS） contains all the legal documents about its clients. Some include records spanning 10 to 20 years， making it especially necessary to protect the data. Privacy violations sometimes occur due to inadequate cybersecurity. For example， the Maze hacker group targeted Texas law firm Baker Wotring and published a “full dump” of the organizations data. The incident was a ransomware attack， and the leak likely happened when the cybercriminals did not receive the requested payment. The compromised records included case diaries， consent forms and more.

4. Facebook fined for its role in Cambridge Analytica data harvesting

Federal officials in the United States carried out a 16-month investigation and determined Facebook repeatedly misled its users and compromised efforts to safeguard privacy. That decision came after Cambridge Analytica used a third-party app to harvest data from a Facebook quiz for political purposes.

The Federal Trade Commission （FTC）2 fined Facebook $5 billion for the infractions， the largest amount ever imposed on a company for a consumer privacy regulation.

5. Ring doorbell app allegedly loaded with trackers

The Ring doorbell has an accompanying app that lets people see， hear and speak to individuals who arrive on their doorsteps—even without being home. Unfortunately， when the Electronic Frontier Foundation （EFF）3 investigated the Android version， it discovered numerous third-party trackers. The researchers say that Ring sent data to four outside entities， providing them with personally identifiable information.

The transmitted details include names， IP addresses and data from users device sensors. The EFF warned that recipients could combine all the information to get a unique user picture.

6. WhatsApp flaw sacrificed the privacy of top government officials

Privacy violations also happen if malicious parties exploit weaknesses in widely used apps. Such a situation unfolded when NSO Group4， an Israeli hacking tool developer， allegedly built and sold a product that allowed the infiltration of WhatsApps servers due to an identified weakness. This problem caused at least 1，400 users to have their mobile phones hacked within approximately two weeks in April and May 2019.

A sizeable segment of the identified victims were reportedly high-profile government officials located in at least 20 countries. Early investigative efforts failed to confirm the perpetrators5 that used the tool from NSO Group.

分享數(shù)據(jù)時(shí)，大多數(shù)人往往不假思索。購買商品、注冊(cè)電子郵箱列表、下載應(yīng)用程序等等，人們向公司提供了個(gè)人信息，同時(shí)也指望這些公司能夠保護(hù)好那些細(xì)碎信息。

不幸的是，相關(guān)企業(yè)往往失職，泄露了重要的數(shù)據(jù)。由此產(chǎn)生的違反隱私法的行為，可能會(huì)導(dǎo)致巨額罰款，并削弱其公信力。

下面介紹公司未能盡其所能尊重用戶隱私的6個(gè)近期案例。

1. Zoom公司在用戶不知情的情況下將其信息提供給第三方

《紐約時(shí)報(bào)》2020年4月的一篇文章稱，備受青睞的視頻會(huì)議網(wǎng)站Zoom在用戶對(duì)話期間秘密采集數(shù)據(jù)。報(bào)道稱，當(dāng)用戶登錄會(huì)議時(shí)，Zoom將其數(shù)據(jù)傳輸?shù)揭粋€(gè)系統(tǒng)，該系統(tǒng)將用戶與其領(lǐng)英平臺(tái)中的個(gè)人資料進(jìn)行匹配。事件由一個(gè)名為領(lǐng)英銷售導(dǎo)航的訂閱工具觸發(fā)。Zoom為客戶提供該工具，以滿足公司的營銷需求。

此外，當(dāng)用戶匿名登錄Zoom會(huì)議時(shí)，該工具仍會(huì)關(guān)聯(lián)他們?cè)陬I(lǐng)英平臺(tái)上的個(gè)人資料。因此，盡管用戶努力保密，其真實(shí)姓名還是會(huì)被透露給其他用戶。Zoom承諾禁用該工具并將其從公司的產(chǎn)品中刪除。

2. 谷歌公司違反兒童隱私保護(hù)法

據(jù)近期報(bào)道，谷歌公司因違反隱私保護(hù)法而受到猛烈抨擊。加州一家聯(lián)邦法院收到了兩個(gè)孩子通過父親提起的對(duì)這家科技巨頭的訴訟。二人稱，谷歌教育平臺(tái)非法收集兒童用戶的生物識(shí)別數(shù)據(jù)。如果此事屬實(shí)，該行為可能意味著，谷歌無視聯(lián)邦政府頒布的《兒童在線隱私保護(hù)法》。該法令要求在收集13歲以下未成年人的數(shù)據(jù)之前，必須征得其父母同意。此外，谷歌可能面臨違反加州生物識(shí)別法的指控。這些問題可能會(huì)影響數(shù)百萬兒童及其隱私。

3. 黑客盜取律所機(jī)密數(shù)據(jù)

律師事務(wù)所的文件管理系統(tǒng)包含客戶的所有法律文件。其中一些檔案的時(shí)間跨度為10至20年，因此保護(hù)這些數(shù)據(jù)尤為必要。網(wǎng)絡(luò)安全措施不足有時(shí)會(huì)導(dǎo)致侵犯隱私的情況。例如，“迷宮”黑客組織鎖定得克薩斯州的貝克-沃特林律師事務(wù)所為攻擊目標(biāo)，公開了該公司的“全部黑料”。這是一起勒索軟件引起的攻擊事件，很可能是網(wǎng)絡(luò)犯罪分子沒有收到贖金而泄露信息的。遭泄露的材料包括案件卷宗和知情同意書等等。

4. 臉書因參與劍橋分析公司數(shù)據(jù)收集而受罰

美國聯(lián)邦政府人員進(jìn)行了為期16個(gè)月的調(diào)查，確認(rèn)臉書一再誤導(dǎo)其用戶并破壞保護(hù)隱私方面的種種努力。這一判定裁決前，劍橋分析公司出于政治目的，使用第三方應(yīng)用程序從臉書的一個(gè)智力游戲中獲取數(shù)據(jù)。

美國聯(lián)邦貿(mào)易委員會(huì)對(duì)臉書的違規(guī)行為處以50億美元罰款，這是迄今為止因侵犯消費(fèi)者隱私而對(duì)一家公司處以的最高罰款。

5. 據(jù)稱“門鈴”應(yīng)用程序裝有跟蹤器

“門鈴”有一個(gè)附帶的應(yīng)用程序，能夠讓住戶即使不在家也能在有人到了家門口時(shí)看到、聽到并與之交談。不幸的是，電子前沿基金會(huì)調(diào)查其安卓版本時(shí)發(fā)現(xiàn)了許多第三方追蹤器。研究人員表示，“門鈴”向四個(gè)外部實(shí)體發(fā)送數(shù)據(jù)，提供個(gè)人可標(biāo)識(shí)信息。

發(fā)送出去的詳細(xì)信息包括姓名、網(wǎng)際協(xié)議地址和用戶設(shè)備傳感器上的數(shù)據(jù)。電子前沿基金會(huì)警告說，數(shù)據(jù)接收者可以結(jié)合所有信息，勾畫出用戶畫像，即掌握該用戶的個(gè)人情況。

6. 沃茨阿普應(yīng)用程序漏洞致政府高官隱私流出

惡意組織利用流行應(yīng)用程序的弱點(diǎn)也會(huì)帶來侵犯隱私的行為。據(jù)稱，以色列黑客工具開發(fā)商N(yùn)SO集團(tuán)制造并銷售了一款產(chǎn)品，該產(chǎn)品讓人借助已識(shí)別的弱點(diǎn)潛入沃茨阿普服務(wù)器，從而侵犯隱私。2019年4月至5月，約兩周時(shí)間內(nèi)，該問題導(dǎo)致至少1400名用戶的手機(jī)被黑客攻擊。

據(jù)報(bào)道，已確認(rèn)身份的受害者中，相當(dāng)大一部分是來自至少20個(gè)國家的高級(jí)政府官員。初步調(diào)查工作未能確認(rèn)使用NSO集團(tuán)工具的犯罪者身份。

（譯者單位：華中科技大學(xué)）