Can We Still Trust Big Companies to Protect Privacy?

Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history.

Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine.

The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.

Following major breaches, companies often deflect responsibility by pointing the finger at state-sponsored actors, as Yahoo did.

Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.

But there is also reason to be sceptical of Yahoo’s claim.

Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users.

It is better PR to blame a foreign intelligence service than for a company to admit it lacked basic security features.

It also puts companies on a stronger legal footing against users who may seek to sue them.

The trouble is that most cyber security breaches — including those by nations — exploit known vulnerabilities, such as where a patch was either not developed or deployed.

Most breaches are preventable yet attacks continue to increase in number and scale.

The woeful state of cyber security is, simply, a market failure.

The reasons are numerous and complex.

Consumers are unable to make informed judgments about security when choosing where to entrust their information.

Companies hesitate to share cyber threat information with industry competitors.

Threats are distributed such that the relative probability that any one company will be the victim of a breach remains low.

The bottom line is that companies do not have adequate economic incentive to invest in security infrastructure.

Governments must find ways to encourage companies to undertake more responsible practices.

One way will be by developing liability mechanisms to impose costs on organisations that fail to protect customers’ data.

And where the consequences of cyber security breaches are especially dire — networked medical devices or autonomous vehicles, for example — governments will need to enact robust regulatory standards to ensure safety.

But companies are not the only problem.

Consumers are largely unwilling to accept even minor inconveniences for better security.

Systems remain unpatched because individuals cannot be bothered to install updates.

Users chafe against imposed security measures like the rejection of weak passwords.

Conscientious companies walk a fine line between encouraging customers to be safe and imposing burdens that individuals will circumvent with even more vulnerable workarounds, or running the risk of driving users to more convenient and less secure platforms.

Until we address failures at corporate and collective levels, the lesson of the Yahoo breach for the individual is that cyber security is every man for himself.

When people cannot rely on large companies to protect personal information, the only responsible approach is to presume breaches are inevitable and try to mitigate the damage.

Not reusing passwords prevents a single attack from compromising multiple accounts.

Adopting two-factor authentication features reduces individual risk.

And users should consider what information to store and share online.

But ultimately self-help will fall short.

We have limited choice about what data about us are produced and stored and participating in modern society necessitates volunteering a great deal more.

Preventing large-scale data breaches is similar to countering disease epidemics — individual practices can protect us only so much and, where we are unable to wall ourselves off, large-scale institutional responses are required.
