背景 (The Background)

Today’s installment is all about the traps — usually hiding in plain sight — that tech companies use to help us part with more of our privacy and security than we should. We often overlook these seemingly benign requests, so let’s learn how to better identify them so that we can start saying “No!” when we see these requests, OK?

今天的文章主要是关于陷阱(通常隐藏在看不见的地方)，科技公司用来帮助我们摆脱我们应有的隐私和安全性的陷阱。 我们通常会忽略这些看似良性的请求，因此让我们学习如何更好地识别它们，以便我们可以开始说“不！” 当我们看到这些请求时，好吗？

“给我们您的电话号码”方法 (The “Give Us Your Phone Number” Method)

Websites — especially “free” social media and networking sites — rely on generating their profit by selling your data to advertisers. It’s a very lucrative business, something I talked about at length in Episode 15. That episode was focused on how the Google ecosystem works. I also talked about this concept in Episode 17, which detailed how the beanie-wearing CEO of Twitter had his own Twitter account hijacked.

网站(尤其是“免费”社交媒体和网络站点)依赖于通过将数据出售给广告商来产生利润。 这是一项非常有利可图的业务，我在第15集中谈到了很多。 那集中于谷歌生态系统如何运作。 我还在第17集中谈到了这个概念，其中详细介绍了戴着无檐小便帽的Twitter CEO如何劫持自己的Twitter帐户 。

What It Looks LikeCompanies have gotten very clever at selling you on why they need access to your phone number. Here are two of the more common reasons provided: security & notifications…

看起来公司已经很聪明地向您出售了为什么他们需要访问您的电话号码。 以下是提供的两个较常见的原因：安全性和通知…

There! Do you see? If you just give us your cellphone number then we can “keep your account secure” or “reset your password easily”.

那里！ 你有看到？ 如果您只给我们您的手机号码，那么我们可以“确保您的帐户安全”或“轻松重置密码”。

How It WorksWhen you willingly give any website your actual cellphone number, the company owning that website now has extra capabilities and data about you that they don’t need and shouldn’t have:

工作原理当您愿意为任何网站提供您的实际手机号码时，拥有该网站的公司现在会拥有不需要和不应拥有的有关您的额外功能和数据：

• The ability to message or call you. If a company has your phone number, then it’s only a matter of time before they use it.

  可以向您发送消息或给您打电话。 如果公司有您的电话号码，那么使用它们只是时间问题。

• The ability to target ads to you based on your area code. If your cellphone area code is 212, then either you live in New York City or you once did. That information is important to companies who wish to advertise to you.

  能够根据您的区号为您定位广告。 如果您的手机区号是212，那么您要么住在纽约市，要么曾经住过。 该信息对于希望向您做广告的公司很重要。

• The knowledge of which company provides your cellphone service. If you give me your cellphone number, this website can identify your cell service provider. If I know that, I’m one step closer to attempt SIM swapping your account. This is the same trick that malicious hackers used in August of 2019 to take control of the twitter account of the CEO of Twitter, Jack Dorsey.

  哪家公司为您提供手机服务。 如果您给我您的手机号码， 该网站可以识别您的手机服务提供商。 如果我知道这一点，那么我就可以尝试SIM卡交换您的帐户了。 这与恶意黑客在2019年8月用来控制Twitter CEO Jack Dorsey的twitter帐户的技巧相同 。

• Access to any public information linked to your number. Ever enter your cellphone number into Google, Yahoo, Bing, SmartPage or DuckDuckGo? It’s worth seeing just how much information is available about you all because you’ve willingly given your cellphone number to a website or other company.

  访问链接到您的电话号码的所有公共信息。 您是否曾经在Google，Yahoo，Bing，SmartPage或DuckDuckGo中输入您的手机号码？ 值得一看的是有多少关于您的信息，因为您愿意将手机号码提供给网站或其他公司。

If that sounds like it’s a lot of extra power and data that you’d rather not wish others to have: friend, I don’t blame you. Fortunately, there’s something we can do about it.

如果这听起来像是您不希望其他人拥有的大量额外功能和数据：朋友，我不怪您。 幸运的是，我们可以做一些事情。

The Actual TruthThe truth is that you can reset your password and have a VERY secure account without giving any company or website your personal cellphone number. There is no company on the planet that needs your personal cellphone number to maintain your security or safety. Literally: none. Therefore, there’s no need to willingly provide that information to any company. Literally: none.

事实真相事实是，您可以重置密码并拥有一个非常安全的帐户，而无需向任何公司或网站提供您的个人手机号码。 这个星球上没有公司需要您的个人手机号码来维护您的安全。 从字面上看：没有。 因此，没有必要将信息提供给任何公司。 从字面上看：没有。

What to DoStart thinking of yourself as a spy. No: I’m not joking. I want you to classify yourself! Never give out your actual cellphone number to anyone: websites, banks, the PTA, government organizations, co-workers or, obviously, strangers. Instead, if you absolutely MUST provide a phone number on certain occasions, only provide those individuals or companies with a secondary phone number. You can obtain one of those for free from either of these providers:

做什么开始将自己视为间谍。 不：我不是在开玩笑。 我要你对自己分类！ 切勿将您的实际手机号码透露给任何人：网站，银行，PTA，政府组织，同事或显然是陌生人。 相反，如果您绝对必须在某些情况下提供电话号码，请仅向这些个人或公司提供辅助电话号码。 您可以从以下任一提供程序中免费获取其中之一：

• Google Voice works on all computers and Chromebooks, and on any mobile device running iOS or Android. The service is easy to use, integrates seamlessly into Google’s ecosystem, and offers some of the same powerful features that Google pioneered, including a powerful search engine and effective spam filtering for your phone calls.

  Google语音可在所有计算机和Chromebook以及运行iOS或Android的任何移动设备上使用。 该服务易于使用，可无缝集成到Google的生态系统中，并提供Google开拓的一些相同的强大功能，包括强大的搜索引擎和对电话的有效垃圾邮件过滤功能。

• Pinger Textfree is 100 percent free and available for iOS, Android, and over the web on any computer. The free version is funded by ads that display in various parts of the app when you’re texting and calling. There is, of course, a paid version without ads ($2.99/month) or with a reserved number ($4.99/month), but honestly, why bother for a burner number? Texting is totally free, but placing calls will cost you credits.

  Pinger Textfree是100％免费的，可在iOS，Android和网络上的任何计算机上使用。 免费版本由在发短信和打电话时显示在应用程序各个部分中的广告提供资金。 当然，有一个付费版本，没有广告($ 2.99 /月)或有保留号码($ 4.99 /月)，但是老实说，为什么要花一些钱呢？ 发短信是完全免费的，但拨打电话会浪费您的信用。

“But, David,” you ask because you’re fond of referring to me by my first name, “If I’m using a Google product, won’t they just harvest more data from me?”. Good question. Yes, they will. But again, you’re only giving out your secondary phone number to non-essential companies or people. You can still provide your actual cell phone number to those who are in your “inner circle” of trust. What Google captures with the other calls is, essentially, secondary information, not your most trusted data.

“但是，大卫，”您问，因为您很喜欢用我的名字称呼我，“如果我使用的是Google产品，他们会不会只是从我这里收集更多数据？”。 好问题。 是他们会。 但同样， 您只向不重要的公司或个人提供辅助电话号码 。 您仍然可以将您的实际手机号码提供给信任“内圈”中的人。 Google从其他电话中捕获的内容实质上是辅助信息，而不是您最信任的数据。

“仅使用Facebook”或“仅使用Google”方法 (The “Just Use Facebook” or “Just Use Google” Method)

Some websites offer “convenience” instead of security. There’s nothing wrong with that if the website is upfront with you about it that, but most aren’t. To me, “security” means taking responsibility for guarding your log-in information: your username & password.

一些网站提供“便利”而不是安全性。 如果该网站在您的眼前，这没什么不对的，但大多数情况并非如此。 对我来说，“安全性”是指负责保护您的登录信息：用户名和密码。

What It Looks LikeAs a “convenience”, many websites offer you the ability to log into their systems using your Facebook or Google Account to sign in. Here are two examples:

看起来很方便，许多网站为您提供了使用您的Facebook或Google帐户登录到其系统的功能。以下是两个示例：

How It WorksWhile it’s a convenience to not have to remember another user name and password, it’s also a liability. Giving Facebook & Google permission to log us into other websites opens all of us to a variety of consequences & trade-offs:

工作原理虽然不必记住其他用户名和密码是很方便的，但这也是一种责任。 授予Facebook和Google允许我们登录其他网站的权限，使我们所有人都有各种后果和权衡取舍：

• Giving Facebook & Google more information about you, in general. Remember, social media websites sites collect as much data about you as you allow them to. That’s their business. Giving them permission to log you into various websites provides them with much more data about who you are.

  通常，向Facebook和Google提供有关您的更多信息。 请记住，社交媒体网站会收集您允许的尽可能多的有关您的数据。 那是他们的事。 授予他们登录到各种网站的权限，可以为他们提供有关您的身份的更多数据。

• Giving Facebook & Google more information about you, in specific. We all have stories and information about ourselves that we guard more carefully. For example, are you a recovering alcoholic? Do you belong to a MeetUp group for recovering alcoholics? If you log into the MeetUp website using Facebook or Google, are you 100% sure about which data you’re sharing with those companies?

  具体来说，向Facebook和Google提供有关您的更多信息。 我们都有关于自己的故事和信息，我们会更加谨慎地对待。 例如，您是正在戒酒的人吗？ 您是否属于MeetUp小组中的酗酒者？ 如果您使用Facebook或Google登录MeetUp网站，您是否100％确定要与这些公司共享哪些数据？

• Facebook & Google can target you more specifically. With the extra data you willingly provide, Google and Facebook can then target you with even more precise ads for products, political issues & political candidates. Those ads have proven to create a more divisive political atmosphere and, in some cases, allowed foreign governments to influence our last major election cycle.

  Facebook和Google可以更具体地定位您。 利用您愿意提供的额外数据，Google和Facebook可以为您提供针对产品，政治问题和政治候选人的更为精确的广告。 事实证明，这些广告营造了更加分裂的政治氛围，在某些情况下，还使外国政府能够影响我们的上一个主要选举周期。

• You open yourself to security vulnerabilities. If the websites you log in to hand off the security of your account to Facebook & Google, then those social media companies are now responsible for safeguarding your data. Only, they don’t. Facebook, in particular, is fucking awful at keeping their site secure. Last year, a study associated with Princeton’s Center for Information Technology Policy found many security vulnerabilities with the Facebook login mechanism. Those security vulnerabilities can allow for malicious websites or hackers to capture even more additional information about you.

  您向安全漏洞敞开大门。 如果您登录的网站将帐户的安全性移交给Facebook和Google，则这些社交媒体公司现在有责任保护您的数据。 只是，他们没有。 尤其是 Facebook，在确保其网站安全方面表现得很糟糕 。 去年，与普林斯顿大学信息技术政策中心相关的一项研究发现，Facebook登录机制存在许多安全漏洞 。 这些安全漏洞可能允许恶意网站或黑客捕获有关您的更多其他信息。

“The researchers found that sometimes when users grant permission for a website to access their Facebook profile, third-party trackers embedded on the site are getting that data, too. That can include a user’s name, email address, age, birthday, and other information, depending on what info the original site requested to access.” — from the WIRED article on the same study.

“研究人员发现，有时当用户授予网站访问其Facebook个人资料的权限时，嵌入在网站上的第三方跟踪器也会获取该数据。 其中可以包括用户的姓名，电子邮件地址，年龄，生日和其他信息，具体取决于原始网站要求访问的信息。” —来自 同一研究 的WIRED文章 。

Oh, and that doesn’t also count the 30 million Facebook users who had their account info compromised due to a security breach. #FuckFacebook

哦，这还不算3000万名 因安全漏洞而使帐户信息受到损害的Facebook用户 。 #FuckFacebook

The Actual TruthThere is no reason that you need to use Facebook or Google to login into non-Facebook or non-Google websites. Literally: none. Doing so means that you are willingly providing those companies with extra information about you that they don’t need. Don’t help them.

实际情况您无需使用Facebook或Google即可登录非Facebook或非Google网站。 从字面上看：没有。 这样做意味着您愿意为那些公司提供不需要的关于您的额外信息。 不要帮他们

What To DoInstead of logging in with social media accounts, use a well-respected, well-reviewed password manager. If possible, choose an application that’s built entirely on “open source” software, so named because its source code is open for anyone — anyone!! — to view. The security community considers open-source software to be safer than traditional, commercial software precisely because anyone can see it and suggest code improvements.

做什么除了使用社交媒体帐户登录外，请使用受人尊敬且经过严格审查的密码管理器。 如果可能，请选择一个完全基于“开源”软件构建的应用程序，之所以这样命名，是因为其源代码对任何人都开放！ - 查看。 安全社区认为开源软件比传统的商业软件更安全，这恰恰是因为任何人都可以看到它并建议改进代码。

In my opinion, the best open-source password manager available is Bit Warden. It’s 100% free, and available for every major operating system and browser. After using LastPass for nearly a decade, I’ve been using BitWarden for the past three months on my computer and smartphone and I like how well it works in most (but not all) cases, compared to LastPass. Grab it and use it to manage all of your user names and passwords so you don’t have to rely on your brain or on Facebook to do it for you.

我认为，最好的开源密码管理器是Bit Warden 。 它是100％免费的，并且适用于每个主要的操作系统和浏览器。 在使用LastPass近十年后，过去三个月来我一直在计算机和智能手机上使用BitWarden，与LastPass相比，我喜欢它在大多数(但不是全部)情况下的性能。 抓住它并使用它来管理您的所有用户名和密码，这样您就不必依靠大脑或Facebook来为您完成此操作。

To ConsiderAt their most recent keynote address, Apple announced that they, too, would be offering a simplified, convenient log-on button to help consumers. It’s called, simply “ Sign-in with Apple” and it will look like this:

考虑一下在最近一次的主题演讲中，Apple宣布他们也将提供一个简化，方便的登录按钮来帮助消费者。 简称为“用Apple登录”，它看起来像这样：

Apple’s claims to be offering both convenience and privacy for consumers with their offering, claiming they won’t track which apps you’re using or where you have accounts. Developers (and supposedly Apple) do not see any of your data that you don’t agree to provide and the company is making it very easy to hide your personal email address so others won’t have access to it:

苹果公司声称将通过其产品为消费者 提供 便利和隐私，并声称他们不会跟踪您正在使用哪些应用程序或您在哪里拥有帐户。 开发人员(可能是Apple)看不到您不同意提供的任何数据，并且该公司正非常轻松地隐藏您的个人电子邮件地址，以便其他人无法访问它：

Sounds like an interesting option. In fact, it’s worth watching the Wall Street Journal video below for a deeper dive on how Facebook, Google, & Apple’s system will work:

听起来像是一个有趣的选择。 实际上，值得观看下面的《华尔街日报》视频，深入了解Facebook，Google和Apple系统的工作方式：

If Apple has done its work correctly — and the longterm reviews are yet to be seen — consumers will get a convenient login but with deeper security and privacy than either Google or Faceturd can provide. For me, that’s worth exploring. To see how the process works on iOS 13, MacRumors has an excellent write up (with pictures!!) to help make things nice ‘n easy.

如果Apple正确地完成了其工作-并没有进行长期审查-消费者将可以方便地登录，但其安全性和隐私性将比Google或Faceturd所提供的更深。 对我来说，值得探索。 若要查看该过程在iOS 13上的工作方式， MacRumors具有出色的文字记录 (带有图片！)，可帮助您轻松完成工作。

Until Apple’s new system is proven to be a game-changer, I’ll share what I use:

在事实证明苹果的新系统将改变游戏规则之前，我将分享我的使用经验：

我最喜欢的电子邮件工具 (My Favorite Email Tool)

I spoke at length about 33mail in my previous articles. The company offers unlimited, free, customizable email addresses. Even better, their system and interface is simple and has helped me to nearly halt spam instantly. In fact, after using their free plan for months, I decided to sign up for the company’s premium service for $1/month. It was worth it. That tier provided me with: no advertisements in forwarded emails, use of my own customized domain, and a higher monthly data cap so I could send/receive more emails using their system. Here’s how it works…

在之前的文章中，我谈到了33mail 。 该公司提供无限，免费，可自定义的电子邮件地址。 更好的是，它们的系统和界面很简单，并帮助我几乎立即阻止了垃圾邮件。 实际上，在使用他们几个月的免费计划后，我决定以每月1美元的价格注册该公司的高级服务。 值得。 该层为我提供了：在转发的电子邮件中没有广告，没有使用我自己的自定义域，并且每月的数据上限更高，因此我可以使用其系统发送/接收更多电子邮件。 运作方式如下...

Not bad for a free service… Give them a test-drive to see if it doesn’t help you stop spam in its tracks.

免费服务还不错……给他们一个测试驱动器，看看它是否无助于阻止垃圾邮件的出现。

And… that’s a wrap for today’s installment, my friends. Thank you all, once again, for reading.

而且...我的朋友们，这是今天分期付款的礼物。 再次感谢大家阅读。

链接到其他热门帖子 (Links to Other Popular Posts)

Click here for my guide on how to choose a privacy-focused VPN.If you’re looking to set up a VERY secure iPhone, click here.For a deeper dive into using 33mail, click here.Click here for a crash course on how to keep your devices updated.

单击此处获取有关如何选择针对隐私的VPN的指南。如果您要设置非常安全的iPhone， 请单击此处 。要深入了解使用33mail， 请单击此处 。 单击此处以获取有关如何保持设备更新的速成课程。

© 2020 David Koff

©2020大卫·科夫(David Koff)

Published originally on Substack

最初在子堆栈上发布