360 chief privacy officer on the game between big data and personal privacy

Posted by forbes at 2020-03-12

Lei Feng Net note: This article was compiled from an exclusive interview by Lei Feng Net (official account: Lei Feng Net); reproduction without permission is strictly prohibited. The article is divided into two parts: the first part is "360 Chief Privacy Officer talks about the game between big data and personal privacy", and the second part is "new development of network security in the era of artificial intelligence".

Currently, he is the Chief Privacy Officer of Qihu 360 Technology Co., Ltd. and the president of China Internet Security Conference 2013. In July 2009, he joined Beijing Qihu Technology Co., Ltd. as vice president, responsible for managing the technical teams for the company's website technology, technical operation and maintenance, data analysis and mining, cloud-based virus scanning, cloud storage and other businesses.

He graduated from the Department of Computer Science and Engineering, Xi'an Jiaotong University, in 1992. Since January 2003, he has successively served as technology development director at 3721, technology development director at Yahoo China, CTO of Yahoo China, and director of the Alibaba Yahoo China technology development department. He also served as CTO and COO of MySpace.

Currently, he also serves as Deputy Secretary General of CCF, chairman of YOCSEF, and chairman of this year's CNCC Prelude tech frontier & Rockstar.

The following is the edited interview record:

1. First of all, let us start from a recent social hot spot: telecom fraud. During last month's national cyber security week (September 19-25), 360 released the 2016 China Telecom Fraud Situation Analysis Report. How does 360 view the internal connection between telecom fraud and cyber security?

First, take the case of Xu Yuyu: the fraud gang actually had her basic information in advance, and much of this information was obtained through Internet channels. Although the fraud itself is ultimately carried out by phone and SMS, the network has become a source of information for telecom fraud.

Secondly, many of the overseas telecom fraud gangs also carry out fraud through the network. From their overseas dens, they place fraud calls to domestic numbers through VoIP. VoIP is a way of using the network for voice communication, which can be thought of simply as Internet telephony. They can then hide the source of the call by configuring the VoIP gateway, which is different from traditional telecommunication services.

Finally, the division of labor among fraud organizations is often coordinated on Internet platforms; different criminals may be located in different places and coordinate the fraud over the network.

Therefore, the Internet has actually become a tool or channel for fraud.

2. Since the Internet may be used by lawbreakers, what measures can the industry take to deal with it?

As far as I know, there is cooperation among Internet companies, operators, financial services, public security, etc., but the degree of cooperation still needs to be improved. Recently, the central government has also attached great importance to this issue, and the public security authorities have invested more effort. The strength of cooperation is increasing and the efficiency is improving, which should help a lot in preventing such cases.

3. Given the current state of things, how far is there still to go?

This problem is difficult to analyze quantitatively. 80% of the problems may be solved soon, but to solve the last 20% thoroughly often takes several times the time and energy.

However, from what I have learned since, I am optimistic. I believe that the trend of frequent telecom fraud will soon be curbed.

4. We know that 360 mobile phone guard has comprehensively improved its risky-call reminder mechanism and launched a suspicious call reminder function, and 360 search has also provided a dedicated telecom fraud query function. What technologies are used behind these applications?

First, we can think of it as "crowdsourcing". 360's client applications are installed on a large number of devices, and users can feed information back. For example, when a user receives a phone call suspected of fraud, they can mark it directly in our application after hanging up. Other users will then get a reminder when they receive a call from the same number.

Second, we can use big data analysis to judge. Taking SMS as an example, ordinary users generally do not mass-send the same bank account number widely, while fraudulent SMS messages are often sent in bulk, so we can analyze them according to the number of messages sent. We can also judge whether an SMS is likely to be fraudulent from features such as whether short links or web pages are embedded in its content. In addition, we can analyze whether the web page that a link in the SMS jumps to is fake. For example, the domain name and IP address of the Industrial and Commercial Bank of China are fixed. If the page suddenly jumps to a North American domain name, but its appearance is very similar to the official website of the Industrial and Commercial Bank of China, then we can conclude that it is a fraud website.

5. You just mentioned that 360 has accumulated a large number of end users through free security services, and end customers continue to send data to the cloud. How do you use it?

The first type is data such as bank accounts. We cooperate with the banks. If an account appears in fraud information, we will submit it to the bank for special processing to prevent loss of the user's property.

The second category is mainly short link data. For example, a message received by a user contains a short link, and clicking on it downloads an APK, which is likely to be a Trojan horse. After we get the short link, we download the APK directly and then have an automated program analyze whether the APK file is a Trojan. If so, we will remind the user accordingly, and other users will be reminded when they receive the same short link in the future. We all know that if the Trojan does get onto the user's mobile phone, the consequences will be very serious: the address book and other information will all be exposed at a glance. It can even steal the user's information and commit fraud in the user's name. If we can identify the Trojan automatically and prevent it from running, that is very helpful to users.

The third type is the calling number. If a user receives a fraud call and marks the number, we will run big data analysis on this marked data, and other users will be prompted when they receive a call from the same number.

6. Big data and sharing economy bring us a lot of opportunities, but it is also a "double-edged sword". Personal information security is facing more and more challenges. Some people say that this is a game between big data and personal privacy. What do you think of it as the Chief Privacy Officer of Qihoo 360?

This issue is mainly discussed from two aspects.

First, big data and the sharing economy make people's lives more convenient, and the personalized services provided to people will be more intimate. But the disadvantage is that your personal information may be used, and analysis based on big data can even predict what you will do next. If I remember correctly, Gartner published a report which said that in 2017, 80% of users would be willing to use their personal information in exchange for cheaper and more convenient services. I think it is because of human nature. When people can get certain conveniences, they may voluntarily hand over some of their information. So when big data brings people benefits, so that they get a better experience and cheaper service, people often find it hard to refuse.

Second, if information is leaked and maliciously used, it will cause great harm, and people will live in a glass box. This seems to be a problem that society has to face in the process of evolution, and there is no simple solution.

So I think the game between the two will finally reach a balance point. For example, the West often mentions the right to privacy, which in China is often called privacy or private information, which is not very accurate in my opinion. "Privacy", the right to privacy, should be a right. That is to say, when you want to live alone and unknown, when you don't want others to know your information, you have the right to choose. But in today's society, you may not be able to choose or achieve this at all. Even if you don't want it, others can find out through other means. For example, your health, your income and so on: you don't want others to know. Can you do it? This is what I call the right to privacy. I think it should give people the right to choose for themselves. Of course, it is not mandatory for you to live unknown. For example, those Internet celebrity streamers, who livestream even their meals and sleep, have given up their privacy rights. They just want to show it to the audience. In this case, we respect their choice rather than force them to disclose their information.

As for the final solution to this problem, first of all, there should be the protection of laws and regulations; once the relevant regulations are promulgated, information service providers are then asked how they comply with them. For example, whether the information collected is related to the services provided. If I go out to dinner and my marital status has to be collected, it doesn't make any sense. If you log in to a marriage website, it is necessary to know your marital status, income and other information, because the services provided to you need to use this information. Moreover, whether the user is clearly informed before the information is collected, and whether the purpose of the information is explained. Third, if the user is not willing to provide the relevant information, the service provider can choose to refuse to provide the relevant services, but cannot obtain the information without the user's permission. Fourth, whether the collected information is properly kept and cannot be spread at will. Fifth, whether the use of the information is within the agreed scope. If you provide personal information to the marriage website, but the marriage website sells the information to an advertising company, that is a use of user information beyond what the user authorized. Sixth, whether the user can correct their information when it is inaccurate; this is not done well in many places. Once the information is submitted, even if it is wrong, there is no chance to modify it. Finally, how information is destroyed and how it can be destroyed safely. For example, if the device storing the information is sold as a second-hand mobile phone, the buyer may get the information inside.

7. So how does the industry destroy it now?

If it is very sensitive data, the disk will be removed for degaussing. The other method is physical destruction: drilling or smashing.

This is the end of the first part, "360 Chief Privacy Officer talks about the game between big data and personal privacy". Please look forward to the next part, "new development of network security in the era of artificial intelligence".

On October 19, Mr. Tan Xiaosheng will attend the security sub-forum of the 2016 China Computer Conference.