流氓不可怕,就怕流氓有文化。——袍哥张

2019年的篇文章,《虚拟服务提供商——安全、选择和各种考虑》,里面也提到signal的往事。现在已经人是物非。

另一篇提到vps的文章,听起来很福音的样子:《在各种坏消息和假消息充斥的时代传讲好消息》。

自从signal被封,有些大型的signal聊天群算是彻底失联。所以,大家都在寻找替代性的安全聊天工具。这个中间有些常识性的问题,比如怎样理解TOS的问题。虽然和技术关系不大,但和安全的关系还是有一些。

举个简单的例子,说明如何从一个软件的网站公开信息,比如TOS上,判断一个聊天软件是否安全。

有朋友询问“Sugram 畅聊版”是否安全。就以这个我从未听说过的软件为例,说明我的判断过程。

  1. 看看这个软件的介绍:

Sugram 畅聊版是一款为用户提供安全即时通讯服务的工具。

1. 畅聊:提供文本、语音、图片、视频、名片和位置等聊天方式。
2. 安全加密:五层端到端加密、全方位算法保障与安全防范。
3. 保护隐私:云端不保存通讯记录,服务器全球部署保证接入的速度和安全,同时提供阅后即焚和截屏提醒等保护用户隐私。
4. 简洁体验:专注即时通信,提供稳定的核心基础功能。

看起来是一个安全的加密聊天软件。关于这个介绍里的问题,待会儿再说。

2. 试着打开公司的网站。我使用brave浏览器(见简明网络安全(3)|浏览器安全),直接报告我说,这家公司的网站没有使用https认证:https://www.sugramapp.com/

因为我安装了httpsonly插件,Brave和firefox都直接拒绝让我打开sugramapp.com的网站,而是报告说不安全链接。

如果不是为了举例,到这里就结束了——一家开发加密聊天软件的公司,居然不使用https?这算是低级失误吧。

3. 用不那么苛求安全的edge浏览器打开公司网站。网站显示,开发商名叫“ 武汉珺苍琴网络科技有限公司”,有备案号,留了一个google邮箱。所以,应该是一家武汉的公司,但没有自己的公司邮箱。

4. 检查网站上的TOS——term of service,或者说服务条款。这是一个很重要的工作,你得看看一个加密聊天服务,到底如何承诺保护你的数据。

这家公司只提供了英文版的TOS,但也没关系,拉出来看看。下面的内容超长,所以我在每个大标题上提示一句,读者若不愿意细看,就看提示就好了。

Information Collection and Use 信息收集和使用(这是要看的重点)

We collect several different types of information for various purposes to provide and improve our Service to you.

Types of Data Collected (信息收集)

Personal Data (个人信息:这个软件要收集个体识别信息,比如电子邮件,电话号码,并用cookies来跟踪用户的使用情况,甚至可能收集其他方面的使用情况。总之,在这个说明上,并未说明这些数据的具体内容。)

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to:

Email address Phone number Cookies and Usage Data

Usage Data (自动采集你所有的身份数据,包括手机号,手机型号,唯一序列号,ip地址,操作系统,浏览器类型等等。

When you access the Service with a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data (“Usage Data”). 数据收集得十分全面。

Tracking & Cookies Data

We use cookies and similar tracking technologies to track the activity on our Service and we hold certain information.

Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags and scripts to collect and track information and to improve and analyse our Service. (这里说明,也许还会使用——几乎肯定会使用——其他技术来分析和跟踪用户。)

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Examples of Cookies we use: (这里并不是说明,而是举例。)

Session Cookies. We use Session Cookies to operate our Service. Preference Cookies. We use Preference Cookies to remember your preferences and various settings. Security Cookies. We use Security Cookies for security purposes.

Use of Data 这是对数据的使用,下面的说明几乎没有任何具体的地方。或者说,可以任意、无限地使用你的数据。

Sushine Tech Ltd. uses the collected data for various purposes:

To provide and maintain our Service To notify you about changes to our Service To allow you to participate in interactive features of our Service when you choose to do so To provide customer support To gather analysis or valuable information so that we can improve our Service To monitor the usage of our Service To detect, prevent and address technical issues

If you are from the European Economic Area (EEA), Sushine Tech Ltd. legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.

Sushine Tech Ltd. may process your Personal Data because:

We need to perform a contract with you You have given us permission to do so The processing is in our legitimate interests and it is not overridden by your rights For payment processing purposes To comply with the law

Retention of Data (您的数据将会被保留下来……)

Sushine Tech Ltd. will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

Sushine Tech Ltd. will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer periods.

Transfer of Data (我加红了一个地名,Macao,这可不是五虎上将之一的马超,而是澳门。所以,世界各地的数据都将汇聚澳门,也就是说,会脱离美国或欧美的隐私保护法管辖。)

Your information, including Personal Data, may be transferred to – and maintained on – computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside Macao and choose to provide information to us, please note that we transfer the data, including Personal Data, to Macao and process it there.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Sushine Tech Ltd. will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information.

Disclosure of Data (数据披露:当然,根据澳门的法律或你懂的……)

Business Transaction

If Sushine Tech Ltd. is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Disclosure for Law Enforcement

Under certain circumstances, Sushine Tech Ltd. may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Sushine Tech Ltd. may disclose your Personal Data in the good faith belief that such action is necessary to:

To comply with a legal obligation To protect and defend the rights or property of Sushine Tech Ltd. To prevent or investigate possible wrongdoing in connection with the Service To protect the personal safety of users of the Service or the public To protect against legal liability

Security of Data (下面这段话的意思是:数据可能不安全,你不可以告我)

The security of your data is important to us but remember that no method of transmission over the Internet or method of electronic storage is 100 secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Our Policy on “Do Not Track” Signals under the California Online Protection Act (CalOPPA) (我们不支持”别跟踪我“标签,说了也白说,继续跟踪你)

We do not support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

Your Data Protection Rights under the General Data Protection Regulation (GDPR) (欧盟之内,可以找我们删除数据。但有点麻烦)

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. Sushine Tech Ltd. aims to take reasonable steps to allow you to correct, amend, delete or limit the use of your Personal Data.

If you wish to be informed about what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.

In certain circumstances, you have the following data protection rights:

The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you. The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete. The right to object. You have the right to object to our processing of your Personal Data. The right of restriction. You have the right to request that we restrict the processing of your personal information. The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machinereadable and commonly used format. The right to withdraw consent. You also have the right to withdraw your consent at any time where Sushine Tech Ltd. relied on your consent to process your personal information.

Please note that we may ask you to verify your identity before responding to such requests.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).

Service Providers (下面的话大概说,我们和商业伙伴共享数据)

We may employ third party companies and individuals to facilitate our Service (“Service Providers”), provide the Service on our behalf, perform Servicerelated services or assist us in analysing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Payments

We may provide paid products and/or services within the Service. In that case, we use thirdparty services for payment processing (e.g. payment processors).

We will not store or collect your payment card details. That information is provided directly to our thirdparty payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCIDSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCIDSS requirements help ensure the secure handling of payment information.

The payment processors we work with are:

Apple Store InApp PaymentsTheir Privacy Policy can be viewed at https://www.apple.com/legal/privacy/enww/ Google Play InApp PaymentsTheir Privacy Policy can be viewed at https://www.google.com/policies/privacy/ WeChatTheir Privacy Policy can be viewed at https://www.wechat.com/en/privacy_policy.html AlipayTheir Privacy Policy can be viewed at https://render.alipay.com/p/f/agreementpages/alipayglobalprivacypolicy.html

Our Service may contain links to other sites that are not operated by us. If you click a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Children’s Privacy

Our Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

这个软件还有一个用户协议(中文的),其中有这样的条款:

五、服务使用规范

4、您承诺不会利用本服务进行任何违法或不当的活动,包括但不限于下列行为:

4.1 上载、传送或分享含有下列内容之一的信息:

(a) 反对宪法所确定的基本原则的;

(b) 危害国家安全,泄露国家秘密,颠覆国家政权,破坏国家统一的;

(c) 损害国家荣誉和利益的;

(d) 煽动民族仇恨、民族歧视、破坏民族团结的;

(e) 破坏国家宗教政策,宣扬邪教和封建迷信的;

(f) 散布谣言,扰乱社会秩序,破坏社会稳定的;

(g) 散布淫秽、色情、赌博、暴力、凶杀、恐怖或者教唆犯罪的;

(h) 侮辱或者诽谤他人,侵害他人合法权利的;

(i) 含有虚假、诈骗、有害、胁迫、侵害他人隐私、骚扰、侵害、中伤、粗俗、猥亵、或其它道德上令人反感的内容;

(j) 含有中国法律、法规、规章、条例以及任何具有法律效力之规范所限制或禁止的其它内容的;

……

4.11 违反遵守法律法规、社会主义制度、国家利益、公民合法利益、公共秩序、社会道德风尚和信息真实性等“七条底线”要求的行为;

4.12 从事任何违反中国法律、法规、规章、政策及规范性文件的行为。

……

7、您同意并接受我们无须时时监控您上载、传送或分享的资料及信息,但我们有权对您使用服务的情况进行审查、监督并采取相应行动,包括但不限于删除信息、中止或终止服务,及向有关机关报告

8、您承诺不以任何形式使用本服务侵犯我们的商业利益,或从事任何可能对我们造成损害或不利于我们的行为。

9、您了解并同意,在我们服务提供过程中,我们及其关联公司或其授权单位和个人有权以各种方式投放各种商业性广告或其他任何类型的推广信息,同时,您同意接受以电子邮件或其他方式向您发送的上述广告或推广信息。

……

好了,回头说说应用商店里的软件介绍:

Sugram 畅聊版是一款为用户提供安全即时通讯服务的工具。

1. 畅聊:提供文本、语音、图片、视频、名片和位置等聊天方式。
2. 安全加密:五层端到端加密、全方位算法保障与安全防范
3. 保护隐私:云端不保存通讯记录,服务器全球部署保证接入的速度和安全,同时提供阅后即焚和截屏提醒等保护用户隐私。
4. 简洁体验:专注即时通信,提供稳定的核心基础功能。

五层端到端加密?我没听说过这种技术,听起来就像纳米技术鸡蛋或量子技术钢笔一样。到底用了哪五层端到端加密,还可以将你所有的信息全部保存下来?顺便说一句,知道什么叫端到端加密吗?这真是忽悠得厉害。

云端不保存通讯记录?阅后即焚?呵呵,请仔细阅读TOS吧。我不多说了。
图片

网络安全,首先需要软件安全。使用一个忽悠人的流氓软件,当然也是一种有胆有识的尝试。

我从前还评论过另一个安全产品的TOS。那款产品号称基于区块链的安全vpn路由器,一边上网,还能一边挖矿。我看了一下TOS,发现什么信息都会采集——事实上,既然你都被人当作矿工了,高价卖一个路由器(其实是矿机)给你,用你家的电为他挖矿,你还想着区块链安全访问外网,还能匿名和保护隐私,是不是有点太那个了?……但这款产品号称一个硅谷的基督徒企业家开发的,而我的文章发出来不到24小时,就被投诉封掉了。我也不知道是动了谁的奶酪了,只能一笑置之,希望不要有人真的觉得安全可靠,就送给敏感地区的宣教士用去了。

算了,不多说了。一句话,即使signal被封掉了,也不要病急乱投医,至少好好读一读软件的TOS。简明网络安全(5)|电子邮件才是安全的王道,或者简明网络安全(6)|使用虚拟专用网的11个理由以及其他