Banned again and again, yet still rampant! Nearly 70% of users say apps have requested privacy permissions their functions did not need.

  Recently, speculation that food-delivery apps may be "eavesdropping" on users has drawn wide attention and discussion. The companies involved quickly denied it, stressing that "monitoring users' daily conversations and analysing the content" was unfounded speculation and that no such product feature exists. Even so, the discussion shows the love-hate relationship most users have with online applications such as apps: they want them to be more convenient and to "know me well", but they worry about apps learning too much private information and "knowing me too well".

  For such problems, China's Cybersecurity Law, in force since 2017, establishes that network operators must follow the principles of legality, legitimacy and necessity when collecting and using personal information. Yet as the occasions on which users' personal information is collected and stored keep multiplying, violations of users' private information continue to surface one after another, and leaks of privacy-related user data occur frequently. Apps requesting excessive permissions and collecting and using personal information beyond the stated scope have been prohibited repeatedly, yet the practice persists.

  In response to these practical problems, it was reported at the recently concluded session of the National People's Congress that the Personal Information Protection Law has been placed on the legislative agenda of this NPC. On March 15th, the State Administration for Market Regulation and the Cyberspace Administration of China jointly issued the Announcement on Carrying out App Security Certification together with its implementation rules, in order to standardise how apps collect and use user information, especially personal information, and to strengthen the security protection of personal information.

  However, reporters from China Youth Daily and Zhongqing Online learned in interviews that these regulatory policies, while advancing the privacy-protection system, also face considerable resistance. All parties are also asking: beyond laws and regulations, what market and technical forces can balance privacy protection against the efficient use of data?

  Banned again and again, yet still rampant! Nearly 70% of users say apps have requested privacy permissions their functions did not need.

  After looking up a lot of IELTS-related content in a search engine, Wuhan college student Lin Hai found the homepage of the shopping app on his phone taken over by IELTS books and study materials. "I was surprised at first, then angry, and then scared," he said of discovering this.

  Such experiences are not uncommon. Another college student, Yang Xiaoye, installed a mirror app on her phone and by chance found that the app had "legitimately" accessed her contacts. A single-function flashlight app even asked for the phone's microphone (recording) permission.

  A questionnaire survey on "App Personal Information Disclosure" run by the China Consumers Association from July 17 to August 13, 2018 found that 85.2% of respondents said they had experienced leakage of personal information through apps, and 67.2% said an app they used had obtained privacy-related permissions on the phone that were unnecessary for its function.

  The survey also found that permission to read location information and to access contacts are the permissions most commonly requested when installing and using mobile apps, and that permissions for call logs, SMS records, the camera and microphone recording are also frequently required.
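  The cases above (a flashlight app asking for the microphone, a mirror app reading contacts) are exactly what a review of an app's permission manifest catches before the user ever sees a prompt. The following is an added example, not code from the article or from any company or app named in it, and it assumes Android: it parses an AndroidManifest.xml, extracts the requested permissions, and flags every permission in Android's "dangerous" protection level that a hypothetical per-function baseline does not justify. The permission names are real Android permissions; the baseline policy and the two manifests are constructed for the example.

```python
"""Audit an Android manifest for dangerous permissions beyond an app's stated function.

Added example (not the article's or any vendor's code). The baseline of which
permission groups each kind of single-function app plausibly needs is the auditor's
own assumption; the two manifests below are constructed inputs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions at the "dangerous" protection level (the ones that
# trigger a runtime prompt), grouped the way the Android docs group them.
# Subset chosen to cover the categories the survey mentions.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
}

# Hypothetical baseline (assumption, not an Android or regulatory definition):
# permission groups a single-function app of each kind can justify.
BASELINE = {
    "flashlight": set(),        # toggling the torch needs no dangerous permission
    "mirror": {"CAMERA"},       # a mirror app is the front camera and nothing else
    "navigation": {"LOCATION"},
}

# Constructed manifests modelled on the two cases in the article.
FLASHLIGHT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

MIRROR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mirror">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"   # attribute is in the android: namespace
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def excess_permissions(manifest_xml: str, function: str) -> dict[str, str]:
    """Map each dangerous permission the app's function does not justify to its group.

    Normal-level permissions (e.g. INTERNET) are ignored: they are not what the
    survey counts as privacy-related permissions.
    """
    allowed = BASELINE[function]
    excess = {}
    for perm in requested_permissions(manifest_xml):
        group = DANGEROUS.get(perm)
        if group is not None and group not in allowed:
            excess[perm] = group
    return excess


def report(manifest_xml: str, function: str) -> str:
    """One-line human-readable verdict for a manifest."""
    excess = excess_permissions(manifest_xml, function)
    if not excess:
        return f"{function}: no dangerous permissions beyond its function"
    groups = ", ".join(sorted(set(excess.values())))
    return f"{function}: asks for {len(excess)} unjustified permission(s) in groups {groups}"


if __name__ == "__main__":
    print(report(FLASHLIGHT_MANIFEST, "flashlight"))
    print(report(MIRROR_MANIFEST, "mirror"))
```

  On a real APK the manifest is stored as binary XML; decoding it with apktool yields the plaintext AndroidManifest.xml this parser expects. The baseline is deliberately per-function, which is the same judgement Huang Xiaolin describes later in the article: a multi-function app legitimately needs more groups, so the review is of each declared function against the permissions requested for it, not of the raw permission count.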

  Zhu Wei, deputy director of the Communication Law Research Center at China University of Political Science and Law, has first-hand experience of apps' excessive access to privacy. He once installed a well-known app on his phone but uninstalled it because it kept sending advertisements. After uninstalling it, he still received SMS advertisements from the app's platform from time to time, sometimes even tailored to his city. Zhu Wei guessed this may be because, when he first used the app, the user agreement had let it obtain too many privacy-related permissions.

  Wang Yuwei, a partner at Guantao Zhongmao (Shanghai) Law Firm, believes that because many enterprises have long-standing bad practices, both their own legal compliance and government enforcement take time and money, while the economic gains from over-collecting information are attractive. These factors have made the relevant laws hard to implement.

  Huang Xiaolin, head of the Data and Privacy Center in Tencent's Legal Department, pointed out that the problem of apps obtaining too many and overly broad user permissions has existed for a long time, and that it is improper for some apps to obtain users' sensitive permissions beyond the necessary scope. The reason for this, however, is that the legal risk they face may be far smaller than the commercial benefit they can obtain.

  Huang Xiaolin added that many apps integrate multiple functions and add still more in later iterations, and ask for more permissions in order to implement them. In such cases a concrete judgement about each app's specific functions is needed to determine whether it has obtained excessive user permissions and whether it is compliant.

  How effective will it be? App security certification gets under way.

  In view of apps' excessive acquisition of privacy-related permissions, on March 15th, World Consumer Rights Day, the State Administration for Market Regulation and the Cyberspace Administration of China jointly issued the Announcement on App Security Certification and designated the China Cybersecurity Review Technology and Certification Center (ISCCC) as the official certification body, which is to formulate technical verification specifications for app security certification in accordance with the national standard Information Security Technology - Personal Information Security Specification (GB/T 35273).

  China Youth Daily and Zhongqing Online reporters learned that the channels for the above app security certification officially opened on March 21st. Certification is voluntary and follows the model of "technical verification + on-site verification + post-certification supervision". Search platforms and app stores will be encouraged to recommend certified apps preferentially. The specific technical verification specification for personal information security in apps has been drafted and will be disclosed to the institutions involved in verification.

  As a privacy-protection practitioner at an Internet company, Huang Xiaolin is fairly optimistic about the certification. "It will have a quite positive effect on the whole industry and on individuals and privacy protection (in this respect), and will lead enterprises to pay more attention to this area."

  Huang Xiaolin also pointed out that there are a great many apps on the market, and it remains to be seen whether enterprises will spend the time and money to participate. For the apps and companies holding most of the market share, however, this is a process of self-correction that may push enterprises toward compliance at the source. He hopes that, with more technical means, this kind of app security certification can become more automated and efficient, and even as widespread as anti-virus software, further promoting the compliant operation of apps.

  As a lawyer who has long followed the field of privacy protection, Wang Yuwei said that app security certification is a market-regulation approach to governance and will diversify the means of privacy governance. He also pointed out that although the framework of the certification has been set, many of its boundaries are still not clear enough. For example, the concept of a "major information security incident" appears in the detailed rules, but current law has no clear provision on how such an incident is defined.

  Staff of the China Cybersecurity Review Technology and Certification Center (ISCCC) told China Youth Daily and Zhongqing Online reporters that there is currently no clear definition of that concept, and that some assessment guidelines related to personal information security will serve as the criteria. Judging from the published rules, supervision of certified apps relies mainly on enterprises' self-inspection, supplemented by public supervision, while third-party supervision is very limited. And because certification is voluntary, how to manage apps that have not been certified has not been fully and effectively resolved.

  Encourage checks and balances! The technical community looks for solutions.

  The technical community is also paying attention to the privacy-protection problems brought by the development of big-data technology and studying corresponding solutions.

  On March 23rd, at the China Computer Federation Young Computer Scientists and Engineers Forum (CCF YOCSEF) special discussion "In the era of artificial intelligence, must privacy and efficiency be irreconcilable?", some technologists said that blockchain-based privacy protection has been tried in Hangzhou and elsewhere. The general idea is to conduct data transactions on a public chain and to protect the data with encryption on a consortium chain.

  On the use of blockchain technology for privacy protection, Meng Xiaofeng, a professor at Renmin University of China, pointed out that decentralised, traceable blockchain technology is a direction worth studying, since it helps with tracing and accountability after a privacy leak. However, because the technology is immature and inefficient, its use for privacy protection is still at the exploratory stage, and blockchains are also expensive to use, so it is uncertain whether regulators or enterprises will adopt it.

  As a practitioner on the technical side, Pei Zhiyong, director of the 360 Industry Security Research Center, believes that using blockchain or big-data technology to monitor privacy leaks is technically feasible, but in practice it faces high costs and still needs a great deal of manpower.

  At the same forum, Pei Zhiyong proposed bringing the "three-party checks-and-balances principle" currently applied in cloud computing into app security supervision: separate the owner, the operator and the manager of privacy-related personal data so that no single party is both referee and player; commercialise this checks-and-balances capability; and encourage the rapid growth of an industry that can check and balance enterprises' use of user data, forming long-term, sustained, market-based supervision.

  As a legal scholar, Zhu Wei endorsed Pei Zhiyong's proposal. "Nobody can be both player and referee, neither the government nor the enterprise." He believes the forthcoming Personal Information Protection Law needs to draw a bottom line so that the protection of personal information truly returns to the individual's own rights. On that basis, more and more workable methods can be found through competition and mutual checks and balances among enterprises. (Reporter Wang Lin; Intern Sun Ji)