Unreasonable requests for user permissions deserve vigilance

Sixteen apps infringing users' rights and interests were notified

  Reporter Bai Chuxuan

  Our reporter Wen Lijuan

  The issue of mobile apps making "cross-border" permission claims, that is, requesting permissions beyond what their services need, has once again attracted attention.

  Recently, the website of the Information and Communications Administration of the Ministry of Industry and Information Technology published the “App Notification on Infringement of User’s Rights and Interests (First Batch in 2020)” (hereinafter referred to as the “Notification”). Sixteen apps, including Dangdang, Dadao, WiFi Manager and Zhihu Daily, were named. Earlier, in December 2019 and January 2020, the Ministry of Industry and Information Technology had published two batches of apps that violated the rights and interests of users (56 apps in total) and removed three apps that had not made corrections by the deadline.

  The Notification shows that the infringements include illegal collection of users' personal information, illegal use of users' personal information, unreasonable requests for user permissions, and obstacles to account cancellation. Among them, unreasonable requests for user permissions are the main form, including excessive permission requests, refusing to let the app be used unless permissions are granted, and frequent permission requests.

Permission content is varied

Cross-border claims are quite common

  A "Legal Daily" reporter learned from the website of the Internet Information Office that, as of the end of December 2019, the number of apps monitored in the domestic market was 3.67 million, and the total number of app distributions through third-party application stores in China reached 950.2 billion.

  "Apps want to get your location, contacts, camera permissions..." When you open a newly downloaded app, it will usually show prompts requesting permissions. Common application permissions include storage permissions, location permissions, address book permissions, SMS permissions, camera permissions, microphone permissions, calendar permissions, etc.

  Some permissions are needed to guarantee the normal use of an app. For example, navigation software needs the location permission to locate the user and navigate, retouching software needs the camera permission to use specific photos, and voice communication software needs the microphone and camera permissions to support voice and video calls.

  Some permissions make an app more convenient to use. For example, social software can find more contacts by obtaining the address book permission, and apps that verify users by SMS need the SMS permission to fill in the verification code automatically. However, some permission requests are unreasonable.

  Mobile user Mr. Zhang told the "Legal Daily" reporter that after downloading a social app, he was asked to grant more than 10 permissions including location, address book, SMS, camera, album, video, microphone, etc. Many of them involve privacy, but without authorization the software cannot be used, which confused him.

  Mobile phone user Ms. Zhao said that when she used a video app, the software still required the permission to make calls and the location permission, although communication and positioning are not used.

  A search on Baidu's homepage for the keyword "requesting user permissions" turns up many related discussions on major websites and forums.

  On May 15th, the Notification was published on the website of the Information and Communication Administration, and 16 apps were named. Among them, Dangdang, e-generation driving, Qianqian music, Hui car rental, TV home, color TV, Qi Mao free novels, WiFi housekeeper, Dajie and Heyou were found to have unreasonably requested user permissions.

  A reporter from “Legal Daily” downloaded the “Hui Rent-a-Car” app to try it out and found a pop-up window reading “'Hui Rent-a-Car' would like to send you a notification”, followed by an “Allow 'Hui Rent-a-Car' to use wireless data” pop-up window and a pop-up reminding the user to read the "Terms of Use" and "Privacy Policy" before use. Here you can only choose "Agree, continue to use" or "Disagree, quit."

  Zheng Ning, deputy director of the Faculty of Law of the Faculty of Communication, China University of Communications, told the Legal Daily reporter that, in general, during the installation and use of an app, only the necessary permissions may be sought, with the user's consent. On mobile phones using the Android system, the following permissions are most commonly called. The first is "read the list of installed applications", which makes it possible to understand and analyze the user's usage habits; the second is "read the local identification code", which is mainly used to determine the identity of the user; the third is "read location information", which collects the user's range of activities by acquiring the location; navigation software, for example, must obtain this permission.

  "If the information collected by the mobile App is not related to the services it provides, it will constitute a cross-border claim." Zheng Ning said.

Cannot be used without authorization

Users can only be forced to accept

  Application permissions are the most direct way to collect the personal information of mobile phone users. Once a user agrees to the use of a specific permission, personal information may be obtained at any time, which is not conducive to the protection of personal privacy.

  The "2019 China Privacy Risk Index Analysis Report" released by the team of Professor Meng Xiaofeng of the Network and Mobile Data Management Laboratory of Renmin University of China shows that the average number of installed apps in 2019 increased by 14.81% year-on-year, and the average user permission data leakage increased by 15.46% year-on-year. At present, the risk of personal privacy leakage for Chinese users has not been effectively controlled and is still increasing substantially. The overall privacy growth rate is positively correlated with the average number of apps installed per user and the average user permission data leakage.

  The “Privacy Risk Index Analysis Report” released by the team in 2018 once pointed out that there are nearly 40 types of permissions for the App, but most of the permissions do not match the normal needs of the App to realize the functions.

  It can be seen in the Notification that unreasonable requests for user permissions include refusing to let the app be used unless permissions are granted and excessive permission requests. In addition, frequently requesting permissions is also an unreasonable request for user permissions.

  From the perspective of app developers, obtaining user permissions makes it possible, with the support of big data, to provide users with more accurate "customized" services. Therefore, in order to attract users and tap user needs, requesting and using system permissions to collect personal information and analyze users has become a norm in the era of big data and the Internet.

  However, driven by commercial interests, some developers and merchants may unreasonably request user permissions and infringe on users' privacy rights.

  An App service provider told the "Legal Daily" reporter: "In the era of big data, of course, the more permissions you get, the more personal information you collect." He used the mobile phone's handset permission as an example: once the user has mentioned an item they want to buy, the app can obtain that information through the handset and then push the corresponding advertisement when the user uses the app.

  If the account passwords, contact list, photos, videos, etc. stored on a user's mobile phone are unreasonably obtained by an app, the user faces the risk of being "data hijacked". Take contact acquisition as an example. Once the contact information is leaked, users and their contacts may receive harassing calls and spam messages, and may even face fraud and extortion after the data is maliciously leaked.

  It is worth noting that a survey questionnaire of the Beijing Consumers Association shows that 41.16% of people never read the authorization notice before installing or using a mobile app. The “Report on the Investigation of App Personal Information Leakage” released by the China Consumers Association also shows that “cannot be used without authorization” is the main reason why respondents never read it.

  According to the survey results, among the 26.2% of respondents who never read application permissions, user agreements or privacy policies, the main reason for never reading them is that the app cannot be used without authorization, so they can only be forced to accept (accounting for 61.2%).

  In this regard, Chen Jiang, associate professor of the School of Information Science and Technology at Peking University, believes that, on the one hand, this is because some users do not understand the importance of application permissions for personal privacy rights; on the other hand, in many cases, if the user does not grant the permissions, the app will quit directly or automatically stop the service.

Urgent need to improve the legal norms

Protect citizens' information security

  The Cyber Security Law clearly stipulates that the protection of personal information must be strengthened: when collecting and using personal information, network operators shall follow the principles of legality, legitimacy and necessity, make their collection and use rules public, state explicitly the purpose, method and scope of the collection and use of information, and obtain the consent of the person whose information is collected. They may not collect personal information that is unrelated to the services they provide, nor collect and use personal information in violation of legal regulations or agreements with users.

  On January 25, 2019, the "Announcement on the Implementation of Special Governance for the Collection and Use of Personal Information for App Illegal and Illegal Application" was released, and it was decided to organize a nationwide special governance campaign on the illegal collection and use of personal information by apps from January to December 2019. Since then, in order to implement the deployment of the announcement, the relevant departments have established a special app governance working group.

  Since then, the "Guide to the Protection of Personal Information on the Internet", "Identification Methods for App Illegal Collection and Use of Personal Information", "Code for Information Security Technology and Personal Information Security", "Special Action Plan for Improving the Capability of Network Data Security Protection in the Telecommunications and Internet Industry" and other documents have been issued to identify and govern the illegal collection of personal information by apps.

  A reporter from Legal Daily found that, in order to strengthen the protection of personal information, from 2019 to the present the following have also been issued: "Basic Specifications for Collecting Personal Information on Mobile Internet Applications (Apps) (Draft)", "Data Security Management Measures (Draft for Comment)", "Personal Information Notification Consent Guide (Consultation Draft)", "Cybersecurity Standard Practice Guide-Mobile Internet Application (App) Self-assessment Guide for Collecting and Using Personal Information (Consultation Draft)" and "Network Security Standard Practice Guide-Mobile Internet Application (App) Individual Guidelines for Information Security Prevention (Draft for Comment)".

  Yang Lixin, a professor at the School of Law of Renmin University of China, believes that at present an infringement of citizens’ personal information must constitute a crime before criminal responsibility can be pursued, but sanctions for general infringements are still weak, and more specific legislative measures should be taken so that violations of personal information are identified as infringements and pursued for damages.

  Wu Shenkuo, Executive Director of the International Center for the Rule of Law of the Network of Beijing Normal University and Secretary-General of the Research Center of the China Internet Association, also believes that it is necessary to strengthen and improve the legislation. "The laws and regulations are relatively scattered, so the promulgation of the Personal Information Protection Law and the Data Security Law cannot be delayed."

  Wu Shenkuo said that bad network operators are a major threat to user information security, that effective supervision measures should be formulated and implemented against these operators, and that punishments that deter network operators should be increased so as to restrain, at the source, behaviors that jeopardize citizens’ information security. In addition, users should also pay attention to personal information security, improve their information security awareness, and enhance their ability to protect personal information.