In-depth | 657 apps have been notified of violations by the Ministry of Industry and Information Technology: how many are "eavesdropping"?

  Have you ever finished chatting with someone and, soon afterwards, received related recommendations or advertisements in an app?

In recent days, "Do apps eavesdrop?" has become a hot topic; behind the joking, netizens are full of concern about the safety of their personal information.

  On February 5th, at the App Personal Information Protection and Supervision Symposium held by the Ministry of Industry and Information Technology, Vice Minister Liu Liehong said that some instant messaging tools, input methods and map navigation apps, after using microphone permissions to read text input content, go beyond the user's permission (in using information) in "other ways", which brings hidden risks.

  In fact, collecting users' personal information in violation of regulations is the most common way in which apps infringe users' rights.

The Paper (www.thepaper.cn) compiled the lists of the 11 batches of illegal apps publicly notified since the Ministry of Industry and Information Technology launched its special rectification action, and found that 657 apps have been "named". Popular apps from various life scenarios, such as UC Browser, 360 Cleanup Master, Dada Kuaisong, Yonghui Life, Mango TV and QQ Input Method, are on the list; among the 16 types of apps, tool apps were "named" most often, accounting for 15.68%.

Among the 167 apps that were removed, tool apps also made up the largest share, accounting for 16.67%.

  Statistics show that more than 50% of the issues involved in the 657 notified apps concern "collecting user personal information in violation of regulations", while "apps forcibly, frequently and excessively requesting permissions" and "using user personal information in violation of regulations" each accounted for about 20% of the notified apps.

  In addition, the 11 batches of tests organized by the Ministry of Industry and Information Technology found that the notified apps came from 24 app stores, with Tencent App Store, Pea Pod, OPPO Software Store, 360 Mobile Assistant and Xiaomi App Store as the five main application platforms, accounting for 24.60%, 11.27%, 10.83%, 10.25% and 9.81% respectively.

  User personal information has always been regarded as "Tang Monk meat" by app service providers. Whether commercial entities use it to "acquire customers" or it is used to carry out telecom fraud after being leaked, user personal information collected in violation of regulations becomes the underlying data.

In recent years, various parties have sought "good prescriptions" through legislation, supervision, industry self-discipline, technical measures and users' self-protection awareness, putting a "tightening curse" on illegal apps to prevent them from infringing on user rights.

Personal information becomes "Tang Monk Meat"

  "Netizens reported that they had just talked about a certain topic and soon received relevant advertisements in a certain app. Users were very confused about this. This topic has also become the issue users are most concerned about, and it ranked No. 1."

  On February 5th, at the App Personal Information Protection and Supervision Symposium held by the Ministry of Industry and Information Technology, Vice Minister Liu Liehong said that some instant messaging tools, input methods and map navigation apps, after using microphone permissions to read text input content, go beyond the user's permission (in using information) in "other ways", which brings hidden risks.

  In fact, users' personal information has always been regarded by app service providers as "Tang Monk meat".

The reporter's statistics found that, among the 657 apps notified by the Ministry of Industry and Information Technology, more than 50% of the problems involved were "collecting user personal information in violation of regulations."

  "Most of this is to collect users' economic status, consumption preferences, activity areas and other information, to carry out detailed portraits of users to support product development and updates, or to accurately push advertisements." Huang Jianbang, deputy chief of the Cases Division of the Internet Police Corps of the Guangdong Provincial Public Security Department, once described the collection of user information beyond the necessary scope in these terms.

  The reporter found that an online infringement liability dispute decided by the Chengdu Intermediate People's Court in October 2018 confirmed that some apps use the collected information to push advertisements in order to "acquire customers."

  The court found that the developer of the Zaodao app was Shanghai Hehe Information Technology Development Co., Ltd., which was also the developer of the Scan Almighty King app. He Moulu had downloaded and registered the Scan Almighty King app, and Hehe Company collected He Moulu's mobile phone number through that app.

  After obtaining the information, the company sent He Moulu a text message reading: "[Zaodao] He Moulu. A former colleague rated you as 'professional and reliable' and recommended 107 personal connections to you. There are 19 friends waiting for you. cc. co/OypRubuV3m To complain or unsubscribe, reply TD".

He Moulu sued the company for infringement over its collecting his personal information and sending him commercial advertisements.

  Another second-instance civil judgment in a privacy dispute, decided in December 2020, directly disclosed that some apps "collect user personal information in violation of regulations."

  The court found that Le Element Technology (Beijing) Co., Ltd., developer of the app "Daily Xiaoxiaole", did not clearly state the purpose, method and scope of the information it collected and used, nor did it provide users with the relevant content of a "Privacy Policy". Neither on the game login interface nor while users used related functions did it adopt any other method to notify them that personal information was being collected.

Without the explicit authorization of the user Liu Mobo, it was found to have "opened the mobile phone application permissions in full and called the user's personal mobile phone location information".

  Beyond commercial activities, some of the user personal information that apps collect in violation of regulations ultimately provides a breeding ground for telecommunications fraud.

  According to an article released a few days ago by the Cyber Security Corps of the Beijing Municipal Public Security Bureau, during the epidemic some illegal apps operated in the name of epidemic surveillance and collected and used personal information without authorization and beyond the necessary scope, exposing users to the risk of personal information leakage and abuse.

Leakage of personal information is a key factor in the success of fraud. With an accurate grasp of users' personal information, criminals can fabricate more deceptive scenarios and carry out fraud.

  To this day, the Minister's mailbox of the Ministry of Industry and Information Technology still receives, from time to time, user complaints about apps illegally collecting users' personal information.

Looking only at the messages from February 2020 to February 2021, the reporter found that apps including the software pre-installed on Xiaomi's mobile phone system, 58.com, Pinduoduo, Zhihu, Jingdong Mall, Thunder, QQ, NetEase Mail and Alibaba Cloud appear in the complaint list.

  In fact, with regard to the illegal collection and use of personal information by apps, the Secretariat of the State Internet Information Office, the General Office of the Ministry of Industry and Information Technology, the General Office of the Ministry of Public Security, and the General Office of the State Administration for Market Supervision have jointly issued a notice on the "Method for Confirming Illegal Collection and Use of Personal Information by Apps".

  It clearly states six types of behavior that constitute collecting and using personal information in violation of laws and regulations: "not disclosing the rules for collection and use; not clearly stating the purpose, method and scope of the collection and use of personal information; collecting and using personal information without the user's consent; violating the principle of necessity by collecting personal information unrelated to the service provided; providing personal information to others without consent; and failing to provide functions for deleting or correcting personal information in accordance with the law, or failing to publish information such as complaint and reporting methods."

  Phenomena common in our lives, such as "using users' personal information and algorithms to push targeted information without providing an option for non-targeted pushing" and "requiring users to agree to open multiple permissions for collecting personal information at one time, with users who do not agree being unable to use the app", are also considered illegal collection.

  The reporter noticed that the Ministry of Industry and Information Technology has published a set of data that gives a glimpse of how serious the illegal collection of personal information is.

  Among the 3480 reports about the illegal collection and use of personal information by apps, 26% of apps have no privacy clauses, or their privacy clauses do not specify the purpose, method and scope of personal information collection; 31% of apps do not clearly inform users when applying to open permissions related to collecting personal information; 20% of apps collect personal information that has nothing to do with business functions, such as financial lending apps that collect user address books; 19% of apps provide personal information such as device IDs and application lists to others without user consent; 13% of apps forcibly request permissions that have nothing to do with business functions, such as calculator and flashlight apps that force geographic location permissions.

  "Driven by commercial interests, some apps illegally obtain user input information such as voice, text, and pictures without the user's consent, carry out big data aggregation analysis, build user portraits, and push precisely targeted advertising, which makes users uneasy and even anxious," Deputy Minister of Industry and Information Technology Liu Liehong said at the supervisory forum on February 5.

  Users' unease stirred up heated public discussion, and the relevant departments drew the "supervisory blade".

  Amid the heated discussion of "whether apps eavesdrop on users", on February 5 the Ministry of Industry and Information Technology, in its notification for the "2nd batch of 2021, 11th batch" overall, for the first time addressed the "microphone, address book and photo album permission issues of recent social concern" and publicly notified 26 apps that had not completed rectification; apps such as QQ Input Method, Ink Weather, WeChat Business Input Method and Voice Bar were named for collecting personal information in violation of regulations or beyond the necessary scope.

  This is also seen as a clear signal from the regulator that "regulation is becoming stricter and responding to concerns" over the illegal collection of user personal information.

Over 50% of illegal apps involve "collecting user personal information in violation of regulations"

  In response to apps infringing users' rights, typified by the illegal collection of user personal information, the Ministry of Industry and Information Technology decided in November 2019 to organize, for the first time, a special rectification action against app infringement of users' rights and interests.

The action moved into an "in-depth" phase in July of the following year.

  In July 2020, the "Notice of the Ministry of Industry and Information Technology on Further Advancing the Special Rectification Action against App Infringement of Users' Rights and Interests" further clarified that the targets of the rectification are "app service providers, software development kit (SDK) providers, and application distribution platforms".

  "Enterprise self-examination and self-correction, supervision and inspection, and disposal of results" are the three stages of the special rectification action carried out by the Ministry of Industry and Information Technology against app infringement of users' rights and interests, and are also the steps for putting a "tightening curse" on illegal apps.

  Self-inspection and self-correction is carried out by app service providers and distribution service providers on their own initiative; in supervision and inspection, the Ministry of Industry and Information Technology organizes third-party testing agencies to conduct technical testing and inspection of apps, covering big app products and distribution platforms.

  In the result disposal stage, the Ministry of Industry and Information Technology uniformly notifies the problematic apps and deals with them in accordance with laws and regulations. Specific measures include ordering rectification, making public announcements, organizing app removals, stopping app access services, imposing administrative penalties, and including violating entities in the list of bad business operations or dishonest telecommunications businesses.

  According to The Paper's incomplete statistics, since the Ministry of Industry and Information Technology launched the rectification action in November 2019, 657 apps that infringe on user rights have been "named" across 11 batches.

  Notifications are issued roughly once a month, and the number of apps notified follows an "M" shape.

The two peaks appeared on October 27, 2020 and January 22, 2021. The largest single notification was "the first batch in 2021, the 10th batch in total", with 157 apps "on the list."

  The 657 notified apps span 16 categories, including education, life services, games, social, and medical and health. Tools are the largest category, accounting for 15.68%; education, life services, live video, games, transportation, e-commerce shopping and social follow closely, each accounting for between 7% and 9%; the maternal-and-child/parenting and recruitment categories are smaller, each accounting for less than 2%.

  Most apps are rectified promptly after being notified and few are notified again, but 26 apps, including 360 Cleanup Master, Dingda Travel and Qianqian Music, were named twice.

  As for the issues involved in the notified apps, the November 2019 "Gongxin Guanhan [2019] No. 337" rectification notice divided the issues involved in illegal apps into four categories and eight subcategories: "collecting user personal information in violation of regulations, using user personal information in violation of regulations, unreasonable requests for user permissions, and making account cancellation difficult." The first five batches of notifications followed this classification.

  In July 2020, the "Ministry of Industry and Information Technology Xinguanhan [2020] No. 164" rectification action notice divided the problems into four major categories and ten sub-categories: "apps and SDKs processing user personal information in violation of regulations; setting barriers and frequently harassing users; deceiving and misleading users; and inadequate implementation of application distribution platform responsibilities". The last five batches of notifications followed this adjusted classification.

  Combining the above two classifications and for convenience of statistics, the reporter divided the issues involved in illegal apps into 6 categories: "collecting user personal information in violation of regulations, using user personal information in violation of regulations, apps forcibly, frequently and excessively requesting permissions, deceiving and misleading users, inadequate implementation of application distribution platform responsibilities, and setting up barriers to user account cancellation".

  According to incomplete statistics, the problems of most apps fall within 3 categories, but 15 apps, such as King Glory Assistant, Flash Delivery and Bingo Elimination, have violations in 5 or more categories.

More than 50% of the violating apps involved "collecting user personal information in violation of regulations", while "apps forcibly, frequently and excessively requesting permissions" and "using user personal information in violation of regulations" each accounted for about 20% of the reported apps. The remaining problems are relatively rare.

  After each batch of notifications is issued, the Ministry of Industry and Information Technology organizes a third-party inspection agency to review and re-inspect; apps that have not completed rectification as required, or have not rectified by the deadline, are notified again and removed from app stores.

  According to the reporter's incomplete statistics, the multiple batches of removal lists published on the official website of the Ministry of Industry and Information Technology involved a total of 169 apps, and Strawberry Video was the only app that was notified twice.

The tools category is still the largest among the removed apps, accounting for 16.67%; life services, e-commerce shopping, games, video live streaming, and social apps follow closely behind, each accounting for 8%-11%; educational apps, which appear more frequently in the rectification notices, are removed less often.

  In addition, the eleven batches of inspections organized by the Ministry of Industry and Information Technology found that the notified apps came from 24 app stores, with Tencent App Store, Pea Pod, OPPO App Store, 360 Mobile Assistant and Xiaomi App Store as the five main application platforms, accounting for 24.60%, 11.27%, 10.83%, 10.25% and 9.81% respectively.

  In this regard, the Ministry of Industry and Information Technology has urged the relevant platform companies to strictly implement the requirements of the "Interim Provisions on the Management of Preset and Distribution of Mobile Smart Terminal Application Software" and to fulfil their primary responsibility as enterprises.

  "A total of 620,000 apps have been technically tested, and 2,234 apps that violate regulations have been ordered to carry out rectification." On January 26, 2021, at a press conference held by the Ministry of Industry and Information Technology on the development of industry and informatization in 2020, Bureau Director Zhao Zhiguo released data on the special operations carried out over two consecutive years.

  However, according to public information, the number of apps detected in China's domestic market exceeds 5 million, and this number is still growing.

In this regard, the national app technology testing platform developed by the China Academy of Information and Communications Technology has been launched; it seeks to integrate the technical testing capabilities of leading companies and to reach the goal of testing 1.8 million apps over the full year of 2021.

Low cost of illegality? App governance requires a combination of punches

  How can a "tightening curse" be put on illegal apps to prevent the infringement of user rights?

In recent years, many parties have sought "good prescriptions" through legislation, supervision, industry self-discipline, technical measures and users' self-protection awareness.

  The reporter noted that, in addition to the raising of the "supervisory blade", a series of laws and regulations have been promulgated and improved in recent years, such as the "Cyber Security Law", the "Personal Information Protection Law", the "Data Security Management Measures", the "Measures for the Security Evaluation of Personal Information Outbound", the "Several Regulations on Regulating the Order of the Internet Information Service Market", the "Provisions on the Protection of Personal Information of Telecommunications and Internet Users", and the "Interim Provisions on the Management of Application Software Preset and Distribution of Mobile Smart Terminals", which also try to tighten the "system fence" of personal information protection and to standardize order.

  The latest news also shows that, with phenomena such as apps forcing authorization, making excessive requests and collecting personal information beyond the necessary scope occurring in large numbers, and with the problem of illegal use of personal information prominent, the "Interim Regulations on the Management of Personal Information Protection for Mobile Internet Applications" will be issued soon.

  There are 22 articles in the "Interim Regulations".

App developers, app distribution platforms, app third-party service providers, manufacturers of mobile terminal telecommunications equipment, and network technology service providers are targeted for key supervision, and the general requirements and obligations for personal information protection that these five types of entities should follow are specified.

If a relevant entity violates the regulations, it will be dealt with through the process of notice to rectify, public notification, removal from the shelf, and disconnection of access.

  In addition, in response to some companies' evasion, obstruction and deliberate delay during rectification, the supervisory authority convened the principals of major commercial entities that hold large amounts of internet user information and urged them to state their positions publicly.

  On November 27, 2020, at the National App Personal Information Protection Supervision Conference, the principals of 11 internet companies, including Suning Holdings, Ant Group, iQiyi, 360, Xiaomi Group, Sina Weibo, Kuaishou, Bilibili, Didi, Alibaba Group and Baidu Group, made public commitments on strengthening user rights and personal information protection, standardizing information collection and use models, establishing and improving complaint feedback mechanisms, and fulfilling corporate responsibilities and legal obligations.

  "We must take the rectification of app infringement of users' rights and interests as the core work of each company, and the top leader should take the overall responsibility." At the supervisory forum on February 5, Liu Liehong said that measures such as cessation of access, administrative penalties and credit management are adopted to deal with companies and apps that ignore orders, rectify incompletely, relapse repeatedly, or engage in technological confrontation.

  However, actual cases show that relying only on supervision, legislation, and enterprises conscientiously fulfilling their primary responsibility cannot solve the problem once and for all.

  At the supervision symposium on February 5, Liu Liehong also frankly said that it is necessary to make good use of a combination of comprehensive governance measures and the collective efforts of the whole society.

"Multi-party governance and coordinated efforts." In the reporter's interviews, a number of experts in the field of protecting users' personal information security also gave the same opinion.

  "The current situation is that we have enacted the law, but the law is too loose." In an interview with The Paper, information security expert He Zhanqiang said that introducing laws and regulations is only the first step in rectifying illegal apps; to minimize the possibility of personal information leakage, improving the penalties in the relevant laws and regulations is the key.

  He believes that the deterrent effect of issuing an announcement every month is indeed limited. Many app developers can go back online after changing the version, and the heaviest penalty is only a fine of several hundred thousand yuan, so the cost of violations is far lower than the revenue from them. Many app operators with state-owned backgrounds also violate regulations, which is also one of the reasons for "lacking legislation."

  "Some App developers have violated the law. It is useless to rely solely on the Ministry of Industry and Information Technology to report them. Substantive penalties are required, such as fines, market bans, and even sentencing." Fu Liang, an independent communications expert, said frankly to The Paper.

  According to Liu Qicheng, editor-in-chief of All Media of Communication World, in addition to the penalties being small, users do not pay attention to the leakage of their own data, which also leaves room for apps' repeated violations. The controversial view voiced by Robin Li, "privacy for convenience", can be seen everywhere in China.

Users need to have a sense of self-protection and rights protection, reduce the use of non-essential apps, and unite to say "no" to unscrupulous manufacturers that request excessive information.

  In an interview with the media, Liu Quan, director of the Cyber Security Institute of CCID Think Tank, suggested that the boundaries of personal information collection should be further refined, that the scope of user permissions obtainable by apps of different types and in different application scenarios should be "clarified" through supporting standards and specifications, and that developers should be guided to obtain only permissions related to business functions, reducing operators' room for discretion.

It is also possible to establish a reward and punishment mechanism to allow application stores to actively participate in the review work.

  From a technical perspective, measures can be considered at the level of the mobile terminal system, such as prohibiting permissions from being opened automatically before app installation and monitoring the opening of permissions through application logs after installation.

If an app illegally collects personal information, for example by "eavesdropping" or "peeking", the system prompts the user in some way.

  Similarly, "China Electronics News", after synthesizing the opinions of multiple experts, wrote that in protecting personal privacy data, data exporters, data collectors and platform regulators all need to bear corresponding responsibilities.

  App developers and operators should, on the one hand, strengthen self-discipline, carefully study the relevant laws and regulations, and strictly abide by basic principles such as informed consent and minimum necessity; on the other hand, they should also raise their awareness of network security to prevent security risks such as data theft, illegal crawling, and leakage during collection and transmission.

As for app store platforms, they need to further establish a sense of responsibility, standardize app review and release mechanisms, strengthen the operating system's permission management capabilities, and actively apply new technologies to improve supervision efficiency.

  Individual users need to strengthen their self-protection awareness while using apps, treat the collection and use of personal information with caution, and be ready to reject unnecessary permission requests.

  "App users should increase their awareness of personal information protection and become mindful internet users." A graduate student in artificial intelligence at Xi'an Jiaotong University told reporters that, leaving aside apps secretly reading user information, when he now opens an app and sees that it wants to obtain information such as the address book, location, camera, photos or microphone, he first thinks about whether this is necessary for normal use of the app. Some requests are completely excessive, and refusing them does not affect normal use.

"Doing so is to 'lock up' personal information."

  (Source of original data for this article: official website of the Ministry of Industry and Information Technology)

  The Paper Journalist Zhao Siwei and intern Duan Jingwen