The "book of rights" to ensure security, or the "arbitrary door" for stealing information

  ——Investigation on the status quo of App privacy agreements

  In the digital age, information technology is closely intertwined with production and life.

Mobile phone applications (Apps) are widely used in daily life, professional services, and social governance due to their convenience, professionalism, and other advantages. While bringing convenience to people, they also bring information security risks.

In recent years, there have been frequent incidents of app collection and use of user information in violation of laws and regulations. Reports have shown that over 70% of apps have excessive claims for rights, that is, obtaining user privacy rights in unnecessary circumstances, increasing the risk of personal information leakage.

How to balance the contradiction between the needs of informatization and digital development and the protection of personal information security has become an urgent problem to be solved.

In response, Guangming Daily, Wuhan University Law School, and Network Governance Research Institute formed a joint research team to conduct questionnaire surveys and in-depth interviews with 1,036 people, and analyze the privacy agreement status of 150 apps in 15 categories, and examine the privacy of individual users on apps. The use experience of the agreement, the specific manifestations of the infringement of user information rights and interests by the App privacy agreement, and the underlying reasons have been conducted in-depth investigations, and suggestions on how to further improve platform supervision and protect personal information.

  Open a newly installed App, the first thing that pops up is the "Privacy Agreement".

Do you have a few pages of agreement clauses rushed across at your fingertips without leaving a trace?

Did you quickly check "Agree, I have read these terms" without clicking on the content?

But have you ever thought that from the moment you click "Agree", you start "streaking" in the flood of information.

  App privacy agreement (also known as "Privacy Protection Guidelines", "Privacy Policy", etc.) is an agreement reached between users and companies on the collection and processing of personal information. The main content includes how the App collects, stores, and uses user personal information and related Security measures, as well as the rights of individuals to data and how to achieve them.

  As the first gateway for the App platform to collect and use user information, the privacy agreement is not only a "instruction" for the collection and use of personal information services, but also a "safety valve" to protect the interests of users.

But from a realistic point of view, the App platform is not optimistic about the protection of user privacy.

In May, the Office of the Cyberspace Administration of China issued a notice stating that 84 apps had problems in collecting and using personal information in violation of laws and regulations, including 36 apps for security management and 48 apps for online lending.

  How to treat a paper agreement and how to regulate it?

  1. The degree of standardization of privacy agreements is low, and the risk of infringement is high

  Lack of user risk awareness.

Xiao Wang is a sophomore majoring in law, and her mobile phone is full of various apps.

"Nowadays, social interaction, learning, and entertainment are all bound to mobile phones, and every bit of life cannot be separated from the screen between square inches." When asked whether she had read the privacy agreement carefully, she didn't care: "This kind of thing should not Someone will pay attention, I just skip it when I see this."

  The survey found that 77.8% of users "rarely or never" read the privacy agreement when installing the App, and 69.69% of the users would ignore the update prompt of the App privacy agreement.

Users generally do not pay much attention to the App privacy agreement, and are less sensitive to personal information rights, and there is a risk of privacy infringement.

  The App privacy agreement has a low degree of standardization.

Ms. Luo works in a state-owned enterprise and often uses news apps: "Many times I just want to install and use it quickly. I just clicked'agree' when I saw the privacy agreement. Occasionally, I opened it on a whim and found that the agreement is too long. Thousands of words, how can you read it."

  In the survey, 43.53% of users believe that the text of the privacy agreement is too small and the layout is too dense, making it difficult to read.

Among the 150 apps surveyed, nearly 30% (46/150) of apps have behaviors that create obstacles, deliberately hide and induce users to skip the privacy agreement, such as the font color is too light, the font size is too small, which makes it difficult to read; the text cannot be directly clicked Link, you need to cancel the default consent to jump to the interface, and so on.

Respondents' recognition of privacy agreements is at a low level.

  The infringement of personal information privacy by apps is widespread.

"There have been more and more strange calls recently. A sales call came up and reported my name, which shocked me. I don't know where I got my personal information." Many respondents in the survey They all said they have had similar problems. More than 60% of users of all ages have encountered threats such as spam messages and harassing calls. This is inseparable from illegal apps stealing user information and selling it to the middle and lower reaches of the gray industrial chain.

Some apps excessively request data access permissions, steal geolocation, address book, and other information that shouldn't be obtained, and provide them to third parties privately, and the middle and lower stream processes this information, causing personal information to flow to unscrupulous merchants.

Relevant departments also stated that online infringement cases have become more and more closely integrated with apps, and cases of extortion and online fraud have frequently occurred through the theft of private information such as personal address books and short messages.

  2. What infringements may be caused by an irregular privacy agreement

  "Withdrawal if you disagree", the authorization cannot be effectively withdrawn, and the user's personal information autonomy is infringed.

"When downloading a new app, I also tried to click'disagree', but the result was that I could only log out, and I couldn't use the app, so I could only click to agree." Ms. Zhu said.

But the easy-click "Agree" also caused trouble to Ms. Zhu. She accidentally discovered that a navigation app was reading her gallery, and was shocked to find out how to close the authorization permission. After no results, she could only uninstall the app, "I I’m really scared because the photos are private information. I didn’t notice that it had gallery permissions, and I didn’t know where my photos would go."

  "I also want to refuse, but I can't refuse." This single-choice "consent" has become a form of no choice.

The investigation found that the negative options are not obvious, and the forced withdrawal by clicking "disagree" has greatly discouraged users' enthusiasm to read the privacy agreement carefully.

Even if you question the content of the agreement after reading it, you cannot continue to use it on the basis of "disagreement". This meaningless so-called "choice" has become the main driving force for people to give up reading the privacy agreement.

  "Consent" is only the first step in the loss of information autonomy.

More than half of the users said that once the app used agrees to the privacy agreement, it is not allowed to revoke some or all of the authorization.

Only 52.7% of the 150 App privacy agreement texts surveyed allow users to withdraw their consent, and only allow the withdrawal to be achieved by canceling the account, but it is very difficult to cancel the account and even the method of canceling is not clearly marked.

Mr. He plans to deactivate a certain shopping App. He used his ID number and mobile phone number when registering his account. He applied for cancellation of his account and unbind his ID card because he was worried about information leakage, but the App customer service asked him to provide a photo of his ID card for review. , Mr. He felt unable to accept the provision of such sensitive information and ultimately could not cancel his account.

  The ambiguity or lack of privacy agreement content is widespread, which violates the user's right of informed consent.

Platform operators need to clearly inform the collection of personal information, application for system permissions, the update/effective date of the privacy agreement, and the notification method for changes to the privacy agreement.

However, in the survey, only 60.7% of the apps that clearly explained the professional terms contained in the privacy agreement (such as personal sensitive information, commonly used device information, network connection information, express consent, cookies) accounted for only 60.7%, and many stated their use as "in order to ensure normal Ambiguous terms such as "use", incomplete coverage, and the use of ellipsis, etc., have all created obstacles to users’ understanding.

In the investigation, many users believed that the privacy agreement was full of professional legal terms, even if they wanted to read it, they couldn't understand it, so they simply gave up.

  In addition, when the content of the privacy agreement changes, many apps do not indicate the notification method of the agreement update, and users cannot know whether the content has been updated in time.

Among the beauty apps surveyed, 40% did not indicate the update status, and the standardization was poor.

  The purpose of use is vague, collection beyond the scope, and excessive use are infringing on user privacy.

Some apps use comprehensive terms when collecting information, and there are expanded or general expressions such as "including but not limited to", "for example," "other information that XXX needs to obtain from users", "related information, etc.".

These agreements that do not clearly indicate the purpose of collecting and using the user's personal information, and express a general agreement, provide a huge space for infringement of privacy.

  In addition, the 25 App privacy agreements contain many collection items that are obviously not related to legitimate business, which is also the hardest hit area for privacy violations.

For example, the address book permission appears in the information that the map navigation app must authorize. The interviewee said: "The map needs to be located is very reasonable, but it asks me for the content of the address book more than once."

  Data sharing norms are general, and the risk of information leakage is high.

When Ms. Wu and her friend chatted on their mobile phones and talked about hoping to go camping somewhere in the near future, she received repeated advertisements for mountain camping supplies in multiple shopping apps within a few hours, and even the scenic area ticket advertisement appeared, "I check However, the software clearly stated that it will not analyze the content of my chat, but I think the App not only reads it, but also shares it with other software.” This shocked her and was also very worried.

  Due to the needs of business development, many apps will realize information sharing and collaboration with multiple parties. Enterprises often require users to agree to provide information to a third party. Users' personal information is transferred and shared among multiple apps, and the risk of information leakage is unpredictable.

According to the investigation, the App privacy agreement contains unclear descriptions of third-party objects (commonly expressed as "affiliated companies", "trusted third-party partners", etc.), unclear expressions of sharing purposes, unclear expressions of the scope of shared information, etc., general expressions Allow enterprises to enjoy greater freedom at the data sharing level.

  3. What factors "connivance" privacy agreements infringe personal information security

  There are still difficulties and gaps in the legislation for the protection of personal information.

At present, my country's personal information protection system is still in the development stage, and there is a situation of general regulations and lack of details.

Legislation often homogenizes and protects personal information indiscriminately, ignoring the industry characteristics of various apps.

For example, beauty apps and e-commerce apps have significant differences in the scope and methods of collecting and using personal information. Beauty apps involve some facial features and other biological information, while e-commerce apps require more personal credit and payment. Permissions, etc.

  At the same time, the lack of hierarchical "package" authorization for personal information urgently needs to be refined.

Mr. Wang, who teaches in a university, was once authorized to "deceive" once. After activating a monthly membership of a reading App, he found that there was a monthly fee deduction. After many inspections, it was found that it was the first time to activate the interface. It was discovered that "automatic renewal" was checked by default, and the password-free payment was turned on, causing him to be deducted multiple times without knowing it.

Although the current "informed consent" system runs through the entire process of information collection, processing, and utilization, the one-time full authorization is completed when the app is started.

Only 22 of the 150 App privacy agreements surveyed described the scenarios for requesting the user's second authorization.

  The distribution of supervisory powers and responsibilities needs to be further improved.

App supervision involves multiple departments, and the decentralized supervision of "Kowloon Water Control" has led to cross-division of labor, leading to duplication of supervision and lack of supervision.

Some previously established App special governance working groups notified companies to remove the shelves for rectification by regularly publishing a list of illegal and illegal apps. This kind of non-continuous "movement governance" requires a long review model, slow response, and weak strength.

At the same time, the news propaganda for this kind of special governance is insufficient, and it is difficult for users to know the results of App governance and privacy risks without active inquiries.

  In addition, the technical level of the administrative department lags behind the overall market level, making it difficult to meet the current regulatory needs.

Some apps have relatively high technical professional barriers. In the process of performing their duties, there are many situations in which regulatory agencies are caught in a dilemma due to insufficient technical capabilities, and their own regulatory capabilities are limited.

  Unified industry standards and compliance guidelines have not yet been formed.

The investigation found that the App privacy agreement has not yet formed a unified and strict industry standard in terms of technical specifications and supporting services.

Problems such as insufficient standardization of privacy policies, differences in the censorship systems of major application stores, and personal information leakage have existed for a long time.

Different industries or companies of different sizes in the same industry are affected by economic scale and compliance capabilities, and the privacy agreements they formulate are significantly different.

Among the 150 apps, mobile financial apps that process more sensitive information have a more complete privacy agreement than the market average.

This difference in strength is also reflected in the industry standard formulation process, industry giants use their influence to participate in the formulation, and small and medium-sized enterprises lack the right to speak.

As the number of apps continues to expand, a set of operating guidelines that are generally applicable to app privacy policy compliance review needs to be formed urgently.

  The contradictory dilemma between commercial use and information services.

Ms. Chen, who went to school in Wuhan, once browsed an online loan app. After several months in a row, she received a large number of online loan advertisements on different apps. “The app pushed me too many online loan advertisements. Deeper.” She borrowed on multiple platforms under the temptation of advertisements, and unknowingly fell into the trap of online lending, with huge losses.

Personal information has become the new "gold" for industrial innovation and market competition, and it has also become a "shortcut" for fraudulent activities, information leakage, and data monopoly.

  In the 150 apps surveyed, only 3 privacy agreements clearly stated the way to close the personalized algorithm.

Clues such as shopping cart records, credit information, movie viewing and chatting, location positioning and other clues outline everyone's preferences in an all-round way, such as freely spread books at a glance.

As soon as the reminder text message comes, you may receive a loan message text message in the next second; if the test fails, I will immediately introduce you to the training institution; if you want to whiten, your phone will be filled with whitening product information immediately.

  In particular, as biometric authentication information such as fingerprints and faces are collected in large quantities, some industries and enterprises have exceeded their personal authorization in the use of data to carry out operations such as technological development and resource exchange.

The industry’s high dependence on data conflicts with the public’s basic needs for basic services and personal information security.

Relying solely on corporate self-discipline can hardly break the dilemma between commercial use and privacy leakage.

  4. The privacy agreement governance system needs to be comprehensively improved

  Construct an institutional framework for the rational use and protection of App personal information from the three levels of comprehensive government governance, Internet platform obligations, and user information subject rights.

Relevant laws and regulations should be improved, and special regulatory agencies should be set up.

Prior to this, relevant departments have stated that they will issue and implement the "Interim Provisions on the Management of Personal Information Protection in Mobile Internet Applications" on the basis of fully absorbing the opinions of all sectors of society.

Uniform and detailed regulations on App privacy agreement text in terms of presentation methods, corporate rights and responsibilities, etc., to further construct a practical compliance review guide, or to open a breakthrough in the dilemma of privacy agreements.

  The platform side must put the implementation of the operator’s reminder obligation and the improvement of privacy protection technology on the agenda.

Specifically, first, the protection of personal information should be clearly stated in the privacy agreement.

Secondly, when modifying or terminating the terms of service or exempting from liability, users must be reminded in a reasonable way, using privacy-enhancing technology to integrate substantive privacy protection into corporate operations.

Furthermore, in terms of user experience, implement the principle of "informed consent", improve the selection mechanism, and set up a reasonable consent and withdrawal mechanism.

The status of the user subject should be fully protected, and the user should have the right to refuse requests for information collection and other requests made by the App. After the user refuses to authorize, the App should continue to provide other basic service functions. The user agrees to all requests.

Different levels of sensitivity of personal information should be classified, and the number, time, and methods of obtaining authorization for different levels of information should be differentiated.

  Improve the special legislation and market supervision rules for personal information protection, and promote the establishment of a new type of personal information protection and data security system by setting up special chapters to protect disadvantaged groups and adding new data rights.

Limited by the level of cognition and other reasons, the personal information of the elderly and minors is more likely to be violated by irregular privacy agreements, and legislative protection needs to be strengthened.

For the processing of personal information of minors under the age of 14, the draft personal information protection law has stipulated that the principle of "minors + parents" dual consent shall be applied.

At the same time, a similar inclined protection system should also be set up for vulnerable groups such as the elderly to strengthen the protection of specific users.

Scholars in the industry believe that legislation should be in line with the relevant provisions of the Civil Code, clarify all types of new data rights in personal information processing activities, including the right to know, the right to inquire, the right to correct, the right to delete, etc., and establish the acceptance of applications for individuals to exercise their rights And processing mechanism.

  Develop App privacy agreement guidelines to provide operational guidelines for companies, individuals, and market regulators.

The guidelines should stipulate the various norms that privacy agreements comply with in different contexts, which can not only provide a scientific basis for law enforcement officers to review and supervise, but also provide clear and reliable references for App developers and operators to help companies reduce the cost of information compliance. , Quickly benchmark against national and industry safety regulations.

Individuals can also judge the potential infringement risks of privacy agreements in accordance with this guide, and enhance their self-protection awareness of information security, which is conducive to the benign interaction between regulatory agencies, enterprises and individuals.

  Pre-review and supervision, starting from the source of App download and distribution to purify the market environment.

On July 4, due to serious violations of laws and regulations regarding the collection and use of personal information in the "Didi Travel" app, the Cyberspace Administration of China notified the app store to remove the "Didi Travel" app in accordance with the relevant provisions of the "Network Security Law of the People's Republic of China". It is required to make serious rectifications and effectively protect the personal information security of users.

The survey found that the current post-monitoring of apps on the app store is mainly liquidity ex-post supervision, and consideration should be given to shifting the focus of review from post-supervision to pre-supervision, and regulation should be carried out at the front end of app store downloads.

It is recommended that relevant departments work with application stores to study and formulate App online review and management standards, and use big data, artificial intelligence and other technologies to continuously improve the automatic detection capabilities, monitoring capabilities and data analysis capabilities of the App technology detection platform.

  (Author: Guangming Daily and Wuhan University Joint Research Team Members: Yuan Kang, Zhang Suhua, Ma Shanshan, Wang Jing, Wang Wenjuan, Shen Pengfei, Cui Chang)