The gray industry chain of face information raises concerns about information leakage or causes major property losses

How to prevent frequent disclosure of private information

  □ Our reporter Han Dandong

  □ Lin Yinting, our intern

  In recent days, the media reported that the illegal acquisition of identity information such as faces and the illegal production of “photo activation” network tools and tutorials by the media has attracted widespread attention. According to reports, this information is sold on Taobao, Xianyu and other online trading platforms, and the facial information sold is not just a face photo, but also includes personal identification information such as ID numbers, bank card numbers, and mobile phone numbers.

  What legal responsibilities should be borne for the sale of private data such as citizen information? How can citizens better protect their privacy? A reporter from the Rule of Law Daily conducted an interview.

Selling personal information online

Wanton violation of citizens' privacy

  Facial feature information, as highly sensitive information, is associated with personal identity, finance, behavior, location, preference and other information. When the information is leaked, it may cause people's personal property and cause major losses.

  During the interview, Zheng Ning, director of the Law Department of the School of Cultural Industry Management of Communication University of China, believes that the threats to citizens’ daily lives caused by the sale of citizens’ private information are mainly as follows: When a single type of App is used illegally, you may receive spam, spam messages, harassing calls, and may even lead to forced online loans and financial accounts to be used for illegal purposes; second, personal property losses, illegal intermediaries often use human faces Information and bank cards, ID cards and other documents are used for loans, debts, or card overdraft consumption; third, citizens may encounter the harm of naked chat, naked loans, and leakage of private information.

  Why does the act of selling citizens' private information continue to be banned repeatedly? Zheng Ning believes that this is because of the seller’s profit-seeking psychology, and the cost of buying face information is extremely low, but the sold face data can be used to "hit the database", that is, try to use the same account number and password on different websites. Obtain other account information of the user, so as to achieve the purpose of precise advertising, precise marketing or precise fraud, so as to obtain high profits. In addition, the low cost of crime is also the reason why citizens' private information is repeatedly resold.

  According to Zhu Wei, deputy director of the Communication Law Research Center of China University of Political Science and Law, the sale of private information is due to market demand. From a technical point of view, this demand comes from the following aspects: the first is to "crash the database", which refers to cracking the user account with the user's identity information, face recognition information and other related information; the second is to Precise marketing, understand the individual's movement trajectory, through face comparison, you can grasp what website the person has been on, and what similar services have been used. After getting the person's relevant information, you can use big data and other technologies to compare the person's true identity Combine, implement precision marketing; the third is for precision fraud. Scammers collect personal information to understand the items purchased by individuals, and use refunds, refunds, and replacement of goods as excuses to fool citizens by clicking on the two provided by the fraudsters. Dimension code to carry out precise fraud. In addition, there are some personal purposes, such as spying on personal privacy.

Law helps information protection

The sales platform cannot shirk its responsibility

  Regarding the penalties for reselling citizens’ private information, Zhu Wei said that for reselling citizens’ private information, the Criminal Law provides for the crime of infringing on citizens’ personal information. The upcoming Civil Code will focus on “privacy and personal information "Protection" has a separate chapter for regulation, which shows that the country attaches great importance to the protection of personal information.

  Zheng Ning introduced that reselling personal information is suspected of constituting the crime of illegally obtaining citizens' personal information. According to Article 253 of the Criminal Law, anyone who violates relevant state regulations by selling or providing citizens’ personal information to others, and the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, together with a fine or a fine; where the circumstances are particularly serious , Sentenced to fixed-term imprisonment of not less than three years but not more than seven years, and fined. At the same time, Article 41 of the Cybersecurity Law stipulates the basic principles for the collection and use of personal information: network operators should follow the principles of lawfulness, fairness, and necessity in collecting and using personal information, publicly collecting and using rules, and expressly collecting and using personal information. The purpose, method, and scope of the information are subject to the consent of the person being collected. Network operators must not collect personal information irrelevant to the services they provide, and must not collect and use personal information in violation of the provisions of laws, administrative regulations and the agreement between the parties, and shall handle its storage in accordance with the provisions of laws, administrative regulations and the agreement with users Personal information. Article 1035 of the Civil Code stipulates that the processing of personal information shall follow the principles of lawfulness, fairness and necessity, and shall not excessively process it, and shall meet the following conditions: (1) The natural person or his guardian’s consent is obtained, but the law, Except as otherwise provided by administrative regulations; (2) Disclosure of information processing rules; (3) Explicitly express the purpose, method and scope of information processing; (4) Not violating laws, administrative regulations and agreements between the parties. Article 50 of the Consumer Rights Protection Law stipulates that if a business operator infringes on the personal dignity of consumers, infringes on the personal freedom of consumers, or infringes on the rights of consumers to be protected according to law, they shall stop the infringement, restore their reputation, eliminate the impact, and apologize , And compensate for the loss.

  Do platforms that resell citizens' private information need to bear relevant legal responsibilities? In this regard, Zhu Wei said that this is suspected of illegal and illegal sales. According to the provisions of the E-commerce Law, the platform has the obligation to stop the operator who knows and knows that the operator on the platform is engaged in illegal business. If this obligation is not fulfilled, the platform will assume responsibility. At the same time, the platform must set up reporting channels. The sale of personal privacy involves criminal offenses. The platform should be handed over to the public security organs for handling. If there is no reporting channel, the platform must also bear joint liability.

  In addition, it depends on who the seller is. If the seller is the platform party, then there is no doubt that the platform party is the offender. If the operator on the platform is the seller, it mainly depends on whether the platform is aware of the operator’s behavior, except In addition, it also depends on whether the operator has left true identity information. If not, the platform party shall also be jointly and severally liable in accordance with the provisions of the e-commerce law. On the one hand, the responsibilities of the platform are based on the responsibilities of the e-commerce platform operators stipulated in the E-commerce Law, including the qualification review of the operators on the platform, the retention of identity information, the reporting of violations of laws and regulations, and the responsibility for knowing and knowing. Based on the Cyber ​​Security Law, the platform party has the responsibility to ensure cyber security. If the platform fails to fulfill its cyber security obligations, knowing that the operator is selling personal information and letting it go, to a certain extent, it can be regarded as a crime of assistance.

  Zheng Ning said that the second paragraph of Article 36 of the Tort Liability Law stipulates that if network users use network services to commit infringements, the infringed party has the right to notify the network service provider to take necessary measures such as deleting, blocking, and disconnecting links. If the network service provider fails to take necessary measures in time after receiving the notice, it shall be jointly and severally liable with the network user for the enlarged part of the damage. The third paragraph stipulates that if a network service provider knows that a network user uses its network service to infringe on the civil rights of others, and fails to take necessary measures, it shall bear joint and several liability with the network user. The Civil Code also stipulates that if network service providers know or should know that network users use their network services to infringe the civil rights of others, and fail to take necessary measures, they shall bear joint and several liability with the network users. The E-Commerce Law stipulates that if an e-commerce platform operator discovers that it sells or provides goods or services that are prohibited by laws or administrative regulations, it shall take necessary disposal measures in accordance with the law and report to the relevant competent authority. All e-commerce platforms should conscientiously fulfill their supervision obligations, use big data technology to monitor, promptly detect and remove non-compliant products, and cut off the interest chain of selling facial information.

Improve the information protection system

Establish information protection awareness

  Regarding how to eradicate the problem of privacy leakage and sales, Zheng Ning believes that it should start from the three aspects of the national government, enterprises, and individuals. The state should improve the legal system of citizens' biological information protection as soon as possible, accelerate the legislative process of the personal information protection law, and build a sound individual Information rights relief and protection system, clarify the scope of collection and use of personal information; in terms of law enforcement, increase administrative penalties for illegal collection and use of citizens’ personal information by enterprises, and increase the illegal cost of infringing on citizens’ personal information; become a person in the government itself When collecting facial information, the government must have a clear legal basis and follow the principle of reasonableness and necessity, and limit the excessive expansion of public power, so as to minimize the violation of citizens' personal information rights. When companies collect and use facial data, they should abide by the following principles: user consent, data compliant use, transparency, data security protection measures, privacy design, accuracy and user rights, and accountability systems. Individual citizens should establish a strong awareness of personal information protection, and do not scan codes or register casually.

  In Zhu Wei's view, if you want to solve the problem of selling private information, you must first increase penalties, and secondly, you must pull out the radish out of the precision fraud. That is, in addition to the crime of fraud, it also depends on where the fraudster got it. Citizens’ personal information should follow the vine and consider the problems behind the fraud. In addition, new technologies must be introduced, such as blockchain technology, which can mutually verify each other. Whoever reads and takes away each information can leave traces. It is best to use technical means to solve it. technical problem. In addition, personal information, Internet real-name systems, etc. can be built into a unified website to store, instead of storing personal information on various commercial websites, it is better to store it through a unified website and turn it into an EID. It is better to be managed by the state.

  The protection of private information is of utmost importance to citizens. For citizens how to better protect their private information, Zheng Ning gives the following specific suggestions: First, establish a strong awareness of personal information protection. When personal information is likely to be collected, it is necessary to ask as much as possible the reason and purpose of the collection, whether there is a legal basis, and the data collection party's protection measures for data security. Second, don’t just scan the QR code and don’t send your verification code to others. Third, do not add WeChat and click links casually, and do not register on informal websites.

  Zhu Wei believes that, on the one hand, citizens should not just register information on the "Three Noes" website, don't scan QR codes casually, and don't easily click on links given by others. On the other hand, once they find that their personal information is wrong, changed, omitted, or beyond the scope of the use of personal information on the website platform, citizens can report or file a lawsuit on the platform in accordance with the law.

  Zhu Wei reminded that for individuals, citizens must learn to exercise the right to cancel and the right to peace. The right to cancel means that when citizens no longer use an app, they not only have to uninstall but also log out to eliminate personal information in the app; the right to peace refers to the right to refuse advertisements.