News 1+1 | Yuantong's insiders leaked 400,000 pieces of personal information. Is there any remedy for frequent information leakage?

  In the data era, people are delighted by the convenience and intelligence it brings to daily life, yet they also worry about the leakage of personal information.

Especially in the past two years, with the popularization of various big data applications, people's worries have gradually surpassed their "excitement". Incidents of information leakage at platforms and institutions often appear before our eyes.

On the 17th, YTO Express responded that its internal employees had colluded with criminals, causing 400,000 pieces of citizens' personal information to be leaked.

Although the suspect in the incident has been brought to justice, the incident has sounded an alarm for the protection of our personal information, and both the views on this incident and the views on personal information leakage give much food for thought.

  On the morning of the 17th, YTO Express posted on its official Weibo that the company had noticed recent media reports about cases of illegal acquisition and use of express waybill information, cases that were reported by the company and uncovered by the public security organs.

  YTO Express said that at the end of July this year, the real-time risk control system at the company's headquarters detected that two accounts belonging to subordinate branches in YTO Express's Hebei provincial region had made abnormal queries on waybill information belonging to other branches, which was judged to be an obviously abnormal operation. The company closed the risky accounts, immediately set up an investigation team made up of quality control, security, the information center, network management and the Hebei provincial region to collect evidence on the incident, and then reported the case to the local public security department.

  News 1+1 contacted the investigating team, the Anti-fraud Center of the Public Security Bureau of Handan City, Hebei Province, and the Public Security Bureau of Yongnian District, Handan City, and confirmed that the case was discovered and reported by YTO Express.

Wang Qiudong, leader of the Anti-fraud Center of the Public Security Bureau of Yongnian District, Handan City, Hebei:

This case was in August this year. People from the Hebei side of YTO's security department came to our public security bureau and reported that one of their accounts had been abnormally logged in to from a different place. It had been used by someone else to log in and illegally obtain citizens' information, and they reported it.

  Today, YTO Express stated in its response to the incident: Through company investigations, it was discovered that individual employees of the franchise outlets were suspected of colluding with external criminals, using employee accounts and illegal third-party tools to steal waybill information, resulting in information leakage.

Wang Qiudong, leader of the Anti-fraud Center of the Public Security Bureau of Yongnian District, Handan City, Hebei:

The method of the crime is that the suspects rent official accounts of Yuantong Company and then log in to screen the recipients' or senders' information. They sort it and sell it to criminals who commit telecom fraud. They are suspected of the crime of infringing on citizens' personal information. Their crime is in this link of the chain.

  After more than a month of investigation by the police, a total of 5 YTO employees were finally caught renting out their employee accounts at a price of 500 yuan per day, resulting in the leakage of more than 400,000 pieces of personal information.

Wang Qiudong, leader of the Anti-fraud Center of the Public Security Bureau of Yongnian District, Handan City, Hebei:

For the total amount of information flowing out of these five accounts, the effective amount of information is 45,000.

Some were rented out for a long time and some for a short time; the longest was 7 days and the shortest was 1 day. The effective number for the five accounts, by our statistics, is 45,000.

Behind these 45,000 items, any of the 45,000 people may be someone targeted by telecommunications fraud, one of the victims.

  The 45,000 pieces of information leaked contained six parts: the sender's address, name, phone number, and the recipient's phone number, name and address.

According to the confession of the criminal gang that steals personal information, the information will be packaged and sold at a price of one yuan each to areas with high incidence of telecommunications fraud in the country and Southeast Asia.

  It is understood that this is not the first time YTO Express has encountered customer information leakage.

As early as 2013, the media exposed that nearly a million pieces of YTO Express customers' personal information were not only available online, but the tracking-number data could also be updated 24 hours a day.

  The customer service of YTO Express issued an apology through Weibo.

YTO Express stated that the main reason for the online sale of order information was that individual online sellers needed false transaction information to improve their online stores' credit ratings. The online reselling of information also showed that the company's internal management needed to be strengthened.

  Today, YTO Express also stated that this case once again sounded the alarm of information security risks, and apologized for the problems exposed in this case.

Information leakage: is platform supervision too lenient?

  According to media reports, five employees of Yuantong Company were involved. The information our reporter obtained from the police in the afternoon was that two of these five found that their accounts had been logged in to abnormally and changed their passwords in time, which did not directly cause losses, so no criminal measures have been taken against them. Criminal measures were taken against three YTO Express employees.

In addition, although YTO Express discovered this information leak during daily monitoring and took the initiative to report the case, it still cannot shirk its supervisory responsibility.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

In the existing relevant laws and regulations, including after the amendment of the Criminal Law, there is a crime of "refusal to perform the obligation of information network security management". One of the specific acts is "causing the disclosure of user information and causing serious consequences", so the relevant law enforcement agencies should actually follow up.

This includes whether YTO was ordered to make rectifications after 2013, and what rectification measures it has taken.

After those five accounts were sold, 400,000 pieces of information could be leaked. In fact, there are already very serious problems in internal management.

Therefore, administrative law enforcement agencies, including criminal law enforcement agencies, should follow up. The weapon of "the crime of refusal to fulfill the obligation of information network security management" must be used; otherwise such things will be endless.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

According to the judicial interpretation of the crime of infringing on citizens' personal information, illegally acquiring, selling or providing 50, 500 or 5,000 pieces of citizens' personal information, depending on its type, can constitute criminal liability, so the more than 45,000 pieces of absolutely valid information among the information of 400,000 users leaked in this incident are a great many.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

In the Internet age, personal information is often massive.

A case cracked by the Ministry of Public Security last year involved 5 billion pieces of personal information; the Equifax credit information company in the United States leaked 135 million pieces of personal credit information of US citizens at one time; Yahoo mailbox leaked 500 million pieces of citizens' personal information at one time, and another time it was 3 billion.

So in this era, in fact, everyone's personal information is facing very big risks.

The content of the 400,000 pieces of express information is relatively large. It includes the sender's address, name and phone number and the recipient's phone number, name and address, and also includes ID card information, user preferences, etc. These are very valuable for big data analysis, and express waybill information has always been something that criminals watch closely.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

Internationally, the protection of personal information is now facing a problem. Is it to fight the "fly" or the "tiger"?

"Flies" are often in the middle and lower reaches. In today's case, the five employees belong to "flies."

But platforms and big companies are "tigers."

If we really want to solve the problem of personal information abuse, it is useless not to fight the "tiger", so internationally it is the "tiger" that is fought.

Of course, "flies" must be beaten, but the "flies" are more often penalized through public security management, and through public security management laws, including the investigation of criminal responsibility.

The standards of 50, 500, and 5,000 of the crimes of infringing on citizens' personal information constitute criminal liability for natural persons, but for "big tigers", this is not enough.

  If your password, mobile phone number, address, etc. have been leaked and obtained, you still have room to change them; personal biometric information, once obtained, is a stronger kind of personal information. In the past two years, face recognition and voice recognition have been used more and more. How can safety be ensured?

"The first case of face recognition"

  With the advent of the era of face-swiping, while people enjoy the convenience that face-swiping brings to mobile payment, hotel check-in, station and airport security, smart security and other fields, some people are soberly thinking about the security of face-swiping from another angle.

  Guo Bing, a distinguished associate professor of Zhejiang Sci-Tech University, has devoted himself to studying the legal issues of personal information protection for many years.

At the same time, he has another identity: the plaintiff in the "first case of facial recognition in China".

Last year, he took Hangzhou Wildlife World to court over the "mandatory" upgrade of its annual card from fingerprint recognition to "face-swiping".

Guo Bing, Distinguished Associate Professor of Zhejiang Sci-Tech University:

As a scholar who is concerned about the protection of personal information, I think that if a commercial organization like a zoo uses facial recognition technology without the informed consent of tourists or consumers, it must be suspected of illegality. In addition to obtaining consumer consent, I believe that consumers should also be informed of the purpose and risks of use, so that consumers truly know.

  Currently, the case is still under trial.

In fact, Hangzhou City, where Guo Bing is located, is also exploring the risks and legal attributes of face recognition.

On October 28, the "Hangzhou City Property Management Regulations (Revised Draft)" was submitted to the 30th meeting of the Standing Committee of the 13th Hangzhou Municipal People's Congress for deliberation, and it has entered its second review.

  The "Revised Draft" added and clarified that property service personnel shall not force owners to use shared facilities and equipment through biometric methods such as fingerprints and face recognition.

This clause also originated with Guo Bing.

  On October 9th, he set out his proposal on the entry of face recognition into residential communities at the legislative hearing on the "Revised Draft" organized by the Hangzhou Judicial Bureau.

Guo Bing, Distinguished Associate Professor of Zhejiang Sci-Tech University:

I really hope that the subsequent legislation can be more refined and prevent the risk of face-swiping, because our personal information leakage is a bit similar to the pollution of our current cyberspace. I agree very much that our protection of personal information must not follow the strategy that we used to control environmental pollution, first pollution and then governance. Once biometric information is widely leaked, it is completely different from environmental governance. The consequences are really difficult to control.

  If this revised draft is reviewed and approved, the "Hangzhou City Property Management Regulations" will become the first domestic statutory regulation to incorporate face recognition in residential areas into property management.

Cao Dianhang, deputy director of the Hangzhou Municipal Bureau of Justice:

I think legislation should be forward-looking. We can't wait for problems to break out before we standardize through legislation. If we do this, the management cost will be very high and the difficulty will increase exponentially. The regulations do not forbid property companies from using the face-swiping system, which means that the face-swiping system is allowed to be used for management, but the owner's consent must be obtained. That is to say, if the owner's consent is obtained, his face and biological information can still be collected, but if the owner is unwilling, then he cannot be forced to have his biological information collected, and he should be allowed to enter the community with a card or other means.

  The path from the first lawsuit to the first entry into local regulations shows that the application and protection of personal biometric information, represented by fingerprints, faces, voiceprints and irises, has become more and more urgent.

  In addition to face recognition, the suspicion that mobile phones are being monitored because of granted permissions has become another problem for the public.

Mobile phone user Liu Qian:

I talked to my colleagues about my baby, about some problems with the baby's certificate, and my shopping software and browser then pushed baby certificate sets to me, but I hadn't even searched for baby certificates online. I find it pretty scary.

Mobile phone user Yuan Qingpan:

I told a friend about date palms, and then a day later I got a video recommending date palms on an app.

I was surprised. I said, how could you possibly, right?

Apart from talking about it, there was no search record, and yet it could be recommended to me.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

Similar incidents of surveillance have occurred abroad, which can be regarded as scandals.

This brings great challenges to personal privacy and even personal and property safety.

Some apps must use a microphone because they have a call function, but many apps don't actually have a call function. For example, some apps for reading also call your microphone. In this case, legal intervention is required: the microphone can be called only when there is a reasonable business need; otherwise the microphone should not be called.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

This must be judged by a regulatory agency.

Many apps feel that they need to call a lot of personal information, otherwise they cannot provide services. In fact, many times what they say is unreasonable.

For example, if a reading software only provides text services, there is no need for a microphone.

Even if the microphone is really needed, it is not always needed. It may only be called when you need it. When you don't need it, you should respect the user's choice and don't let it be on for you forever.

Personal information protection, how does the law work?

  These simple questions come from an online questionnaire released by the research team on the application of face recognition technology in the first half of 2020. More than 20,000 people participated. This set of data can at least reflect the basic direction of the public's attitude toward face recognition applications.

Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences:

Actually, there have been a lot of discussions about face recognition in the world, and many subjects are now aware of the consequences of face recognition.

For example, San Francisco, USA, clearly prohibits face recognition.

In other areas, Microsoft has made some normative requirements for face recognition, and under what circumstances it will perform face recognition.

Since we are now entering the 4G and 5G era, it is an era of video. At this time, the use of human faces is more and more extensive, and the risks brought by it are unprecedented.

Because the face cannot be changed. A password can be changed, even an address can be changed, and a car can also be changed, but the face cannot be changed.

So once this damage is caused, it cannot be undone.

This requires protection in legislation and law enforcement as a top priority.

  On the one hand, there is the development of technology and the market, there are market demands, and there are also high-tech development needs. On the other hand, people are more deeply concerned about their own information security.

It is not that the two must be opposed and only one can be chosen; rather, as technology develops and is put to appropriate use, there must be a clear red line, and the premise of applying technology must be safety.

Technology needs to be developed, but the prerequisite should be security, especially when it comes to personal privacy and personal information. We hope that laws and regulations can really play a role in the future to protect the privacy of each of us.