A certain platform obtains location 16 times within one hour, reads and modifies photos and files 121 times
What is the background of frequently calling personal data software?
On November 1, the Personal Information Protection Law was formally implemented, and the issue of personal privacy security returned to public attention.
Previously, after bloggers exposed the iPhone update system, they found that many mainstream software frequently obtained user information in the background, posing a threat to user privacy.
A reporter from the Beijing Youth Daily found that there are indeed many software that frequently call personal location and picture information. There are even social software that obtains location 75 times an hour. Why do they want to call private information so frequently?
Phenomenon
Is the personal App frequently called for information after authorization?
Citizen Ms. Liu broke the news to a reporter from the Beijing Youth Daily that on October 30, after she was shopping in an App, she was frequently pushed "Recommended Products", so she closed the app's location permission.
But I did not expect the system to prompt "need to agree to the privacy policy to continue to use."
Ms. Liu chose the "Still Disagree" button, but unexpectedly the software crashed and could no longer be used.
When she tried again and clicked "View Agreement" on the page, she found that it said: "Based on your express authorization, we may obtain your location and provide you with nearby products and shops... You have the right to refuse or Cancel authorization".
When she clicked the disagreement button, the software still couldn't be used.
However, there has been constant criticism on the Internet for the excessive request of mobile phone permissions by the App. On October 8, a user posted a screenshot stating that "The iOS version of WeChat repeatedly reads the user's album in the background".
According to user descriptions, the "Privacy" function of the new version of iOS15 has "Record App Activity", which can store data such as App access location or microphone within 7 days.
The above-mentioned users found that a certain social platform App reads the photo album several times in the background without the user actively activating the application, and the reading time each time ranges from 40 seconds to 1 minute.
The user also stated that he found that many domestically-made software also frequently read the user's photo album in the background.
Such frequent retrieval of private data has caused many netizens to worry about their privacy and security.
Experience
One-hour test: WeChat has to locate 75 times
Meituan reads and revises photos 121 times
Regarding Ms. Liu’s “no authorization to use the App” situation, the reporter experienced on November 2nd. However, in the system permission management column, the “Allow access to location information permission” page has changed, which is the same as the previous situation of Ms. Liu The difference is that the software can still be used normally after the reporter chooses "Prohibit".
However, the situation of calling private information is still obvious. The reporter used a mobile phone capable of monitoring App behavior records to record a total of seven WeChat, Weibo, Douyin, Meituan, Dingding, Taobao, and Gaode Maps with open permissions. User information call status of several commonly used software.
After an hour of observation, the reporter found that AutoNavi obtained location information 32 times and modified system settings 8 times; Dingding obtained location 18 times and read clipboard 10 times; Meituan obtained Location 16 times, reading and modifying photos and files 121 times; Douyin obtaining location 11 times, reading and modifying photos 24 times; Taobao obtaining location 24 times; Weibo obtaining location 32 times, reading and modifying photos and files 16 Times; WeChat obtains location 75 times, modifies system settings 9 times, reads and modifies photos and files 22 times, and reads clipboard 5 times.
Previously, on May 26, the reporter had done a similar test. In the case of refusing location permission, WeChat had asked for location information more than 800 times in 6 minutes.
WeChat previously responded that the iOS system provides App developers with a standard ability to notify the album update. When the album content is updated, the App will be notified to remind the App to make preparations in advance. The preparation behavior of the App will be recorded as reading the system album.
After the user authorizes WeChat to read the "System Album Permission", in order to facilitate users to quickly post pictures when they press "+" in WeChat chat, WeChat uses this system capability to make the user experience of sending pictures faster and smoother.
WeChat stated that the above actions are only performed locally on the mobile phone, and the latest version will cancel the use of the system's capabilities and optimize the function of quick image posting.
Demystify
Is it a normal requirement for software to call permissions in the background?
Zhao Shuai, head of Qi'an Pangu's privacy and security business, said that in terms of personal information protection, the operating system's authority is designed to restrict the collection and use of personal information by the App, and allow users to actively control whether the App can collect specific types of individuals. Information, such as address book, geographic location, etc.
The behavior of invoking permissions in the background is reasonable in certain scenarios. For example, when we use mobile phones to navigate, we are still using the App even though we switch to the background. There are also some scenarios that are not necessary. For example, we switch the App to the background temporarily. If this App is not used to provide services, then the background call permissions in this case may be beyond the scope of normal requirements.
Qu Zilong, the founder of the non-governmental Internet security organization Network Jiandao, believes that from a technical point of view, the number of calls does not directly explain the problem, and it is based on what its application scenarios actually do to confirm compliance.
Where is the boundary for the software to collect user privacy rights?
Regarding App mobile phone user data, Zhao Shuai said that from a technical point of view, it should be divided into several different situations: including personal information protected by system permissions, such as address book, recording, location, etc.; personal information not protected by user permissions, For example, the ID number, medical history, and marital status that the user actively enters; some preference information generated by the user during the use of the App, which may be actively recorded by the App, such as favorite songs, frequent restaurants, etc.
For personal information protected by system permissions, the software should fully express and obtain the user's consent before calling these permissions to obtain personal information, and should ensure that the scope, frequency, and method of access comply with the minimum necessary principles.
For the information entered by the user on its own initiative, the rationality and possible impact of the entry should be fully explained, and the user should be given the right to choose whether to enter it or not.
For the data collected during the use of the software, users should be clearly informed and the subsequent use should be explained.
What are the risks of user information being collected?
Qu Zilong said that after privacy leaks, accurate advertising is not the biggest risk. Unscrupulous companies will use big data to kill them, or even illegal software will be loaded into mobile phones to obtain address book and album permissions. After analysis, extraction is used to achieve "personal identity information". "Misappropriation", "targeted network fraud" and other purposes.
It is recommended that users do not allow third-party software to easily obtain access to address books and photo albums, and try not to store ID cards, bank cards, and other photo content containing sensitive information in photo albums.
Qu Zilong believes that the necessary permissions are divided according to the industry, and the country has clearly stipulated the law. Most of the disputes are some personalized content. For example, Alipay is a payment software, but after adding a small program, it becomes "Public application platform", the permissions acquired by attribute changes will naturally change accordingly. The best way is that if the third-party service in the application is only used occasionally, the secondary authorization is adopted, and the authorization principle is used immediately. If the long-term use of the application has a permission switch, the user can manually turn off the authorization at any time, which may be a better solution.
Text/Reporter Dong Zhenjie Song Xia
statement
It is a normal behavior to adjust permissions, but the platform must master it well
He Yanzhe, deputy director of the Evaluation Laboratory of the Cyber Security Research Center of the China Electronics Standardization Institute, said that the previous problem of mandatory authority and abuse was prominent. Users did not want to use this function, but the platform forced use. After the personal information protection law was promulgated, this problem was basically solved. , The user can freely choose.
He said that if the authority is opened, whether the information obtained is used within a reasonable scope is a question that needs to be considered.
App requests for camera permissions are generally for taking pictures and scanning QR codes, and for geographic location is positioning and navigation. These are clearly written in the relevant privacy agreements.
However, there are still some details that do have problems, such as the number of reads, which might have only needed 10 times, and finally got 20 times.
Previously, the situation was more serious. The number of reads could reach hundreds of times. Now the number of times is only between single digits and tens digits. This is generally not judged as a violation during the detection process. "There are many permissions to adjust. It is because of security and risk control issues, such as account login from another place, the platform will use this to judge. The reason is very complicated. As long as it is controlled within a dozen times, it is basically not a problem." He Yanzhe said that the background reading is the same. , Also need to look at the frequency, if the account has an abnormality, it will be detected through the background reading, and the data may not be read away.
"It depends on whether it is simply verifying the location or uploading data. There are more unreasonable factors in the background, and specific analysis of specific issues is required."