When does the app over-collecting personal information stop?
Obtain personal information over-range and high-frequency
● To download and run shopping apps, you need to allow address book permissions; to download and run dating apps, you need to allow location permissions; even if you borrow a shared power bank, all kinds of personal information are collected... App excessive collection of personal information has become a major issue for users Slot
● The collection of personal information has hidden characteristics, the collector and the person being collected are in an obviously unequal position, the user's lack of perception of the collection process, and the vague space of relevant laws and regulations, all make App operators feel confident
● To consolidate the responsibilities of Internet information service providers, especially for sensitive personal information, App should only be processed when it has a specific purpose, sufficient necessity, and strict protection measures are taken.
At the same time, industry associations should strengthen industry self-discipline, improve the blacklist system, and conduct joint punishments on illegal enterprises and individuals.
□ The reporter's trainee reporter Zhang Shoukun
□ Our reporter Han Dandong
□ Intern Wang Yitian
In April this year, the unit door of Baige (a pseudonym), a resident of Shenyang, Liaoning, was replaced with a new access control system. To use the access control system, you need to download an App.
However, Baige found that the App reads a large amount of personal information of users, including location information, recordings, address books, cameras, etc., and users cannot log in and use them if they do not agree.
"Why does an access control system collect the privacy of so many people?" Baige and many owners around him did not understand this.
Similar situations are not uncommon.
In recent years, the excessive collection of personal information by apps has become a major ailment. The public has responded strongly, and relevant departments have repeatedly investigated and reported them, and they have been repeatedly banned.
When does the app over-collecting personal information stop?
With this problem in mind, a reporter from the Rule of Law Daily launched an investigation.
Get information beyond scope
Many users don’t know
To download and run shopping apps, you need to allow address book permissions; to download and run dating apps, you need to allow location permissions; even if you borrow a shared power bank, all kinds of personal information are collected... App excessive collection of personal information has become a big slot for users point.
Recently, the Shanghai Municipal Consumer Protection Commission conducted tests on the personal information security problems encountered by consumers in the process of using shared power banks. It shows that when some power bank apps are first run, personal information is collected before the user authorizes and agrees to the privacy policy; some The app collects the user's name, gender, and other personal information that has nothing to do with renting the power bank; some apps directly provide personal information to third parties without the user's consent or anonymization.
According to the 2021 Report on Issues Related to E-commerce Platforms Infringing Consumer Rights and Interests of the Jiangsu Consumer Protection Commission, many mainstream e-commerce platforms collect non-essential information by default.
The platform binds the display and browsing functions of goods and services based on personalized display with the user agreement, and requires consumers to agree to accept the platform to collect and process consumer device information, service log information, browsing search records and other information by default, so that the platform can use consumption records and Habits to display targeted and personalized products to consumers.
Even though the platform provides a personalized display closing function, it does not provide a function for terminating information collection.
"The personalized display function seems convenient, but it actually limits consumers' freedom of browsing and shopping. For example, after a consumer has successfully purchased a certain product, they will still receive frequent pushes of purchased products based on big data recommendations, which is neither smart. It also affects the shopping experience." Xu Yue, a staff member of the Propaganda Department of Jiangsu Consumer Protection Committee, told reporters.
It is understood that there are some professional apps on the Internet. After downloading, users can use this to form a "privacy report" to see what information the app in their mobile phone collected within a week, when they collected it, how often they collected it, and with which third parties Shared this information and so on.
After downloading, the reporter found that many apps repeatedly read various personal information of reporters without the reporter's knowledge. Among them, mobile phone location and photo albums are the two most read information. There is a dating app for 6 hours in a row. , Read the reporter's mobile phone location every few minutes.
Regarding the issue of excessive collection of personal information, the relevant staff of "Black Cat Complaint" told reporters that on the Black Cat Complaint Platform, since November 2020, there have been more than 30,000 related complaints, mainly involving online loans, online shopping malls, and third-party payments. , Insurance and other industries.
According to the staff member, on financial lending apps, there are apps that read the address book information without the user’s consent, and maliciously harass the address book contacts through SMS when they can effectively contact consumers; there are also some apps that have not been consumed. The author agrees to collect records of his searches, shopping, etc., and recommend products in a targeted manner.
Since the beginning of this year, the Ministry of Industry and Information Technology has issued 10 batches of "App notices on violations of user rights and interests", 11 batches of "Looking back" notices on issues such as App over-range request for permissions and excessive collection of user personal information, and "Regarding delisting infringements." Notification of User Rights App List".
The latest report revealed that 38 apps have over-range, frequent requests for permissions, and collection of user personal information that is not necessary for service scenarios and other violations.
Operators are rushing
Easy to breed data black production
The Personal Information Protection Law stipulates that personal information processors shall not refuse to provide products or services on the grounds that individuals do not agree to the processing of their personal information or withdraw their consent; unless the processing of personal information is necessary for the provision of products or services.
"The collection of personal information should be limited to the minimum scope for the purpose of processing, and it is not necessary to collect it; the personal information processor can only process personal information with the consent of the individual. If the important matters of personal information processing change, the individual should be notified again And obtained consent." said Zheng Ning, director of the Cultural Rule of Law Research Center, School of Cultural Industry Management, Communication University of China.
Zheng Ning said that personal information processors must not excessively collect personal information, refuse to provide products or services on the grounds of personal disagreement, and give individuals the right to withdraw their consent.
In other words, consumers have the right to decide whether their personal information is used, the scope of use, and to stop authorized use.
Sensitive personal information should be processed only when it has a specific purpose and sufficient necessity, and strict protection measures are taken.
Over-collecting personal information, users are disgusted, and relevant departments have successively investigated and reported. Why are App operators still rushing?
Cheng Ke, deputy director of the Culture and Rule of Law Research Center of Communication University of China, told reporters that the most important reason is driven by interests. Personal information contains huge commercial value, especially in the context of the digital economy. Through big data analysis of personal information, It can provide a more accurate basis for business decision-making, and at the same time make it possible for business models such as personalized information push and targeted advertising, and can gain a huge advantage in market competition.
In Cheng Ke's view, the collection of personal information often has hidden features, the collector and the person being collected are in an obviously unequal position, and the user lacks perception of the collection process; plus there are ambiguities in relevant laws and regulations, such as how to explain "Excessive", how to understand the "minimal and necessary" principle in personal information collection, there is a certain degree of ambiguity, which makes App operators feel confident.
Excessive collection of personal information has also increased the risk of personal information leakage and abuse.
The relevant person in charge of the Internet Security Brigade of Yongqiao Branch of the Public Security Bureau of Suzhou City, Anhui Province said that when a user visits a website or App, the network service provider does not clearly inform the purpose, method and scope of the collection and use of personal information and collects users before obtaining the user’s consent. Personal information, or non-essential scenes during the service process, over-range, multiple collection of personal information, such as facial video, location information, and address book data, can easily breed data black production and trigger illegal crimes.
Multi-pronged strong governance
Joint disciplinary action
It is imminent to rectify the excessive collection of personal information.
Related departments are also taking active actions.
On November 1, the Ministry of Industry and Information Technology issued the "Notice on Carrying out Information and Communication Service Perception Improvement Actions", which listed the first batch of establishments to establish "dual lists", improve customer service hotline response capabilities, optimize privacy policies and access display methods The list of Internet companies, including 39 major Internet companies, has established a list of collected personal information and a list of shared personal information with third parties, and displayed it in the secondary menu of the App to facilitate user inquiries.
On November 14, the “Network Data Security Management Regulations (Draft for Solicitation of Comments)” issued by the Cyberspace Administration of China stated that if data processors use biometrics for personal identity authentication, they should conduct risk assessments on the necessity and security, and not Biometrics such as face, gait, fingerprints, iris, and voiceprints are used as the only personal identity authentication methods to force individuals to agree to collect their personal biometric information.
In Cheng Ke's view, solving the excessive collection of personal information requires a multi-pronged approach from the legislative side, the judicial side, the law enforcement side, and the user side.
He further explained that on the legislative side, it is necessary to further specify the relevant rules for the protection of personal information, and gradually establish specific and enforceable standards through hierarchical classification.
It is possible to consider refined classification of personal information itself, and establish different protection standards for identity data, behavioral data, and special subject data (minors, elderly, etc.); in addition, for information collectors, such as various apps, Hierarchical and classified management, and clarify its collection authority.
“At present, the protection of personal information is still in the state of multi-departmental joint law enforcement. The establishment of a special information law enforcement department helps to clarify responsibilities and enhance the professionalism of law enforcement.” Cheng Ke said that users also need to raise their awareness of information security and use App Read the user agreement and privacy protection agreement from time to time, and actively report and defend rights when personal information is found to be excessively collected.
Zheng Ning also believes that consumers should be vigilant and protect personal information.
When downloading or using the App, be sure to read the relevant terms carefully, do not arbitrarily open the authority involving personal information; do not arbitrarily fill in personal information or upload certificates and copies with personal information.
If personal information is leaked or used illegally, you should immediately protect your legal rights and interests through legal means.
"The responsibilities of Internet information service providers must be compacted. Especially for sensitive personal information, App should only be processed when it has a specific purpose, sufficient necessity, and strict protective measures. At the same time, industry associations should strengthen Industry self-discipline, complete the blacklist system, and conduct joint punishments on illegal enterprises and individuals." Zheng Ning said.