20% of netizens have suffered personal information leakage; how can the "hardest hit area" of data security be rectified?

The "Report on the Development Situation of Information Consumption in China", recently released by the China Academy of Information and Communications Technology, shows that on the consumer side the number of netizens in China has continued to grow and now exceeds one billion.

The "Report" also warns readers to be alert to risks such as data security and personal information leakage.

Since the Personal Information Protection Law took effect, public security organs in Gansu, Jiangsu and other places have cracked many cases of infringement of citizens' personal information.

The Public Security Bureau of Lingtai County, Gansu Province, recently dismantled a criminal gang that bought and sold citizens' personal information online.

The suspects Yan Moumou and Hu Moumou used their store to obtain users' identity information and mobile phone numbers by deception, and illegally registered various online accounts with them.

Police discovered that a criminal gang was hiding behind the two suspects.

From February to March this year, the task force travelled to Chongqing, Sichuan and Yunnan and arrested seven members of a criminal gang that infringed citizens' personal information.

Since 2019 the gang had used a WeChat group to illegally buy and sell citizens' personal information. Posing as telecom business agents, they used gifts, phone credit and similar bait to obtain users' personal information by deception, then registered various online accounts with it. The information was sold at a price of 20 yuan, and the illegal profit was nearly 100,000 yuan.

Jiangsu police also recently cracked down on a criminal gang that sold citizens' personal information.

The gang mainly sold the information of investors and students, which it referred to as "materials".

"Investor materials" include stock traders' names, mobile phone numbers, exchanges and other information; "student materials" include parents' names, phone numbers and the schools their children attend.

"Materials" are further divided into "hand-dialed materials" and "AI materials".

Hand-dialed materials have been called manually to confirm that the numbers are genuine and in use.

AI materials are phone numbers randomly generated by the suspects with software, with no other identity information attached.

Investigators established that since 2018 the gang had sold more than 200,000 pieces of citizens' personal information and made a profit of more than 200,000 yuan.

According to the 49th Statistical Report on the Development of China's Internet by the China Internet Network Information Center, as of December 2021, 22.1% of netizens had experienced personal information leakage.

Public security organs remind the public not to click on or use links, websites and mobile apps from unknown sources, and not to give SMS verification codes to others, so as to strictly prevent information leakage.

Some mobile apps monitor users in the background

With the implementation of the Personal Information Protection Law, there is now a legal basis for strengthening the protection of personal information and for users to refuse to "run naked" on the Internet.

But many users still feel that they are under surveillance by mobile apps.

Many netizens have had this experience: after viewing an item or entering a keyword online, they soon receive related advertisements or content pushed by a mobile app.

What's going on here?

At a network security agency, technicians used detection tools to test how two mobile phone browsers collect user information.

The technician copied a simulated bank account number and password to the clipboard. Although the browser was not in use at the time, the detection tool found the bank account number and password in a program invoked by the browser.

Network Security Engineer Lv Shikui: This app reads the bank card number and password we copied.

It is taken away in plaintext; no related encryption processing is done.

The technician then selected a phone number and an SMS message on the phone as a test, with the browser moved to the background. The contents of these two operations were also read by the browser, as was product information browsed on the e-commerce platform; both tested browsers recorded all of it.

One of the browsers could still record user behavior even after its process was closed.

Establish a "dual list" to protect citizens' personal information

To let users clearly see how mobile apps access and request their personal information, the Ministry of Industry and Information Technology earlier proposed establishing a "dual list" for personal information protection.

Experts point out that during normal use mobile apps access personal information and request permissions, and different apps sometimes need to share sensitive information such as location and contacts, which makes supervising personal information protection harder.

To let users clearly see what personal information mobile apps share with third parties, the Ministry of Industry and Information Technology proposed establishing a "dual list" for personal information protection, requiring the relevant companies to maintain a list of the personal information they collect and a list of the personal information they share with third parties.

Ning Hua, Director of the Information Security Department of the China Academy of Information and Communications Technology's Tel Terminal Laboratory: Companies are required to present the "List of Personal Information Shared with Third Parties" concisely and clearly in a secondary menu, including the types of personal information shared with third parties, the purpose of use, usage scenarios and sharing methods.

Multiple measures to rectify illegal collection and use of personal information and other behaviors

To deal with problems such as apps illegally collecting and using personal information and deceiving or inducing users into providing it, the Ministry of Industry and Information Technology entrusted the China Academy of Information and Communications Technology to set up a working group for the protection of app users' rights and interests together with the Internet, mobile terminal, telecom operator and other links of the industry chain. Following the "informed consent" and "minimum necessary" principles, the working group has formulated standards such as the "Minimum Necessary Evaluation Specification for App Collection and Use of Personal Information" and the "App User Rights Protection Evaluation Specification", clarified testing requirements and methods, and provided a clearer basis for supervision.

The reporter learned from the Ministry of Industry and Information Technology that the first batch of major Internet companies had basically completed setting up "dual lists" for personal information protection by the end of last year.

On one mobile app, users can open a menu to view the types of personal information the app has collected, the purpose of use, the usage scenarios, the personal information shared with third parties and how it is shared.

Mobile phone manufacturers have also, as required by the Ministry of Industry and Information Technology, developed functions such as recommending minimal app permissions, proactively regulating and limiting apps' excessive permission requests.

Telecom operators use the tamper-resistance of blockchain technology to track and prevent the risk of personal information leakage.

The head of the telecom operator's information security center: We put the data characteristics of the operation log on the blockchain so that it cannot be tampered with, and verify it regularly.

If the log has been tampered with, there is a problem.

We will verify specific events in a risk-based manner.
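An added illustration of the scheme just described, written for this article and not the operator's own system: the operator keeps the log itself, only chained SHA-256 digests ("data characteristics") go to a write-once anchor store standing in for the blockchain, and a periodic check recomputes the chain and reports the first entry that no longer matches. The log lines, period id and the AnchorStore class are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample operation-log lines (not from the article).
LOG_DAY1 = [
    "2022-03-01T09:00:01Z op=query_subscriber operator=u1001 target=139****0001",
    "2022-03-01T09:05:17Z op=export_list operator=u1002 rows=200",
    "2022-03-01T09:07:44Z op=query_subscriber operator=u1001 target=139****0002",
]


def chain_links(lines):
    """Hash-chain the log: link i covers link i-1 plus line i, so editing,
    deleting or reordering any entry changes every later link."""
    links, prev = [], b"\x00" * 32
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        links.append(prev.hex())
    return links


class AnchorStore:
    """Stand-in for the blockchain: one write-once record per log period."""

    def __init__(self):
        self._anchors = {}

    def anchor(self, period, lines):
        if period in self._anchors:
            raise ValueError(f"anchor for {period} already written")
        self._anchors[period] = chain_links(lines)  # only digests leave the operator

    def verify(self, period, lines):
        """Return (intact, first_bad_index); the index is None when the log matches."""
        expected, actual = self._anchors[period], chain_links(lines)
        for i, (e, a) in enumerate(zip(expected, actual)):
            if not hmac.compare_digest(e, a):
                return False, i
        if len(expected) != len(actual):  # truncated or appended after anchoring
            return False, min(len(expected), len(actual))
        return True, None


def demo():
    store = AnchorStore()
    store.anchor("2022-03-01", LOG_DAY1)
    intact = store.verify("2022-03-01", LOG_DAY1)
    tampered = list(LOG_DAY1)
    tampered[1] = tampered[1].replace("rows=200", "rows=2")  # export record altered
    return intact, store.verify("2022-03-01", tampered)
```

Because each link depends on all earlier entries, a deleted or reordered entry is reported at its own position and a truncated log is reported at the point where the anchored chain continues past it.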

It is understood that the Ministry of Industry and Information Technology has vigorously rectified illegal collection and use of personal information and other violations of user rights through measures such as formulating standards, technical inspections, special rectification campaigns and industry self-discipline.

Last year, a total of 2.08 million apps were tested, 1,549 apps in violation were publicly named, and 514 apps that refused rectification were removed from app stores.

(Headquarters reporters Sun Jiwei and Tang Zhijian)