The clause is three thousand feet, which line do you read?


On July 16, seven departments including the Cyberspace Administration of China, the Ministry of Public Security, and the Ministry of State Security jointly entered Didi to launch a cybersecurity review. Earlier, on July 4 and July 9, citing “serious violations of laws and regulations in the collection and use of personal information,” the Cyberspace Administration of China had ordered the “Didi Travel” app and 25 of its other apps removed from app stores. Information security has once again been pushed to the forefront.

The app market offers a dazzling array of apps covering every aspect of life, but as consumers we are left “bargaining with the tiger for its skin”: narrow user privacy policies written in obscure language let us “know” only nominally, and a mechanism that blocks further use unless we tick the box forces us to “agree.” Such fragile “informed consent” occurs in many scenarios, and we are left wondering whether this is simply the price of convenience in the digital age.

Why do these shopping apps seem to know everything about me? Why does a music app need to know what I look like? Why did the beauty camera suddenly gain a “friend recommendation” social feature? … Users’ perception of data collection is vague, while the user’s profile grows ever clearer to the operator, right down to the pores.

In this context, having the relevant departments clarify what counts as “necessary information,” so as to stop operators collecting non-essential personal information, is as important as urging them to protect user information and prevent it from leaking.

On May 1, 2021, the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications” officially took effect, clearly enumerating the scope of necessary personal information that 39 common types of apps may collect. Supervision now has a concrete basis. Measured against these regulations, the RUC Newsroom assessed the current information collection practices of 70 popular apps.

When personal information becomes a commodity, how much right do we, as its subjects, have to know what is collected and to bargain over the price?

1. After the new regulations, have apps been brought into line?

In the two months since the new regulations took effect, 293 apps have been officially reported for collecting personal information in violation of laws and regulations, more than in the whole of the previous year. Three categories, utility tools, sports, and business, have become the focus, accounting for more than 60% of the apps named, followed by entertainment, audio and video (36), news reading (27), and photography and beautification (19).


Taken together with the official rectification notices, it is clear that apps collecting personal information beyond the permitted scope is no illusion. Some apps “apply for permissions or collect information unrelated to their existing business functions or beyond the actual needs of those functions,” and some “collect part of a user’s personal information before obtaining the user’s consent.” The Cyberspace Administration of China’s rectification list contains many familiar “old friends,” such as Douyin, Kuaishou, Gaode Map, Baidu Map, Toutiao, Tencent News, and Keep.

Since the new regulations, has the way apps collect user information become more standardized?

RUC Newsroom compiled the user information collected by the 70 most popular iOS apps across 14 categories. Measured against the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications” (hereinafter the “Regulations”), most apps are still collecting a large amount of non-essential user information, and, more importantly, users find it difficult to withdraw authorization for that collection.

Take “58.com” (58 Tongcheng) as an example: it collects as many as 28 kinds of user information. Yet Article 22 of the “Regulations” clearly states that the only “necessary information” for local-life apps is the user’s phone number.


However, “necessary” is not easy to define in practice. The “Regulations” describe the basic functional services of “local life” apps as “housekeeping and repairs, home decoration, second-hand goods trading, and other daily life services,” but 58.com, as a platform aggregating many functions, already covers services far beyond the “local life” category: besides daily life services it also offers ticketing and coupons, job recruitment, and real estate rental.

The wider 58.com’s business spreads, the greater the risk of personal information leaking. In 2017, a reporter from 21st Century Business Herald found in an investigation that for just 700 yuan one could buy data-collection software that scraped resumes from 58.com. In April 2019, media reported that a former 58.com employee had illegally obtained and sold more than 640,000 personal resumes and was sentenced to four years and six months in prison.

Article 41 of China’s Cybersecurity Law has long stipulated: “Network operators shall not collect personal information irrelevant to the services they provide, shall not collect or use personal information in violation of the provisions of laws and administrative regulations or the agreements between the parties, and shall process the personal information they store in accordance with the provisions of laws and administrative regulations and their agreements with users.”

So what is the difference between “non-essential personal information” in the “Regulations” and “personal information irrelevant to the services provided” in the “Cybersecurity Law”?

Under the “Cybersecurity Law,” the location information collected by “58.com” allows precise positioning so that better-matched employers and housekeeping services can be pushed to users; photos, videos, and audio help users shoot and upload pictures and videos of properties; search and browsing history can be used to optimize algorithms and match service providers with users. All of this can be interpreted by the service provider as “personal information related to the service.” This vague line between “related” and “irrelevant” easily creates problems for regulation.

The new rules categorize apps and give specific “necessary” and “non-essential” information indicators for each major category, which undoubtedly makes regulation more precise.

Even so, once the indicators are broken down by category, some difficulties in regulation remain.

First, in some categories “necessary” and “non-essential” information overlap. Take Zhaopin Recruitment as an example: the necessary information for this type of app includes “contact number” and “personal resume,” but a personal resume, defined as “necessary information,” in fact contains a great deal of “non-essential personal information,” some of it highly specific and sensitive. This year’s CCTV 3.15 gala exposed the problem that “resumes on the Zhaopin recruitment platform can be downloaded at will for a fee, and many flow to the black market.” Reporters visiting undercover were told by Zhaopin customer service that once users “register an account and create a resume, it is public by default,” so resumes could be downloaded for payment without the user’s knowledge.

Another problem is that although the “Regulations” specifically protect “visitors” (“an app shall not refuse users the use of its basic functions and services because they decline to provide non-essential personal information”), in many cases, if you provide only the minimum necessary personal information, what you get in the app is the frustrating experience of “hitting a wall everywhere,” unable to use most of its functions.

Take the sports app “Keep” as an example. Under the new regulations, users should not need to provide any personal information to use the basic functional services of a sports and fitness app. In our testing, users can indeed start training in Keep as a visitor. But Keep appears on the notification list: it collects more than 20 items of “non-essential personal information” from users, and only “location,” “photos,” and “sports and fitness” can be turned off in its settings (on iOS). If you want a smoother, richer service, you have to hand over more privacy bit by bit.

For example, to buy paid classes or fitness meals in Keep you must provide payment information and a delivery address; to use Keep to record your body before and after exercise you must hand over health and fitness information… This is especially true of platform apps such as WeChat and Meituan and of “super apps” spanning many fields. “Necessity” cannot become a fixed category; the judgment of what is necessary arises every time a small function is added.

At the same time, a large share of “non-essential information” is used only for product optimization. Are crash data, performance data, and other diagnostic data unnecessary? May information such as search and browsing history, which can be used to provide personalized and customized services, be collected? Limiting the scope of “necessary” too strictly may also harm users’ interests.

This is why, although the “Regulations” require apps to provide basic services to “visitors,” they neither prohibit apps from collecting non-essential information nor clearly stipulate that apps must seek user consent before collecting it.

So the problem comes back to the user. But as a user it is almost impossible to judge what is “necessary” for compliance in each scenario. Worse, the information is often gone before any judgment can be made: if the app does not prompt, the user will not even realize information is being collected, let alone object.

2. Can I skip reading privacy policies that are far too long?

When you want to solemnly exercise your right to informed consent, can you actually read the privacy policy through in one sitting?


By our count, among the 70 popular apps the longest privacy policy, that of “Beile Tiger Children’s Songs,” runs to 21,210 words; on an iPhone 12 at a medium font size, reading it takes 34 screens. The shortest privacy policy among the popular apps, that of Tick Travel, still has 2,116 words, which at an average careful reading speed of 200 to 400 words per minute takes at least 7 minutes to get through.

On average, the privacy policies of the 70 popular apps run to about 13,000 words, or about 21 screens, the equivalent of about 2.5 news reports of roughly 5,000 words each.

Moreover, a careful look at the content shows that although most privacy policies are clearly organized and expressed, terms such as SDK, IMEI, and OAID are unavoidable, leaving many readers who “read it but did not fully understand it.” And since the privacy policies of the major apps are all similar, even users who make a point of reading them may, out of habit, overlook the “traps” in the wording.

Some scholars have pointed out two problems with the “inform and consent” framework: privacy policies are lengthy and obscure, and users eager to use a product or service are likely to click “agree” or “next” straight away. Companies should take the initiative and accept responsibility for privacy policies that are “too long to read.” [1]

In 2017, in the special campaign “Personal Information Protection Promotion Action,” the state gave detailed consideration to “how to effectively improve the effect of notification.” It required not only that a privacy policy “completely and clearly describe how the product or service provider collects, stores, uses, and provides personal information to external parties,” but also, to better realize users’ right to know and avoid the “too long to read” problem, that the service provider give “enhanced notification”: when an account is registered, the program is installed, or the app is first used, a personal-information reminder shown to the user condenses and highlights the core content of the privacy policy. In particular, before any authorization involving sensitive personal information, the operator is obliged to give a second reminder. [2]

But our statistics show that among the 70 popular apps, only 35 briefly enumerate or highlight the privacy data that may be collected in the privacy notice that pops up on first use. Operators still have a long way to go before users are truly “informed.”

Beyond national regulation, at the beginning of this year Apple also introduced privacy labels in the App Store, requiring app developers to provide a summary of their privacy practices that explains to users what information they collect and why, and in particular whether it is shared with third parties or used for advertising “tracking.” However, the privacy labels declared by apps are not reviewed by Apple; whether the obligation is fulfilled depends on the developer’s conscientiousness. Some apps state at length in their privacy policies that they may obtain user identifiers, phone numbers, or microphone and camera permissions, yet mark only a solitary “user ID” in the App Store.

[Figure: privacy information card in the Apple App Store]

3. What if you don’t “agree”?

To agree or not to agree, that is the question.

If you consent to the privacy terms, you flow freely through a dazzling array of functions; if you hesitate, the platform turns you away with phrases such as “we will not be able to provide you with better services,” “discontinue use,” “reconsider”… The positions of operators and users are inherently unequal.

Our statistics on the personal information collection and use problems of the 173 apps reported by the Office of the Cyberspace Administration of China show the following. 70% of the violating apps did not tell users the purpose when requesting permission for sensitive personal information. Nearly half did not list the purposes and types of personal information collected and used by third-party SDKs (software development kits). 18% had “no privacy policy.” 17% refused to provide some or all business functions once users declined to enable non-essential permissions or provide non-essential information. About 16% treated users as having agreed to the privacy policy “by default.” About 12% kept asking for consent after the user had expressly refused certain permissions, interfering with normal use. About 3% still collected information through other channels after users refused authorization.


The power to “disagree” has shrunk in the face of convenience that is hard to refuse. For many users there are only necessary functions, never necessary privacy. When we are in a hurry to hail a taxi, to navigate, to pay… what if we don’t agree?

In this see-saw destined to be unequal, only the intervention of public power offers hope of some balance. This is also the global trend. On May 25, 2018, the EU’s “strictest ever” data protection law, the General Data Protection Regulation, took effect, stipulating that companies in breach can be fined up to 4% of global annual turnover or 20 million euros, whichever is higher.

Under this year’s May 1 new regulations, the penalties for violating apps are usually orders to correct, warnings, confiscation of illegal gains, and fines; only in serious cases are apps ordered to suspend the relevant business, suspend operations for rectification, shut down the website, or have their business license revoked. Although the maximum fine under the new regulations is only 1 million, negligible compared with the 50 million euro fine Google paid under the EU’s General Data Protection Regulation, users facing the “overlord clauses” of the various app privacy policies seem to have gained a little more confidence.

On July 19, the Ministry of Industry and Information Technology issued its sixth 2021 notice of apps infringing user rights and interests. As of that date, 145 apps had still not been rectified, including Xiakitchen, Phoenix News, Douyin Speedy, Xunlei, Huya Live, Anjuke, and Oriental Fortune. The Ministry requires these 145 apps to complete rectification before July 26; otherwise it will organize disposal in accordance with laws and regulations. The determination and intensity of supervision are plain to see.

We hope that one day soon, when we open any app, we will truly “know” and truly “agree” to every collection and use of our personal information.

References: [1] [2] Hong Yanqing, “Privacy clause review enhances the level of information protection,” http://www.cac.gov.cn/2017-09/15/c_1121667458.htm

Data notes

1. Data collection period: July 13 to 15, 2021

2. Data sources: the Qimai Data iOS list (Mainland China), the App Store, and the privacy agreements/policies provided by each app.

3. Sample selection rules: this article uses 70 sample apps in total. In each of the 14 App Store categories “Video Entertainment,” “Utility Tools,” “Social Communication,” “Education,” “News Reading,” “Photo Beautification,” “Travel Navigation,” “Travel Accommodation,” “Shopping Comparison,” “Children,” “Sports Health,” “Convenient Life,” “Food,” and “Business,” the top 5 apps by daily active users were taken as samples. Where different versions of the same app appear, the main version is selected (for example, when both “Tik Tok” and “Tik Tok Extreme Edition” appear, “Tik Tok” is selected).

4. Because Android has no relatively unified app download platform or classification of privacy data types, this article mainly follows the privacy data type classification of the iOS App Store. Note that the privacy data each app declares in the App Store is stated by the developer itself and is not officially verified by the App Store, and for some apps the App Store privacy declaration differs from the app’s own privacy agreement. In addition, the privacy agreements displayed inside apps such as “Tik Tok,” “Kai Shou,” “Bai Zi Zhan,” “China Mobile,” and “KFC” are the latest versions, but because they could not be copied and collected, relatively older versions of these apps’ privacy agreements were analyzed.

5. The classification of “necessary information” follows the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications” issued by the Cyberspace Administration of China and other bodies.

6. “Whether a summary of the privacy policy is provided” refers to whether the data the app may collect is briefly listed or highlighted in the privacy notice that pops up when the app is opened for the first time.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/the-clause-is-three-thousand-feet-which-line-do-you-read/