CCTV exposed, MIIT released the list! Personal information has become a commodity, and cross-border apps are becoming a cancer of informatization

• Have you ever encountered App permissions that “cannot be used without authorization”?
• Have you ever suspected that your offline conversations were being eavesdropped on?
• Have you ever noticed that your personal information has been leaked?

These phenomena are all violations of the App’s boundaries, and these violations are constantly evolving with the development of the Internet.

Just halfway through 2020, the Ministry of Industry and Information Technology has announced two lists of "apps that infringe on user rights". In addition, CCTV Finance also reported on this chaos.

It is not difficult to see that apps that violate regulations and exceed boundaries are becoming a cancer of informatization.

[[333338]]

Cross-border apps emerge in endlessly

On July 12, CCTV Finance exposed the phenomenon of some apps crossing the line to obtain personal information. The report pointed out that some words that appeared in offline chats by users would later appear in the push notifications of mobile apps, which led to the suspicion that mobile apps were eavesdropping.

In addition, the report also pointed out some unreasonable information authorization behaviors and the use of mobile phone verification codes to obtain personal information.

After CCTV exposed the incident, netizens expressed their similar feelings one after another - "I have had this feeling for a long time", "It is too difficult to have privacy", "This problem is very serious", "This is not the first or second time I have encountered this situation, there is no secret world"·······

In fact, before the exposure by CCTV Finance, the Ministry of Industry and Information Technology had published a list of “apps that infringe on user rights”.

Among them, on May 15, the Ministry of Industry and Information Technology announced the first batch of problematic application software in 2020, including Dangdang, Zuzuche, WiFi Manager and other apps.

Less than two months later, on July 3, the Ministry of Industry and Information Technology announced the second batch of apps that infringed on user rights in 2020, mainly including 15 apps such as WisdomTree, Nanobox, and Wufan Game Hall.

From the list of apps released by the Ministry of Industry and Information Technology, we can see that the issues involved mainly include the following aspects:

• Collect personal information without permission;
• Collecting personal information beyond the scope of the scope;
• Unauthorized sharing with third parties;
• No permission, no use;
• Frequent request for permissions;
• Requesting excessive permissions;
• Force users to use the targeted push function;
• Account cancellation is difficult.

So, how do these problems occur in mobile phones? And despite the attention of various departments, why do these app problems still persist?

The causes behind the chaos

According to the latest research results from Zhejiang University, mobile phone apps can use the built-in accelerometer of the phone to collect the sound vibration frequency emitted by the phone's speaker, bypassing the privacy agreement without the user's knowledge and legally obtaining voice information.

In addition, He Yanzhe, an expert from the App Special Governance Working Group, pointed out through specific experiments that even though the application interface is not opened, illegal mobile apps will still transmit data in the background.

From the transmitted data packets, it can be seen that the App will first obtain the IMEI number of the mobile phone (mobile device identification number, equivalent to the "mobile phone ID card"). Experts point out that once the mobile device identification number is stolen, it lays the foundation for personalized push.

Moreover, some apps not only use the illegally obtained information themselves, but also transmit it to third parties. The behavior of apps that include third-party toolkits is even more covert, making supervision more difficult.

No trade, no harm.

The reason why personal information is frequently stolen is not only due to the need for personalized App push notifications, but also due to a gray industrial chain.

According to previous reports, the buying and selling of personal information has formed a large-scale, long-chain, and highly profitable industrial chain, namely, illegal acquisition of personal information - information reprocessing - information trafficking. This industrial chain has a complete structure, and all kinds of information are clearly priced.

So, in addition to theft within apps, what other illegal thefts of user data exist?

According to a previous report by the Beijing News, using web crawlers and other methods is also one of the main ways to steal information. Some organizations crawl user data through merchants on e-commerce platforms such as Taobao and JD.com, or obtain user personal information such as mobile phone numbers through web pages, and then make profits through data trafficking and traffic traction.

Furthermore, staff who have access to personal data are also the "main force" of data leaks, taking advantage of their position to sell customer privacy information at high prices.

Personal information is frequently violated and data leaks are a chaotic phenomenon, which urgently needs to be regulated.

How to prevent personal information leakage?

First of all, from the user's perspective, we must raise awareness of personal information protection.

When enabling relevant permissions, be careful to check the options involving personal information, including mobile phone contacts, geographic location, etc. In addition, do not easily authorize functions such as microphones and cameras unless necessary.

When using the App, users should also pay more attention to whether there are any information leaks, background self-starting, etc. If any related violations are found, measures should be taken immediately to strengthen permissions and report to the relevant departments.

At the mobile phone manufacturer level, Ren Kui, dean of the School of Cyberspace Security at Zhejiang University, gave some advice in an interview. Ren Kui said:

• It is recommended that major mobile phone manufacturers increase the permission level of acceleration sensors and try to avoid various applications collecting accelerometer data when it is not necessary.
• At the same time, major manufacturers should also limit the sampling frequency of the accelerometer, or use the system's built-in filter to filter out the high-frequency part of the accelerometer sensor signal that contains the most voice information in advance.

In addition, to avoid similar vulnerabilities in the future, major manufacturers have re-evaluated the security and sensitivity of various sensors, modified the Android operating system's permissions for mobile phone apps to call various sensor data, and eliminated future side-channel attack paths.

At the legal and regulatory level, my country has currently promulgated laws and regulations such as the "Cybersecurity Law", "Telecommunications Regulations", and "Telecommunications and Internet User Personal Information Protection Regulations", which have made specific regulations in many aspects.

However, as the ways in which personal information is violated become more diverse, laws and regulations still need to be further improved. For example, regarding the issue of unauthorized use, Internet industry expert Bao Ran told CCTV Finance:

It is definitely unreasonable to not allow users to use the software without authorization. However, the legality of the software is still in a fuzzy area, because our relevant laws and regulations do not provide a particularly precise description and definition of the legality of the software.

The information age should bring convenience and intelligence, and private data should not become a commodity in the information age. Moreover, the protection of personal information is not just a one-person operation, but a matter for the entire industry, requiring the participation of multiple forces.

In addition, for those who are in the gray industrial chain, when you are stealing and selling other people's data, you don't know that your data is also being stolen and sold. In this data trading game, once it starts, no one is exempt.

In order to prevent personal information from being exposed, the best way is to press the end button of this illegal trading game.

This article is reproduced from Leiphone.com. If you need to reprint it, please go to Leiphone.com official website to apply for authorization.