Say “no” to excessive permissions requested by mobile apps

With the rapid development of mobile Internet, various mobile applications (APPs) have become popular rapidly, playing an important role in promoting economic and social development and serving people's livelihood. However, at the same time, the problem of APPs collecting users' personal information beyond their scope is very prominent. In particular, some APPs request authorization for personal information through bundling functions. If users refuse authorization, they will not be able to use the basic functions and services of the APP, which is a disguised way of forcing users to authorize. Excessive requests for rights have been upgraded from "sneaky" to "blatant".

[[391828]]

Recently, the Cyberspace Administration of China and four other departments jointly issued the "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications" (hereinafter referred to as the "Regulations"), which clarified the scope of necessary personal information for 39 common types of APPs, such as map navigation, instant messaging, and online shopping, and required their operators not to refuse users from using the basic functional services of the APP because the users do not agree to provide non-essential personal information.

When you install an APP to watch videos, it requires you to authorize call records; when you download an APP for navigation, it actually requires access to your address book information... Some APPs often require users to hand over various unnecessary privacy permissions by default, making the user's mobile phone like an unguarded "big house" where anyone can smash a window or demolish a wall. If the APP's excessive rights requests are allowed to grow wildly, not only will personal information leakage become a high-probability event, but the data security risks it brings should not be underestimated. In reality, a large number of illegal APPs have formed a black market for personal information through excessive rights requests, resulting in personal information being used by criminals, providing a "hotbed" for Internet crimes such as telecommunications network fraud and human flesh searches.

Regarding the collection of personal information, the Cybersecurity Law clearly stipulates the principle of "legality, legitimacy, and necessity", which is an iron rule that APPs must always follow. However, in the past, due to the lack of sufficiently detailed regulations on the legality, legitimacy, and necessity of the scope of personal information collected by APPs, it was difficult to judge the type, scope, and boundaries of personal information collection, making personal information protection work mostly focused on post-event accountability. In fact, from the perspective of governance costs and law enforcement efficiency, it is very necessary to conduct ex ante supervision of personal information collection. The more effort is put into ex ante supervision, the smaller the subsequent risks will be. Only in the face of sufficiently specific and targeted rules can ex ante supervision play a better role.

The "Regulations" issued this time further and more accurately implement the "legal, legitimate and necessary" principles in the Cybersecurity Law, move law enforcement forward, increase governance efforts from the perspective of the scope of personal information collection, establish rules and draw boundaries to prevent APPs from excessively requesting rights, and make specific and clear provisions for the categories of personal information rights requests of 39 types of APPs in practice, urging platforms to collect personal information in accordance with the law and contract, and to effectively fulfill their main responsibility of protecting the security of users' personal information.

In order to eradicate the soil for the chaos of excessive APP requests for rights, in addition to the need for relevant departments to combine prior supervision and post-event accountability, and for APP operators to fulfill their principal responsibilities in accordance with laws and regulations, it also depends on the courage of the majority of users to supervise and be good at protecting their rights. As the "Regulations" clearly state, any organization or individual has the right to report to the relevant departments. This not only facilitates the public's right to supervise the security of personal information, but also broadens the governance channels for relevant departments to protect the security of personal information.