Produced | Tiger Sniff Car Group
The author | Master Zi Nan
Someone broke the rules.
In the era of Internet big data, technological progress has brought people a more convenient life experience. But there has always been a boundary between the collection of user information. Xiaopeng Motors, across this boundary.
On December 14, according to the Tianyancha APP, Xiaopeng Automobile, a new car-making force, was fined 100,000 yuan for collecting 430,000 photos of consumers' faces in offline stores without authorization.
Car companies generally collect car owner information, and rarely collect face information, Xiaopeng Automobile, which belongs to the collection of face information of people who have not bought a car.
Since the 315 Consumer Rights Day in 2021 exposed the illegal collection of user portrait information by some supermarket stores, consumers' tolerance for the illegal collection of information by enterprise merchants has decreased again. After the news of Xiaopeng Automobile was issued, it immediately rushed to weibo hot search. Some Weibo netizens said: "When I go to buy a car in the future, I will not wear a mask."
Subsequently, Xiaopeng Automobile publicly responded: it caused users to worry, apologized for this, and made a deep reflection on the matter. As for the cause of the illegal collection of portraits, Xiaopeng explained that due to his unfamiliarity with the relevant legal provisions, he mistakenly purchased and used the products of third-party suppliers that violated the relevant legal terms.
This is a response from a listed company that serves more than 100,000 users to illegally collect user information – unfamiliar with the relevant legal provisions.
When you enter the store, you will be photographed
A document from the Xuhui District Market Supervision and Administration Bureau restores the whole thing.
On March 1, 2019, Shanghai Xiaopeng Automobile Sales Service Co., Ltd. signed the "Framework Contract for Passenger Flow Monitoring Project of Xiaopeng Automobile Stores" with a company, and purchased the corresponding store passenger flow monitoring project services.
In the incident, Xiaopeng spent 173822.77 yuan to buy related software and hardware.
From January to June 2021, 431612 face photos were collected and uploaded by devices in these stores. At present, the collected face information has been deleted, and the company involved has no illegal gains.
Although the documents of the Xuhui District Supervision and Administration Bureau show that Xiaopeng Automobile did not have illegal gains. However, the price paid by Xiaopeng is not high, only 173,800 yuan and 100,000 yuan of fines for purchasing equipment. The money did not buy a high-end version of the Xiaopeng P7.
In this process, Xiaopeng Automobile did not have the consent of the consumer, nor did it expressly, and informed the consumer of the purpose of collecting faces.
However, in Xiaopeng Automobile's response, Xiaopeng Automobile emphasized its "correct attitude" of correcting mistakes when it is known. It said that before the Shanghai Municipal Supervision Bureau inspected on March 18, the store removed all the collection equipment through internal self-inspection and self-correction.
Although Xiaopeng stressed that he took the initiative to stop the collection behavior, from the perspective of time, Xiaopeng's collection may be "compulsive".
The entire collection behavior was stopped after the 2021 315 party exposed the illegal acts of Kohler, BMW 4S stores, etc. By the time they are installed in 2019 and by 2021, it is unknown how much face information these devices have collected.
In the whole incident, the secret shooting of user face information is not an individual act of the dealer or a single store, but the official illegal behavior of Xiaopeng Automobile. These face collection devices were installed in 7 Xiaopeng stores, of which 5 were directly operated stores and 2 were franchised stores. The purpose of collecting face information is to improve the reception process and better serve customers who come to the store (better sell cars).
The collection of user information in the process of consumer use of the car is to some extent legally recognized. However, it is illegal and immoral to collect personal face information in the process of entering the store.
"The face belongs to biometric information, affecting the safety of a person's life and property, the general enterprise collects user information to improve product service users, but for the low-frequency behavior of a single person entering the store, information acquisition is to feed the user as the food of the algorithm to the machine, and the consumer is blinded and teased in the whole process," a data algorithm engineer told Tiger Sniff.
In the case of Xiaopeng Automobile's secretly photographed faces, consumers' privacy rights were violated and no obvious benefits were obtained. But once the face information is leaked, the operability of the enterprise is very large.
According to the above-mentioned engineers, after such face information is collected, the algorithm will evaluate and judge the consumer's frequency of entering the store, age, clothing, where to go after leaving the store, etc., in order to analyze the potential shopping possibility of consumers. More excessive enterprises will collect face information, conduct face emotion analysis, learn the corresponding behavior of a certain emotion, and finally realize the prediction and impact on the character's emotions. The most excessive approach is to sell face information.
What purpose Xiaopeng Automobile achieved with these face information is unknown. However, it requires further explanation.
"The scariest part of big data is not only that information can be leaked, but also that the party in charge of the data can make predictions about people's behavior, and when a person's behavior can be predicted, human rights are difficult to protect," the engineer said.
In china's law, the collection of face information also has strict restrictions. In July this year, the Supreme People's Court issued the Provisions on Several Issues Concerning the Application of Law in the Trial of Civil Cases Related to The Use of Face Recognition Technology to Handle Personal Information, article 1 of which clearly states that the handling of "face information" and "face information generated based on face recognition technology" are the objects of regulation. Article 2 of the Provisions clearly points out that the use of face recognition technology for face verification, identification or analysis in business places such as hotels, shopping malls, banks, stations, airports, stadiums, entertainment venues, and other business premises and public places in violation of laws and administrative regulations is an act of infringing on the personality rights and interests of natural persons.
This time, Xiaopeng Automobile was lucky, because Xiaopeng's illegal behavior occurred before the promulgation of the Personal Information Protection Law, so the relevant departments can only use the Consumer Rights and Interests Protection Law as a reference.
A lawyer told Tiger Sniff that the latest Personal Information Protection Law mentions that if there is an illegal act of handling personal information in violation of the law, and the circumstances are serious, the department performing the responsibility of personal information protection at the provincial level or above shall order corrections, confiscate the illegal gains, and impose a fine of less than 50 million yuan or less than 5% of the previous year's turnover, and may order the suspension of relevant business or suspension of business for rectification, and notify the relevant competent departments to revoke the relevant business licenses or revoke business licenses The directly responsible supervisors and other directly responsible personnel shall be fined between 100,000 and 1 million yuan, and may decide to prohibit them from serving as directors, supervisors, senior management personnel and persons responsible for personal information protection of relevant enterprises for a certain period of time.
Whether the illegal circumstances are serious or not needs to be judged by the relevant departments.
But we can compare it with an old story. When the BMW 4S store that was exposed in the previous 315 was seized, a total of 4617 face information of consumers who arrived in the store were captured and stored.
Xiaopeng's 430,000 face information is about 100 times that of the aforementioned BMW 4S store.
Have a "previous conviction"
Judging from the information disclosed by the relevant departments, this is not the first time that Xiaopeng Automobile has planted on the user's personal information.
On January 11 this year, the Guangdong Provincial Communications Administration reported that Xiaopeng Automobile, as a travel and transportation APP, was found to have three violations of user rights and interests and a safety hazard.
i.e. 1. The first time the App runs without the user reading and agreeing to the privacy policy, behavior monitoring finds that the application, Android ID, MAC address, IMEI, IMSI are retrieved GET_TASK; 2. The purpose, method and scope of the collection and use of personal information by the third-party SDK integrated by the APP are not listed one by one in the public text such as the privacy policy; 3. Each time you click "My Points, My Pengyou Value, Invite Friends earn points", the App collects mac address and IMEI information once. Non-service-necessary and without reasonable use cases, exceeding the minimum frequency necessary to implement the business functionality of the product or service. In addition, the Xiaopeng Auto App also has the security risk problem of interface hijacking security.
It is worth noting that the relevant punishment that occurred on January 11 did not make Xiaopeng realize the importance of users' personal information. After that, Xiaopeng's store also collected personal information for two months. Do you not want to change it, or is what the relevant departments say is not clear enough?
Stealing personal privacy is a low-cost but hugely profitable thing for enterprises. In this regard, in addition to regulation, enterprises are all self-conscious. And we can see that the gap between enterprises and enterprises is still very large.
For example, Tesla, which was exposed in the United States to collect face information in violation of the law, directly turned off the camera that collected face information in the car in the Chinese market.
When the author of this article previously consulted the user privacy agreements of multiple car companies, he found that most new energy car companies choose to desensitize sensitive information such as faces and do not upload them, and the period of behavioral data storage is more than 7-30 days. These car companies are more conservative than the regulations of the Ministry of Industry and Information Technology in terms of user privacy collection.
Only a few businesses are on the verge of breaking the law, even crossing the border.
In the matter of car building, the illegal collection of user information belongs to the end of the line. Building a good car with your heart and doing a good job of what a normal car company should do is more reliable than collecting user information and thinking about how to let users buy a car.