App over-frequency access permissions are serious, and only 10% promise to provide personal information transfer services

The moment an App is opened it asks for a series of authorizations, and after an explicit refusal it still pops up repeatedly, or even refuses to let you use it; the privacy policy is riddled with errors and hard to read; when you try to follow the privacy policy's instructions for downloading a copy of your personal information, customer service says they don't know what that is... Have you encountered any of these situations without being able to resolve them?

On December 17, the Personal Information Protection Research Center of Southern Metropolis Daily held the "2021 Woodpecker Data Governance Forum" in Beijing. At the meeting, the Nandu Personal Information Protection Research Group released the "Annual Report on Personal Information Security (2021)" (hereinafter the "Report"), which assesses the personal information protection compliance of 150 apps and 10 app stores from four aspects: app privacy policies, permission acquisition, portability, and app store review mechanisms.

None rated highly transparent, and only 5 disclose non-SDK third parties

This year's report selected 150 apps from ten major industries as evaluation samples, five each from the head, middle and tail of each industry. The more transparent a privacy policy, the clearer and more comprehensive its description of how the business collects, uses, stores and protects personal information.

The evaluation results show that "Zhihu" and "Dingdang Fast Medicine" ranked first with 89 points, while "Kuaishou" and "Ctrip" tied for second place, two points behind. Apps with medium or high transparency accounted for 82%, 27 apps received a failing score, and the average scores of the various industries did not differ much.

It is worth noting that the number of apps with high transparency is zero. According to the report's analysis, this is because most apps have not yet implemented the new provisions of the Personal Information Protection Law and therefore lost many points. For example, only 40 apps provide a dedicated privacy policy for minors, and fewer than 10 apps mention the rights of deceased persons.

In November, the Ministry of Industry and Information Technology issued a notice requiring relevant Internet companies to establish, by the end of December, a "list of collected personal information" and a "list of personal information shared with third parties". The review found that 135 of the 150 apps listed their embedded third-party SDKs (software development kits) and disclosed their names, processing purposes, types of personal information collected, and links.

However, the report points out that third-party SDKs are not the only parties with which apps share users' personal information; advertisers and their agencies, affiliates, authorized partners and others are also among them. Yet only five apps, including "Zhihu" and "Vipshop", disclosed some information about such third parties as carriers, payment providers, advertisers and media.

Although problems such as unclear privacy policy wording, plagiarism, and a large gap between the scores of head and tail apps still exist, the average privacy policy transparency score of the 150 apps this year still reached 70.1 points, almost the same as in 2019 even under stricter evaluation standards. This means that the transparency of app privacy policies has improved significantly.

Pop-ups continue after ten refusals, location read more than two thousand times in five minutes

The Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (hereinafter the "Provisions"), issued in March this year, delineate the scope of personal information necessary for the basic functional services of 39 types of apps. Based on the Provisions, the report conducted a compliance assessment of permission access by 150 apps in ten major industries.

The evaluation results show that only three apps, "New Oxygen Medical Beauty", "360 IOUs" and "Xueersi Online School", scored more than 90 points, and the overall average was only 57.9 points. Nearly half of the apps scored between 60 and 70 points, and 60 apps failed, accounting for 40%.

In detail, 89 of the 150 apps tested requested non-essential permissions the first time the user opened the app, involving telephone, location, storage, contacts, camera, microphone and so on, including many head apps such as "DingTalk" and "Grapefruit".

In addition, many apps require users to reject permission requests several times before they can be used normally. For example, 30 apps such as "Excellent Health" and "Gaotu Classroom" still pop up permission requests frequently after the user has explicitly rejected a permission; the storage permission is the one requested again most often.

When "Pink Elephant Life" is opened for the first time, the user has to deny the storage permission pop-up 11 times in a row; on two of those occasions the user selected "Reject and don't ask again" and the prompt still reappeared. The report considers that requesting the same permission repeatedly in succession is a form of "disguised coercion" and does not meet the "explicit consent" required by law.

With technical support from GCC Feitian XinAn Technology Co., Ltd., the report also evaluated how frequently the 150 apps invoked sensitive permissions over a period of time. The results show that high-frequency permission invocation was found in as many as 135 cases.

The most serious case is "Lijing Weather", which called the location permission an average of about 153 times per minute; after being sent to the background, it called the location permission 2,286 times in five minutes.
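As an added illustration, not part of the report or the testing methodology it describes, the check below computes from constructed permission-access log lines the two figures the report quotes for each app and permission: the peak number of calls in a single minute and the largest total over any five-minute window, split by foreground/background. The log format, app names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one record per permission access:
# "<ISO timestamp> <app> <permission> <fg|bg>". Not data from the report.
def constructed_log():
    base = datetime(2021, 12, 1, 10, 0, 0)
    lines = []
    # hypothetical "weather.demo": a location read every 0.5 s in the background for 4 min
    for i in range(480):
        t = base + timedelta(seconds=0.5 * i)
        lines.append(f"{t.isoformat()} weather.demo ACCESS_FINE_LOCATION bg")
    # hypothetical "maps.demo": a location read every 10 s in the foreground for 4 min
    for i in range(24):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} maps.demo ACCESS_FINE_LOCATION fg")
    return lines

def parse_line(line):
    ts, app, perm, state = line.split()
    return datetime.fromisoformat(ts), app, perm, state

def count_by_minute(lines):
    """{(app, permission, state): {minute bucket: number of calls}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, app, perm, state = parse_line(line)
        counts[(app, perm, state)][ts.replace(second=0, microsecond=0)] += 1
    return counts

def summarize(lines, window_minutes=5):
    """Per key: (peak calls in one minute, max total over any window_minutes-minute window)."""
    summary = {}
    for key, buckets in count_by_minute(lines).items():
        peak = max(buckets.values())
        window_total = 0
        for start in buckets:  # windows anchored at each occupied minute suffice
            end = start + timedelta(minutes=window_minutes)
            window_total = max(window_total, sum(c for m, c in buckets.items() if start <= m < end))
        summary[key] = (peak, window_total)
    return summary

def flag_over_frequency(lines, per_minute_limit=10, bg_window_limit=20):
    """Flag any minute above per_minute_limit, or a background 5-minute total above bg_window_limit."""
    flagged = []
    for (app, perm, state), (peak, window_total) in summarize(lines).items():
        if peak > per_minute_limit or (state == "bg" and window_total > bg_window_limit):
            flagged.append((app, perm, state, peak, window_total))
    return sorted(flagged)
```

The thresholds are illustrative; the point is that background access is judged on a window total, since a weather app has little reason to read location at all once it is no longer on screen.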

Many apps' customer service said they did not know what a copy of personal information was

According to Article 45 of the Personal Information Protection Law, individuals have the right to access and copy their personal information held by personal information processors, and also the right to request that their personal information be transferred to a personal information processor they designate. Following the EU's General Data Protection Regulation, the report refers to this in short as the "right to portability".

The report also looked at whether apps provide copies of personal information and commit to portability. Of the 150 apps, 57 (38%) state that users can request a copy of their personal information. By the end of the evaluation, copies of personal information had been received from only 14 apps, and the vast majority of their content was information the user had supplied plus device information, such as user ID, nickname, registered mobile phone number and registration time.

Apps gave different answers as to what constitutes a copy of personal information. For example, "Xueersi Online School" and "Zebra App" said that the way to obtain a copy of personal information is for the user to take a screenshot themselves; the customer service of many apps said bluntly, "I don't know what a copy of personal information is." There were also many apps that did state how to obtain one.

Some apps also set identity-verification thresholds that require users to provide information beyond the personal information supplied at registration. For example, "Dingdang Fast Medicine" requires users to submit a payment voucher from the mobile carrier's business hall and a photo of themselves holding their ID card, and, for transferring personal information, the recipient's personal identity certificate, proof that the recipient is willing to receive the personal information, and the receiving method.

The report pointed out that only 15 of the 150 apps promised to provide personal information transfer services, and these generally required users to provide information such as the receiving method and interface of the other app. However, none of the apps explicitly told users how to obtain this information, which, according to the report, further increases the difficulty of exercising the right to portability.

All app stores lose points on the privacy policy link

To understand the compliance status of app store review mechanisms, the report evaluated ten major app stores: OPPO Software Store, Huawei AppGallery, 360 Mobile Assistant, Xiaomi App Store, vivo App Store, Tencent App Bao, Baidu Mobile Assistant, PP Assistant, Pea Pod, and Samsung App Store.

The results show that OPPO Software Store, Huawei AppGallery and 360 Mobile Assistant ranked in the top three with 82.4, 79.1 and 70 points respectively, while PP Assistant, Samsung App Store and Pea Pod received failing scores. The overall average score is below 60.

The report pointed out that a common finding of the review is that all 10 app stores have problems with privacy policy links, including not providing a privacy policy link, privacy policy links that cannot be opened, and privacy policy versions that are inconsistent with the app's own.

For example, OPPO Software Store has seven app listing pages without privacy policy links, including well-known apps such as "Excellent Health" and "Huayitong"; in the vivo App Store, the privacy policy link on the "Ctrip Travel" listing page points to a privacy design document rather than a privacy policy; and in the Xiaomi App Store, the privacy policies shown on the listing pages of nine apps are inconsistent with the in-app version.

It is worth noting that when displaying the list of permissions an app will obtain, the vast majority of app stores use the system's default wording, such as "Allow the app to...". Only the permission details page of the Xiaomi App Store allows app developers to change the stated purpose of obtaining a permission.

For example, "Dolphin Offer - Shopping Rebate Platform" modified the stated purpose of four permissions on its store listing page (location, phone information, camera and recording); the purpose given for obtaining phone information, for instance, is to "prevent lawbreakers from using the software to violate laws and regulations".

The report believes that the system's default permission description is usually a generic one that cannot accurately reflect the purpose of each app's permission request. Allowing app developers to modify it can make it clearer to users why the app needs the permission, which helps protect users' right to know.

Producer: Nandu Personal Information Protection Research Center

Written by: Nandu trainee reporter Fan Wenyang, reporter Sun Chao
