The Cyberspace Administration of China proposes to stipulate that app stores need to be filed locally and should prevent data fraud

On 5 January, the State Internet Information Office (SAC) issued the Provisions on the Administration of Information Services for Mobile Internet Applications (Draft for Solicitation of Comments) (hereinafter referred to as the "Draft for Comments"), revising the version that came into effect on 1 August 2016 and soliciting comments from the public, with a deadline of 20 January.

The Nandu Privacy Guard noted that the Draft for Comments has been extensively refined and revised on the basis of the 2016 version, not only setting up dedicated chapters for application providers and application distribution platforms, but also adding new provisions on current hot topics such as application providers creating false traffic and fulfilling the obligation to protect minors online.

Some experts said that the draft for comments is more detailed and more operable than the old version, but that perhaps other objects of regulation should also be included; and the difficulty in implementing the provisions on rectifying induced downloads and traffic fraud is that the application distribution market needs to grasp the scope and extent of the review work.

1

Mini programs and browser plug-ins are brought within the scope of supervision

The Draft for Comments has been extensively refined and revised on the basis of the 2016 version. The 2016 edition contains only eleven articles in total and is not divided into chapters. The Draft for Comments sets up dedicated chapters for application providers and application distribution platforms, and adds new provisions on hot topics such as application providers creating false traffic, fulfilling the obligation to protect minors online, and risk reporting systems for applications.

It is worth noting that the application distribution platforms covered by the draft for comments include not only app stores but also other types of platforms providing distribution services, such as fast applications, Internet mini programs, and browser plug-ins.

Ma Ce, co-founder of Zhejiang Kenting Law Firm, believes that compared with the previous version, the provisions in the draft for comments are more detailed and more operable. Wu Shenkuo, assistant dean of the Internet Development Research Institute of Beijing Normal University and deputy director of the Internet Society Research Center of China, also said that the draft for comments is "not only a summary of previous experience in law enforcement and supervision, but also a comprehensive response to the demands of the industry and the public."

However, Ma Ce also pointed out that there are some limitations in the draft for comments. For example, it covers only application distribution markets that provide distribution services through the Internet, but in practice a large number of applications are not distributed through the Internet and are instead pre-installed on devices such as smart hardware. "Now the shipment of mobile phones is very high, this market is very large, but I think [the draft for comments] does not include it."

2

Clarifying the cybersecurity vulnerability reporting mechanism

In December last year, the Ministry of Industry and Information Technology issued a notice saying that Alibaba Cloud had recently found remote code execution vulnerabilities in the Apache Log4j2 component (an open source logging framework based on the Java language), which may lead to remote control of devices and, in turn, to serious harms such as sensitive information theft and device service interruption.

Alibaba Cloud then made a public response to the matter, saying that it did not share vulnerability information in a timely manner because it did not realize the seriousness of the vulnerability in the early stage, and promised to strengthen the management of vulnerability reports, improve compliance awareness, and actively cooperate with all parties to prevent network security risks.

The Draft for Comments stipulates that applications should comply with the mandatory requirements of national standards related to cybersecurity. When an application provider discovers that there are security defects, vulnerabilities, or other risks in its application, it shall immediately take remedial measures, promptly inform users in accordance with regulations, and report to the relevant competent departments.

This provision inherits the relevant provisions of China's laws and regulations on the practices that enterprises should take when discovering network security vulnerabilities. Article 25 of the Cybersecurity Law, which came into effect in 2017, stipulates that when an incident endangering network security occurs, network operators shall immediately activate an emergency response plan, take corresponding remedial measures, and report to the relevant competent departments in accordance with regulations.

Specifically, the Provisions on the Administration of Security Vulnerabilities in Network Products, which came into effect in September this year, clearly stipulate that network product providers shall submit relevant vulnerability information to the Network Security Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology within two days, including the name, model, version of the product with network product security vulnerabilities, as well as the technical characteristics, hazards and scope of impact of the vulnerabilities.

3

Solving traffic fraud requires getting the scope of review right

According to the Nandu Privacy Guard, the Ministry of Industry and Information Technology has repeatedly reported that many application distribution platforms have problems such as insufficient disclosure of app information, lax review before listing, incomplete clean-up of existing problems, inaccurate registration and verification of information on app developers and operators, and misleading users into downloading.

The Draft for Comments puts forward requirements on two fronts, providers' own conduct and platform supervision: application providers shall standardize their operation and management, must not use false publicity, bundled downloads, or similar practices, or illegal and harmful information, to induce users to download, and must not use automated or manual means to manipulate rankings, inflate volumes, or control reviews in order to create false traffic; application distribution platforms shall establish application monitoring and evaluation mechanisms, improve technical capabilities and management efficiency, resolutely crack down on the online black and gray market, prevent fraud in data such as download volumes and evaluation indicators, and must not use fabricated downloads, fabricated reviews, or similar means to carry out false publicity.

In fact, regulatory action has been ongoing in recent years. In April last year, Zhao Zhiguo, spokesman for the Ministry of Industry and Information Technology and director of the Information and Communications Administration, said that it would step up the rectification of problems such as utility and communications apps deceiving and inducing users to download; in May, Sheng Ronghua, deputy director of the State Internet Information Office, emphasized cracking down on online trolls, traffic fraud, black public relations, and algorithm abuse; in December, the Central Cyberspace Administration proposed to focus on platform links such as app stores and mini programs, and to rectify the problem of fabricated read counts and comments.

Why has the problem of traffic fraud remained difficult to solve despite continuous remediation measures? According to Ma Ce's analysis, there are still some "old problems" in implementing this provision: for the application distribution market as an Internet information service provider, the regulatory scale, such as the scope and extent of the review work, is still difficult to define.

"According to the draft opinion, the review of the application market has become a substantial regulatory requirement, and once there is a problem with the application, will the application market bear corresponding responsibility?" Ma Ce pointed out that in current judicial practice, Internet information service providers often adopt a more neutral after-the-fact disposal system: "Internet information service providers have no obligation to review the compliance status of in-app information in advance, but if someone reports or is punished by supervision afterwards, the application market must cooperate with the handling."

In Wu Shenkuo's view, the implementation of the regulations requires special attention to the allocation of automated and ecological regulatory tools and methods, and it is necessary to reduce the cost of supervision by innovating the complaint and reporting mechanism, improving the level of social supervision, enhancing the willingness of various entities such as platforms to take the initiative to govern, and improving the direction and pertinence of supervision.

4

More detailed filing requirements mean easier implementation

In the 2016 version, the filing requirements for app stores are "to engage in Internet app store services, and should also file a record with the Internet Information Office of the province, autonomous region, or municipality directly under the Central Government within 30 days of the business going online and operating."

The difference is that the Draft for Comments stipulates that when an application distribution platform files with the Internet Information Office of the province, autonomous region, or municipality directly under the Central Government within 30 days of its business going online, it needs to submit five types of materials, including the basic situation of the platform operating entity, the commercial Internet information service license obtained by the platform, or the filing of non-commercial Internet information services.

In Ma Ce's view, filing has long been required in practice, and it is worth noting that, while refining the filing requirements, the Draft for Comments has also added a requirement for the Cyberspace Administration of China to disclose to the public the list of platforms that have fulfilled the filing procedures.

"There was no such channel to inquire before," he told the Nandu Privacy Guard. "This shows that the filing system may enter a substantive orbit next. The previous provisions were more formal, and I think the detailed filing requirements in the revised draft will be easier to implement."

In addition, Ma Ce also pointed out that the materials required for filing in the draft for comments are more conventional and necessary information, which will not cause the platform to bear too much pressure in the process. "The core purpose of the filing system is to let regulators understand the types and numbers of application markets through filing, so that they can better achieve governance through them."

Wu Shenkuo further pointed out that the purpose of this filing mechanism design is to clarify the rights, obligations and responsibilities of each role in the business ecology, to achieve effective traceability and process control in this way, to strengthen the regulatory thinking of in-depth governance by improving the responsibility level and responsibility requirements of the subject, and to avoid the emergence of a chain of large-scale risk transmission.

Written by: Nandu trainee reporter Fan Wenyang
