
Illustrated | The personal information sharing network behind precise pushes

In the mobile Internet era, one question keeps being raised: are apps eavesdropping on their users?

On multiple social platforms, netizens have told similar stories: shortly after talking with a friend about some product, they open their phone and a shopping app or social app shows related ads.

In fact, precise pushes are usually achieved with big data and push algorithms rather than eavesdropping. Personal information such as records, geographic location and friend relationships travels through the app sharing network, and companies use this information together with specific algorithms to build an enormous user-profiling system. He Yanzhe, deputy director of the Evaluation Laboratory of the Network Security Center of the China Electronics Technology Standardization Institute, believes that the cost of app eavesdropping is high and the legal risk large, and that companies' ability to push precisely comes from users' personal information shared between apps.

This personal information touches on user privacy, and relevant laws and regulations have been introduced. On March 1, 2022, the Provisions on the Recommendation and Administration of Internet Information Service Algorithms, jointly issued by the Cyberspace Administration of China and four other departments, took effect, targeting algorithmic abuses such as "big data killing" (price discrimination against repeat customers), inducing users into Internet addiction, and manipulating rankings. On November 1 last year, the Personal Information Protection Law came into effect, and on the same day the Ministry of Industry and Information Technology issued a notice requiring 39 Internet companies to establish a "double list" for personal information protection, that is, a "list of personal information collected" and a "list of personal information shared with third parties"; it required 52 apps from the 39 companies, including Tencent and Alibaba, to display the basic details of user personal information shared with third parties in the app's second-level menu.

We combed through the third-party sharing lists of the Android versions of these apps, trying to sketch this complex sharing network.


Personal information sharing network: 39 companies vs. more than 200 companies

"I suspect the phone is peeking at our chat history," netizen Xiao Zhou said with conviction. She had just finished talking with a friend about a shower gel on a social app, and the app pushed her the corresponding advertisement. A more likely path to that precise push, however, is that Xiao Zhou's friend had previously searched for the shower gel on a shopping platform; the search records, friend relationships, device identifiers and other personal information flowed and were matched across the sharing network of the social app and the shopping platform, and finally the algorithm told the company that Xiao Zhou was also likely to be interested in the shower gel.

Driven by the "double list", the personal information sharing network has gradually come into public view. Most of the apps examined have a "List of Personal Information Shared with Third Parties" entry in a second-level menu of the interface, which tells users the basics of the sharing: the types of personal information shared with third parties, the purpose of use, and so on. Companies obtain user consent through privacy policies, registration pages and the like; some encrypt and de-identify the shared information, while others leave the shared information for the third party to process itself.

Judging from the third-party sharing lists now published by the 52 apps, the flow of users' personal information is complex and involves every aspect of a modern person's life in the mobile Internet era: apps, handset manufacturers and carriers. More than 200 companies are third parties to the 52 apps, led by Internet companies such as Tencent and Alibaba, followed by handset manufacturers such as Xiaomi and OPPO, and advertising, marketing and data-analytics companies such as Youmeng (Umeng) and Pangolin (Pangle).

It should be noted that the level of detail varies between the third-party sharing lists published by different apps, and most of the apps examined do not publish a complete list of advertisers and their agencies, affiliates, authorized partners and so on.


Overly precise ad pushes make users worry about privacy leaks, and implementing the "double list" and the algorithmic recommendation regulations helps to open the "algorithm black box". He Yanzhe said that building a "double list" has made the collection and sharing of personal information more transparent. Meng Jie, a partner at Global Law Firm, added that the most direct role of the third-party sharing list is to protect users' rights: users can understand more directly and conveniently how their personal information is used and shared by companies, and it also makes it easier for the public and regulators to oversee and manage Internet products.

The digital ID: the "device identifier" is among the most frequently shared personal information

In the personal information sharing network, the mobile phone is the key medium for "targeting" users and quantifying their behaviour. An individual's clicks, searches, purchases, walking routes and so on are all turned into data and fed into the algorithm system.

To use this data for precise ad pushes, identifying the user is the key. Each phone carries a unique device identifier that plays an important role; the device identifier family includes the IMEI, Android ID, IDFA, MAC address and others, and together they form the user's "digital ID". In this evaluation, the device identifier was among the most frequently shared personal information: companies collect and share device identifiers, usage behaviour and other personal information, and the algorithm system "calculates" the user's living habits, consumption behaviour and other characteristics to build a personal profile of the user.

This is common practice among Internet companies. Yang Zhengjun of the China Academy of Information and Communications Technology and co-authors noted in "Research and Response Suggestions on the Identification of Internet Advertisements" that the Internet advertising industry chain involves multiple parties, from apps and smart TVs to third-party monitoring platforms, data platforms and automated trading platforms.
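The sections above mention that some companies "encrypt and de-identify" shared information and that the device identifier family (IMEI, Android ID, IDFA, MAC address) is the most frequently shared item. The following is an added example, not code from the article or from any of the companies it names, showing what a sharing gate that takes de-identification seriously looks like: each outgoing record is restricted to the fields declared for that partner, and identifiers are replaced by a keyed HMAC pseudonym that differs per partner. The device values, partner names and key are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Constructed sample device record; every value here is made up.
RAW_DEVICE: Dict[str, str] = {
    "imei": "490154203237518",
    "android_id": "9774d56d682e549c",
    "mac": "02:00:00:00:00:01",
    "city": "Shanghai",
    "last_search": "shower gel",
}

# The identifier family named in the article. These must never leave the app
# in raw form; they are replaced by a keyed pseudonym before sharing.
IDENTIFIER_FIELDS = ("imei", "android_id", "idfa", "mac")


def pseudonymize(identifier: str, partner: str, secret: bytes) -> str:
    """Keyed HMAC-SHA256 over (partner, identifier).

    The partner name is mixed into the message, so the same device gets a
    different token for each third party: two recipients cannot join their
    datasets on a shared identifier. Without the secret key a recipient cannot
    recompute the token from candidate identifiers, which an unkeyed hash of a
    15-digit IMEI would allow.
    """
    message = partner.encode() + b"\x00" + identifier.encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_shared_record(device: Dict[str, str], partner: str, secret: bytes,
                        declared_fields: Iterable[str]) -> Dict[str, str]:
    """Assemble the record sent to `partner`.

    Only fields on the partner's declared sharing list are copied (the
    "minimum necessity" allow-list), and identifier fields are pseudonymized.
    """
    record: Dict[str, str] = {}
    for field in declared_fields:
        if field not in device:
            continue  # declared but not present on this device (e.g. idfa on Android)
        if field in IDENTIFIER_FIELDS:
            record[field] = pseudonymize(device[field], partner, secret)
        else:
            record[field] = device[field]
    return record


def leaks_raw_identifier(record: Dict[str, str], device: Dict[str, str]) -> bool:
    """Final check before sending: does any raw identifier value appear in the record?"""
    raw_values = {device[f] for f in IDENTIFIER_FIELDS if f in device}
    return any(value in raw_values for value in record.values())


if __name__ == "__main__":
    # Hypothetical key; in practice a random key kept server-side, never shipped in the app.
    secret = b"example-secret-not-for-production"
    to_ad_platform = build_shared_record(RAW_DEVICE, "ad-platform-A", secret,
                                         ["imei", "android_id", "city"])
    to_analytics = build_shared_record(RAW_DEVICE, "analytics-B", secret, ["imei"])
    print(to_ad_platform)
    print("same device, different tokens:", to_ad_platform["imei"] != to_analytics["imei"])
    print("raw identifier leaked:", leaks_raw_identifier(to_ad_platform, RAW_DEVICE))
```

The design point is the key: an unkeyed SHA-256 of an IMEI is not de-identification, because the identifier space is small enough for a recipient to rebuild the mapping, whereas a keyed token can only be produced by whoever holds the secret. Mixing the partner name into the message is what stops two recipients on the sharing list from linking their records on a common token.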


For now, the lists above sketch only a vague and vast sharing system, and some companies do not actually list all the third parties with whom they share personal information: DingTalk's third-party sharing list, for example, says only that its third-party partners are more than 100 third-party service providers such as Shanghai Xiangyan Technology Co., Ltd., while Century Jiayuan lists all of its offline direct-sale stores and authorized offline affiliate stores.

"Companies share personal information with a large number of third parties, and many types of personal information are involved; without systematic sorting in the early stage the workload is heavy, and the cooperation agreements between the two sides often do not clearly stipulate the specific rules for information sharing," Meng Jie said, explaining why companies find it hard to publish a complete list of third parties. She believes that companies with a large user base and a large volume of personal information processing should implement and build the "double list" as soon as possible in accordance with the requirements of the Ministry of Industry and Information Technology, and can devise more scientific and effective models for how to operate it.

The picture shows some of the affiliate stores disclosed in the third-party sharing list of the Century Jiayuan app.

The SDKs hidden behind the app

If the mobile phone is the medium and the device identifier the anchor, then the important "rope" connecting the two is the third-party SDK (software development kit).

Different third-party SDKs let apps invoke various functions, including message push, mobile payment, third-party login and map location. For example, paying with Alipay while shopping on Kuaishou requires calling the Alipay SDK; sending or sharing a location in DingTalk, or using AutoNavi Maps when clocking in, requires calling the AutoNavi Maps SDK. To provide these functions, the Alipay SDK collects the user's device identifier, payment amount and so on, and the AutoNavi Maps SDK collects the user's device identifier, location information and so on.

They are present in virtually all apps, yet little known to the general public. Take the third-party sharing list published by Himalaya: the advertising SDKs it lists share more than 30 items of user information, which means that when a user uses the Himalaya app, personal information such as the device identifier and geographic location is shared with advertising and marketing platforms such as Guangdiantong and Pangolin.


Even as the "double list" is implemented, companies' road to compliance for third-party SDKs remains uneven: how to judge whether a third-party SDK's collection of personal information complies with the "minimum necessity" principle? Do the amount, scenarios and frequency of personal information collected by the third-party SDK match the description in the sharing list? How to clarify the relationship between the app and the SDK and assign primary responsibility?

Recently, the Information and Communications Administration of the Ministry of Industry and Information Technology published a list of apps (SDKs) that infringe on users' rights and interests; 13 third-party SDKs were included for illegally collecting personal information.

He Yanzhe believes that defining whether a third-party SDK's collection of personal information complies with the "minimum necessity" principle still requires clearer and unambiguous provisions; in addition, users should be given control or a remedy, namely the right to withdraw consent after having agreed to a third-party SDK sharing their personal information.

"At present, app developers can only understand an SDK through its privacy policy, and they lack the technical means, detection approaches and motivation to test the integrated third-party SDK to find out whether its actual personal information collection behaviour is consistent with the description in the privacy policy," Peng Gen, general manager of Beijing Hanhua Feitian Xinan Technology Co., Ltd., wrote in an article.
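The compliance questions raised above (does what an SDK actually collects match the sharing list in type, scenario and frequency?) and Peng Gen's point that developers lack a detection approach both come down to diffing declared against observed behaviour. The following is an added example, not code from the article or from any company it names, of that diff: a constructed sharing list in the shape of the "list of personal information shared with third parties" is compared against constructed log lines of the kind an instrumented test build of an app could emit when an SDK reads a data type. The log line format, the SDK names and the events are assumed for illustration; the Android API names in the lines are real, the reads are invented.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sharing list: SDK name -> declared purpose and data types.
DECLARED_SHARING_LIST: Dict[str, Dict[str, object]] = {
    "AdSDK": {"purpose": "advertising", "data": {"device_identifier", "location"}},
    "PaySDK": {"purpose": "payment", "data": {"device_identifier", "payment_amount"}},
}

# Constructed log lines from a hypothetical instrumented build. The format
# "<ts> <sdk> read <data_type> via <api>" is an assumption of this example.
OBSERVED_LOG = """\
1000 AdSDK read device_identifier via TelephonyManager.getImei
1001 AdSDK read location via LocationManager.getLastKnownLocation
1002 AdSDK read contacts via ContactsContract.Contacts
1003 AdSDK read location via LocationManager.getLastKnownLocation
1004 AdSDK read location via LocationManager.getLastKnownLocation
1005 AdSDK read location via LocationManager.getLastKnownLocation
1006 AdSDK read location via LocationManager.getLastKnownLocation
1100 PaySDK read device_identifier via Settings.Secure.ANDROID_ID
1101 PaySDK read payment_amount via App.checkout
1200 StatsSDK read device_identifier via TelephonyManager.getImei
"""


class Event(NamedTuple):
    ts: int
    sdk: str
    data_type: str
    api: str


LINE_RE = re.compile(r"^(\d+) (\S+) read (\S+) via (\S+)$")


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; an unparseable line is an error, not silently skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, sdk, data_type, api = match.groups()
        events.append(Event(int(ts), sdk, data_type, api))
    return events


def audit(declared: Dict[str, Dict[str, object]], events: List[Event],
          max_reads_per_type: int = 3) -> Dict[str, object]:
    """Compare observed SDK reads with the declared sharing list.

    Reports three kinds of mismatch:
      undeclared  - a listed SDK read a data type its entry does not declare
      unknown_sdks - reads by an SDK that is absent from the list entirely
      excessive   - a listed SDK read one data type more often than the
                    threshold, a crude proxy for the "frequency" question
    """
    undeclared: Dict[str, Set[str]] = {}
    unknown_sdks: Set[str] = set()
    for event in events:
        if event.sdk not in declared:
            unknown_sdks.add(event.sdk)
        elif event.data_type not in declared[event.sdk]["data"]:
            undeclared.setdefault(event.sdk, set()).add(event.data_type)
    reads: Counter = Counter((e.sdk, e.data_type) for e in events)
    excessive: Dict[Tuple[str, str], int] = {
        key: n for key, n in reads.items()
        if key[0] in declared and n > max_reads_per_type
    }
    return {"undeclared": undeclared, "unknown_sdks": unknown_sdks, "excessive": excessive}


if __name__ == "__main__":
    report = audit(DECLARED_SHARING_LIST, parse_log(OBSERVED_LOG))
    for kind, findings in report.items():
        print(f"{kind}: {findings}")
```

On the constructed input the audit flags the contacts read by the advertising SDK as undeclared, the statistics SDK as missing from the list altogether, and five location reads as exceeding the threshold; the threshold is a tunable stand-in for whatever frequency the sharing list or privacy policy actually promises.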
