How can identity verification be compliant? Experts recommend strong authentication for high risk and weak authentication for low risk

At a time when vicious online incidents such as telecommunications network fraud, infringement of the legitimate rights and interests of minors, and online violence are frequent, it has become a general trend to build a cyberspace governance system based on the real-name system. In order to strengthen the national Internet security governance and effectively protect the rights and interests of users, each platform has put forward higher requirements for the identity authentication and verification of users.

Recently, the CCIA Data Security Working Committee held a symposium to discuss how to balance identity verification against the principle of minimizing personal information in the course of governance support and security risk control. Some experts attending the meeting pointed out that real-name authentication essentially protects the rights and interests of users at the cost of users handing over some of their privacy, which places it in a "gray area", and that completing this process of online ecosystem governance requires all parties to work together.

1

The strength of real-name authentication is determined by the level of risk

In recent years, in order to achieve security risk control and protect the public interest, laws and regulations such as the Anti-Telecommunications Network Fraud Law of the People's Republic of China and the Provisions on the Administration of Internet User Account Name Information have successively been put out for public comment. They propose raising the accuracy and real-time requirements for real-name authentication and verification of user account identities on Internet platforms, and taking measures such as re-verification, restricting functions, and suspending services for abnormal accounts identified through monitoring.

Before that, the first question that needs to be answered is: what do identity authentication and identity verification refer to? What is the difference between the two?

Participating experts pointed out that identity authentication refers to the authentication carried out when a person's identity is first established, which may include ID card number, face recognition and so on; the checks carried out after that are called identity verification, and the personal information collected for them should generally not exceed what was collected at the authentication stage. Therefore, in the course of using the service, identity verification does not lead to excessive collection of personal information, but may "overly disturb the user".

In addition, the levels of identity verification also differ. According to experts, current identity verification roughly comprises three methods. The first is the weakest, non-real-name authentication, such as the simple accounts and passwords set up in the early Internet era; the second is authentication through mobile phone numbers and verification codes; and the third is the use of third-party platforms such as WeChat and Alipay to log in and verify.

Speaking of the specific application scenarios of identity verification, a corporate legal counsel stressed that, taking the game industry as an example, it must carry out strong real-name authentication for users, that is, verify the user's name and ID card number; mobile phone numbers, as a weak verification means, are not included. To meet the actual business need of protecting minors and to prevent minors from fraudulently using their parents' identities to log in to accounts, many Internet companies take the initiative to add live verification steps such as mobile phone numbers and face recognition.

The Law on the Protection of Minors, which came into effect in June last year, stipulates that online service providers such as online games, online live broadcasts, online audio and video, and online social networking shall set up corresponding functions such as time management, authority management, and consumption management for minors' use of their services.

However, some experts at the meeting said bluntly that in practice, Internet companies face multiple difficulties in achieving the above compliance.

She pointed out that at present, the state only provides a unified identity authentication system for the online game industry, and other industries do not have similar "interfaces". If enterprises find alternative channels on their own, the cost and risk are higher, and the effect cannot be guaranteed. Therefore, live broadcasting, short video and other industries need only a mobile phone number to complete registration, and whether to turn on teen mode is left to the user. This means that most of the problem of minors' Internet addiction can only be addressed mainly through parental supervision and personal self-discipline, without external compulsion.

Many experts believe that if the supporting resources used to implement the requirements of laws and regulations cannot be guaranteed, and enterprises lack a relatively secure and stable identity authentication "interface" and the ability to handle a large number of users' sensitive personal information, then the widespread implementation of real-name authentication, including face recognition, may lead to serious information flooding and leakage problems.

For example, at present, many small platforms do "fake identity verification": they only collect the information, or only perform logical verification, and do not verify the authenticity of the collected ID number or bank card number by calling authoritative third-party resources.

It is worth mentioning that, on balancing the strength of real-name authentication against business needs, a corporate legal counsel pointed out that real-name authentication on the Internet follows the basic principle of strong authentication for high risk and weak authentication for low risk. As an example, she explained that if you sell a plush toy and are asked to scan your face, the strength of the identity authentication does not match the size of the risk; if you sell a token that is considered to carry a risk of virtual currency speculation, it is reasonable to be required to carry out strong authentication such as a face scan.

2

Real-name authentication is ecosystem governance that requires the joint efforts of all parties

In the process of verifying identity, users may face the dilemma of failing verification and being unable to use the service. Participating experts pointed out that users are more worried about the excessive collection of personal information, so acceptance of real-name authentication methods such as face recognition is not high, and the number of related complaints is relatively large. So, how can the compliance and performance of the identity verification process be balanced and user acceptance improved?

Some experts at the meeting suggested that for users who have not passed real-name authentication or have not logged in with real information, repeated notification can be adopted. First inform the user of the reasons they need to verify their identity again, such as the user's real-name authentication obligations under laws and regulations, and emphasize that the account is facing a high risk and that security needs to be considered; then inform the user of the serious consequences that may result from not accepting these requirements.

In addition, for the case of "if you do not pass, you cannot use the service", the enterprise should provide corresponding relief channels. When the use of a user account is restricted, multiple verification opportunities should be provided, alternative verification methods of the same strength should be offered, and manual appeal channels should be established.

Since the full implementation of the real-name system in the mainland, the contradictions exposed by identity verification have become a major problem in Internet governance. An in-house counsel pointed out at the meeting that the essence of real-name authentication is to achieve a one-to-one mapping between individuals represented by numbers in the network and individuals in the real world, so as to control their behavior in the virtual world, so that the legal responsibilities that netizens should bear carry over from the real world to the virtual world.

In fact, users' concerns about the leakage of personal information during the real-name authentication process are not unfounded. One expert at the meeting admitted that in its essence, real-name authentication requires users to ensure the security of their accounts or their identity at the cost of transferring some personal information.

Therefore, some legal personnel pointed out that enterprises should minimize the degree of privacy infringement on users as much as possible, maximize the benefits of protecting legitimate rights and interests, and balance the advantages and disadvantages of real-name authentication, which is the combined effect that joint governance by all parties needs to achieve. He said that Internet real-name authentication is an ecosystem governance process, and that Internet service providers, basic telecom operators and mobile intelligent terminal system manufacturers should all join in the governance of real-name authentication.

"Don't think that real-name authentication is a black and white thing; it is actually a 'gray area' between infringing personal information and protecting rights and interests. If you want to stay in the most appropriate position, you need all parties to work together, and you can't rely on any one party, such as Internet service providers, alone," he said.

Written by: Fan Wenyang, trainee reporter of Nandu, and Jiang Lin, reporter
