The App personal information specification was introduced, and 10 applications such as WeChat, Pinduoduo, Meituan and Tik Tok were measured for compliance.
Protecting personal information and privacy has become a hot topic in the science and technology circle recently. At the 315 party, cases such as companies illegally collecting face information and cleaning up software stealing information from the elderly were exposed. From the perspective of the regulatory authorities, the protection measures for personal information are also increasing.
Last week, Yang Xiaowei, deputy director of the National Internet Information Office, said at a press conference that the Data Security Law and the Personal Information Protection Law are being stepped up to provide legal protection for data security and personal privacy protection at the legal level.
Yesterday, the State Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration of Market Supervision jointly issued the Provisions on the Scope of Necessary Personal Information for Common Mobile Internet Applications (hereinafter referred to as the Regulations).
, which shall come into force on May 1, 2021.
Does the App have excessive collection of personal information? If the user does not agree to provide unnecessary personal information, the App refuses to provide users with basic functional services? In this regard, Sohu Technology reviewed the privacy policies of the top ten commonly used apps and compared them with the necessary personal information defined in the Regulations.
It should be noted that whether device and log information and Cookie belong to personal information is still controversial. If it is counted as personal information and strictly in accordance with the restrictions in the Regulations, Sohu Technology found that the top ten apps, including iQiyi, Baidu Map, Didi, Alipay, Meituan, Pinduoduo, Taobao, WeChat, QQ and Tik Tok, may need to be rectified. Because in addition to the necessary information mentioned in the Regulations, these apps will also collect users’ device and log information, Cookie and similar data files by default.
Generally speaking, equipment information mainly includes unique equipment identification code, login IP address, equipment model, etc. Log information mainly includes browsing records, retrieval records, access date and time, etc.
Of course, if the above information is not defined as personal information, then the personal information collection of these apps is basically compliant. Some apps have out-of-range information collection, which users can refuse and will only affect additional services.
Iqiyi:
In the "Regulations", the basic functional services of online audio-visual apps are "movies, music search and playback", and the basic functional services can be used without personal information.
In the privacy policy of iQiyi, iQiyi claims that the collection of device information and log information is to provide the most core service content display/play/download service. If the above information and/or permission are refused, the products and services may not be used. Iqiyi also stressed that individual device information, log information, etc. cannot identify the user’s identity information.
Specifically, the device information includes MAC address of the device, unique device identification code, login IP address, device model, device name, device identification, browser type and setting, language setting, operating system and application version, access mode to the network, network quality data, mobile network information (including operator name), product version number, and information related to the location of the device.
In terms of log information, iQiyi will automatically collect users’ personal online records and save them as relevant operation logs and service logs, including browsing records, likes/sharing/comments/interaction records, collection/attention/reservation records, playing records, playing duration, and date and time of visit.
Iqiyi said that Cookie and similar technologies may be used to collect some personal information of users, including their habits of visiting websites, browsing information and login information.
Didi:
In the "Regulations", the basic functional services of online car-hailing apps are "online taxi booking service and cruise taxi calling service", and the necessary personal information includes: 1. Mobile phone number of registered users; 2. The passenger’s departure place, arrival place, location information and whereabouts; 3. Payment information such as payment time, payment amount and payment channel (online booking taxi service).
In Didi’s privacy policy, personal information necessary to complete the above basic functions includes mobile phone number, itinerary information, payment information, location information, order information and transaction status, audio and video recording information, equipment information and log information.
Specifically, users need a mobile phone number and a password to register. If they log in with WeChat, they also need to obtain the OpenID; of WeChat platform. Travel information, including departure place, arrival place, whereabouts track, duration and mileage information; Payment information includes payment tools, payment account risk control information and payment status. If users use Didi Wallet, they need to set payment password, record balance, payment record, cash withdrawal record and bank card number.
In addition, Didi said that in order to improve the product safety capability, the sound information of the in-vehicle environment during the user’s trip will be obtained through software or hardware equipment. Some registered vehicles in the platform may be equipped with in-vehicle video recorders and other equipment, and users may be recorded with video information. Moreover, Didi will collect device information (including device model, operating system version, device settings, MAC address, device identifiers such as IMEI, IDFA and OAID, SIM card IMSI information, SIM card attribution, device environment, mobile application list and other software and hardware feature information) and log information (including browsing records, content retrieval, click to view records, transaction records, IP address browser type, telecom operator, language used, and access date and time).
Alipay:
In the "Regulations", the basic functions of online payment apps are "online payment, cash withdrawal, transfer and other functions", and the necessary personal information includes: 1. Mobile phone number of registered users; 2 registered user name, certificate type and number, certificate validity period, bank card number.
In Alipay’s privacy policy, users need to provide their mobile phone number or email address as account login names. Users also need to provide basic identity information, including name, nationality, gender, occupation, address, contact information, type, number and expiration date of valid identity documents, and color photocopies or photos of valid identity documents.
In the operation of balance payment, it is necessary to record the balance information and transaction information of the payment account; In fast payment, users need to provide the name of the bank, the card number of the bank card, the validity period of the bank card, the name and ID number, and the reserved mobile phone number of the bank; In the transfer operation, if you transfer money to someone else’s Alipay account, you need to enter the payee’s account, payee’s partial name and transfer amount; When transferring money to someone else’s bank card, you need to enter the payee’s name, card number and bank.
When a user makes a purchase, Alipay claims that it will collect the transaction information of the user directly or from merchants, including transaction amount, transaction object, transaction commodity, transaction time and delivery information (if any). If the user does not agree, the transaction may not be completed.
In addition, for security reasons, Alipay claims that it needs to record Alipay service category, mode, equipment brand, equipment model, equipment name, IP address, MAC address, equipment software version information, equipment identification code, equipment identifier, location, network usage habits, equipment-related application information and other log information related to Alipay services. If you don’t agree to record the above information, you may not be able to complete the wind control verification.
Baidu map:
In the "Regulations", the basic function service of map navigation App is "positioning and navigation", and the necessary personal information is: location information, departure place and arrival place.
Through Baidu Map Privacy Policy, we can see that the personal information directly provided by users and automatically collected by App includes: registration information, device information, location information, log information, vehicle information, address book information, calendar information, application list information, and the information beyond the scope is mainly collected for additional services.
For example, in terms of registration information, when registering a Baidu universal account, users need to provide the account name, avatar, secret email address, secret mobile phone, secret security questions, and create a password. Or, log in with a third-party account. Baidu map privacy policy points out that if you don’t log in to Baidu map, it will not prevent users from using the core business functions of location service and search service, but it will affect the use of additional business functions such as error reporting and comment.
Meituan:
In the "Regulations", the basic function service of catering take-away App is "catering purchase and delivery", and the necessary personal information includes: 1. Mobile phone number of registered users; 2. The consignee’s name, address and telephone number; 3. Payment information such as payment time, payment amount and payment channel.
In Meituan’s privacy policy, users need to provide their mobile phone numbers to create accounts, and improve relevant network identification information (such as avatar, nickname and login password, etc.); In terms of payment information, it is necessary to collect the order information, reconciliation information and other necessary information required by law; When it comes to delivery and other services, users need to provide the name, gender, mobile phone number, delivery address, house number, etc. of the consignee.
In addition, Meituan will also collect logs and equipment information. When users use the products/services provided by Meituan, Meituan will collect information such as browsing, searching, clicking, collecting, adding shopping carts, trading, after-sales, paying attention to, sharing and publishing, and save them as relevant web logs, including IP address, browser type, language used, operating system version, date and time of visit, telecom operator, network request, etc.
Meituan will also obtain user’s device information, including device attributes, connection and status information, such as device model, device identifier (IMEI/Android ID/IDFA/OpenUdid/GUID/OAID, SIM card IMSI, ICCID information, etc.), device MAC address, software list, telecom operator and other software and hardware feature information.
Pinduoduo:
In the "Regulations", the basic function service of online shopping apps is "purchasing goods", and the necessary personal information includes: 1. The mobile phone number of registered users; 2. The consignee’s name, address and telephone number; 3. Payment information such as payment time, payment amount and payment channel.
In Pinduoduo’s privacy policy, users need to provide their mobile phone number for registration to complete the basic function of "purchase", and Pinduoduo will collect the user’s equipment information, log information, order information and payment information.
Specifically, device information includes but is not limited to device type, device model, device setting, device identification code, device storage space, operating system and application version, language setting, resolution, and software and hardware feature information. In addition, Pinduoduo may write into the storage space of the devices used by users when accessing the Pinduoduo platform or using Pinduoduo services.
In terms of log information, Pinduoduo said that when users visit the Pinduoduo platform or use services, the system may automatically receive and record information on browsers and computers (including but not limited to IP address, browser type, search records, browsing records, browsing habits, language used, date and time of visit, telecom operators and web records of recording requirements).
The order information includes the name (or name) of the consignee, the receiving address and the telephone number. The order also contains the order number, the information of the goods or services purchased, the time of placing the order, the time of group formation, the actual payment amount and the payment method adopted. As for payment information, users can complete payment through third-party payment institutions, and the payment function itself does not collect personal information. However, Pinduoduo needs to share the user’s order number, transaction amount and transaction information required by other payment institutions selected by users with the payment institutions selected by users.
In addition, Pinduoduo said that users may know their identity and usage habits through cookies, but users can modify their acceptance of cookies or reject cookies from Pinduoduo through their browsers.
Taobao:
"Taobao Privacy Policy" shows that in addition to the telephone number required for member registration, the company will collect information about users’ collections, purchases and purchases, and the location of users to recommend goods and services. For the sake of security, Taobao said that it needs to collect and process the user’s equipment information and log information. In addition, in order to provide preferential information about nearby goods and services, the user’s location information will also be read, but the user can choose to turn it off.
Taobao said that most of the above personal information was provided by users voluntarily, or Taobao obtained it through Cookies, SDK and similar technologies when users used products, and some of it was obtained indirectly from third parties.
Wechat:
In the "Regulations", the basic functional service of instant messaging apps is "providing online instant messaging services such as text, pictures, voice and video". The necessary personal information includes: 1. The mobile phone number of registered users; 2. Account information: account number and account number list of instant messaging contacts.
The Guide to Privacy Protection of WeChat shows that when users register for WeChat service, the information they need to provide includes account information, mobile phone number, device model, operating system, login IP address, search conducted on WeChat, records of viewing operations and other log information. WeChat calls this kind of information "the basic information that must be collected to provide services".
When using functions such as nearby people, shaking, face-to-face group building and nearby applets, WeChat will record the geographical location information after obtaining the user’s consent. If it refuses to provide it, it will not be able to use the above functions. Wechat search, search and take a look also collect search records, reading records, recommendation records and visit times, comments and interaction records.
With the continuous superposition of WeChat functions, in addition to the basic communication functions, WeChat also carries many other needs, which inevitably involves more personal information collection.
QQ:
"Guidelines for QQ Privacy Protection" shows that when users use QQ services, they will collect log information such as device model, operating system, device Mac address, unique device identifier, application ID, login IP address, QQ software version number, access mode, type and status, network quality data, operation log, service log information (such as your browsing history under reading function, service failure information, etc.), which is for providing information.
QQ will collect some sensitive information, such as steps, mobile phone contact information and geographical location information, when users use some functions, but refusing to provide them will make users unable to use related specific functions, but will not affect the use of other QQ functions.
In addition, third-party partners of QQ will use third-party SDK to collect and use users’ personal information. For example, users can share specific content to Sina Weibo, and QQ is connected to Sina Weibo SDK. Third-party partners may collect personal common equipment information and network status. When users use Huawei mobile phones, the mobile phone manufacturer Push SDK accessed by QQ needs to collect the MAC address and unique identification information (such as IMEI) of the mobile phone device, and may collect parameters such as the user’s mobile phone model, system type, system version, network status, etc. for pushing information.
Like WeChat, the user information collected by QQ is also out of scope, but according to the Guidelines, if you refuse to provide relevant information, it will only affect the corresponding functions and will not affect the basic functions.
Tik Tok:
In the "Regulations", the basic function service of short video apps is "video search and play for no more than a certain period of time", and the basic function service can be used without personal information.
Tik Tok Privacy Policy points out that the information provided by users and obtained by automatic means includes account number, identity authentication, log information (click, follow, collect, search, browse and share), release information, address book, geographical location information and equipment information.
However, Tik Tok said, "Based on our cooperation with communication operators, when you use the" one-click login "function of Tik Tok, the operator will send us your mobile phone number with your express consent, so that we can provide you with fast login service. The mobile phone number belongs to personal sensitive information. If you refuse to provide it, you will not be able to register and log in to Tik Tok by "one-click login", but it will not affect your registration and login by other means, nor will it affect the normal use of other functions. "
In addition, Tik Tok said that in order to improve the uploading speed of audio and video, enrich the publishing function and optimize the experience, when users publish audio and video, Tik Tok will temporarily load the audio and video to the server before clicking "Publish" to confirm the uploading. However, users can turn it off in the settings.
To sum up, users’ device information, log information and Cookie are basically collected by default. After entering the App, there is no relevant button to choose to reject the "collected" device and log information; If you want to reject the "collected" Cookie, you need to turn off the relevant permissions in the browser, and you need the browser to support the relevant functions.
For example, in the Regulations, online audio-visual apps can use basic functional services without personal information. In iQiyi’s privacy policy, iQiyi claims that refusing to provide equipment information and log information may lead to the inability to use products and services.
It should be noted that the definition of whether device information, log information, etc. belong to personal information is still vague. Pinduoduo mentioned in his privacy policy that individual device information, log information, search keyword information and other information or data that cannot be directly linked with a specific individual are not personal information or personal sensitive information. However, according to the national standard "Information Security Technology Personal Information Security Specification" implemented in October last year, online records, common equipment information, etc. belong to personal information.
