Interpretation of the special rectification of APP infringement on user rights

By Todd Kuhns, last updated on Nov 6, 2019

Release date: 2019-11-06

Source: Information and Communications Administration

1. Background of the rectification work

At present, the problems of APPs illegally collecting personal information, requesting excessive permissions, frequently harassing users, and infringing on users’ rights and interests are prominent, and the public has responded strongly. The Ministry of Industry and Information Technology attaches great importance to protecting the rights of APP users, consistently implements a people-centered development philosophy, resolutely puts the interests of the public first, and continuously improves the APP governance system and its APP governance capability. The special rectification action against APPs infringing on users’ rights and interests organized by the Ministry consolidates and deepens the results of the earlier special governance action, carried out by four ministries and commissions, against the collection and use of personal information in violation of laws and regulations. Within the rectification work system, the initiative focuses on solving the problems the public cares about most.

2. Main methods of rectification work

The Ministry’s special rectification of APP infringement of users’ rights and interests is problem-oriented: it focuses on the infringements of users’ rights and interests that the public and society have reported most strongly, and concentrates supervision, inspection, regulation and rectification on eight categories of issues that users care about. On the one hand, APP service providers and APP distribution service providers are required to conduct self-inspection and self-correction and to rectify problems in a timely manner; on the other hand, technical management is combined with the comprehensive use of technical detection and inspection, social supervision, user and expert evaluation and other means, giving full play to the role of third-party institutions, the media and users in supervising the government’s work, so as to build a comprehensive supervision system of government management, social collaboration, public participation, media supervision, industry self-regulation and technological support.

3. Legal basis for rectification work

The special rectification work is carried out under laws, regulations and regulatory documents including the “Network Security Law”, the “Telecommunications Regulations”, the “Several Provisions Regulating the Order of the Internet Information Service Market”, the “Telecommunications and Internet User Personal Information Protection Provisions” and the “Interim Provisions on the Provisioning and Distribution Management of Mobile Intelligent Terminal Application Software”.

4. The main object of the rectification work

This special rectification work mainly targets two types of subjects. The first is APP service providers. The second is APP distribution service providers, which include application stores, websites, application software with distribution functions, and the business halls of basic telecommunications enterprises that distribute APPs.

5. Key contents of rectification work

The focus of this special rectification work is to check for eight categories of key issues that the public has reported most strongly and that are of high social concern.

Regarding the collection of personal information of users in violation of regulations, the focus is on supervision, inspection and rectification of issues such as the private collection of personal information and the collection of personal information beyond the scope.

Regarding the illegal use of personal information of users, the focus is on supervision, inspection, and rectification of issues such as privately sharing to third parties and forcing users to use targeted push functions.

Regarding unreasonable requests for user permissions, the focus is on supervision, inspection and standardization of the problems of refusing use when permission is denied, frequently applying for permissions, and excessively requesting permissions.

Regarding obstacles to user account cancellation, the focus is on supervising and standardizing the problem of account cancellation being difficult.

APP distribution service providers shall implement the relevant requirements of the “Interim Provisions on the Provisioning and Distribution Management of Mobile Intelligent Terminal Application Software” (Ministry of Industry and Information Technology Administration [2016] No. 407) and organize a comprehensive inspection of the APPs they distribute. They shall supervise the rectification of application software found to have problems, and organize the removal of those that refuse to make corrections.

6. What are the disposal measures?

APPs found to have problems will be dealt with in accordance with laws and regulations. Specific measures include ordering rectification, making public announcements, organizing the delisting of the APP, stopping the APP’s access services, and entering subjects that receive administrative penalties into the list of bad telecommunications business operations or the dishonesty list. APP subjects with prominent problems, serious violations of laws and regulations, or refusal to rectify will be dealt with strictly. The Ministry of Industry and Information Technology will also take this special action as an opportunity to promote the introduction of relevant regulations, laying the foundation for standardized industry management and a long-term mechanism.

Attachment: Typical scenarios focusing on standardizing eight types of problems.docx

Typical scenarios focusing on standardizing eight types of problems:

I. Collection of personal information of users in violation of regulations

(1) “Private Collection of Personal Information”

That is, the APP collects the user’s personal information without explicitly informing the user of the purpose, method and scope of collecting and using it and without obtaining the user’s consent.

Typical scenario 1: While the APP is running, there is no step in which the user is explicitly informed and asked for consent, yet personal information such as the IMEI, the device MAC address, the list of installed software, the address book and SMS messages is collected.

Typical scenario 2: While the APP is running, the user is explicitly informed and asked for consent, but collection of personal information begins before the user agrees.

(2) “Collection of Personal Information Beyond Scope”

That is, the APP collects personal information that is not necessary for the service or has no reasonable application scenario, or collects personal information beyond the required scope or frequency.

Typical scenario 1: The APP collects personal information that is not necessary or reasonable for its service scenario and goes beyond the required scope, such as excessive collection of the user’s contacts, text messages, call records, etc.

Typical scenario 2: The APP collects personal information that is not necessary or reasonable for its application scenario at an excessive frequency, such as collecting location information or the IMEI at a fixed interval, or frequently reading contacts, text messages, pictures, etc.

Typical scenario 3: The APP collects personal information such as ID numbers, faces and fingerprints that is not necessary or reasonable for the service, for example by making the ID number, face or fingerprint a prerequisite for opening the application, or by inducing users to hand over such information through points, rewards and other incentives.

II. Use of users’ personal information in violation of regulations

(3) “Sharing with third parties without permission”

That is, the APP shares and uses the user’s personal information, such as device identification information, product browsing history, search habits and the list of commonly used software applications, without the user’s consent.

Typical scenario 1: Before the user has been informed by the APP and without the user’s consent, personal information such as device identification information, product browsing history, search habits and the list of commonly used software applications is sent directly to a third-party SDK or a third-party server.

Typical scenario 2: The APP shares device identification information, product browsing history, search habits and the list of commonly used software applications with third parties without informing the user or obtaining consent; the user’s product browsing history and search habits then appear in third-party APPs.

(4) “Forcing users to use the targeted push function”

That is, the APP uses collected personal information such as the user’s searches, browsing history and usage habits for targeted push or precision marketing without informing the user or without marking this in a prominent way, and provides no option to turn the function off.

Typical scenario 1: The APP’s targeted push function does not inform the user, and the user’s collected personal information is used for targeted push and precision marketing.

Typical scenario 2: The APP’s targeted push function is not marked in a prominent form.

Typical scenario 3: The APP’s targeted push function does not provide the user with an option to turn it off.

III. Unreasonably requesting user permissions

(5) “No permission, no use”

That is, during installation and operation, the APP asks the user for permissions unrelated to the current service scenario, and after the user refuses to authorize them, the application quits or closes.

Typical scenario 1: When the APP is first launched, it asks the user for permissions such as phone, address book, location, SMS, audio, camera, storage and calendar, and after the user refuses to authorize them, the application quits or closes.

Typical scenario 2: While the APP is running, it asks the user for permissions unrelated to the current service scenario, and after the user refuses to authorize them, the application quits or closes.

(6) “Frequent permission requests”

That is, after the user has explicitly rejected a permission request, the APP repeatedly applies to open the address book, location, text message, recording, camera and other permissions unrelated to the current service scenario, harassing the user.

Typical scenario 1: While the APP is running, after the user has explicitly rejected a permission request, the APP repeatedly pops up requests to open permissions such as contacts, location, text messages, recording and camera that are unrelated to the current service scenario.

(7) “Excessive permission requests”

That is, the APP applies in advance to open the address book, location, text message, recording, camera and other permissions while the user is not using the related function or service, or applies for those permissions even though they exceed its business functions or services.

Typical scenario 1: While the user is not using the function or service that corresponds to a permission, the APP asks the user in advance to open the address book, location, text message, recording, camera and other permissions.

Typical scenario 2: The APP does not provide the related business function or service, yet still applies for permissions such as contacts, location, text messages, recording and camera.
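Three of the scenarios above are about the order of events at runtime: collecting personal information before consent is given (problem 1, scenario 2), quitting right after a permission is refused (problem 5), and re-prompting for a permission the user has already refused (problem 6). An inspector or an app’s own QA team can check for them mechanically given an event trace. The following checker is an added example written for this page, not code from the Ministry or from any APP; the trace format (`t=<seconds> <event> <args>`), the event names and the sample trace are all constructed assumptions, and the thresholds are illustrative rather than values the document prescribes.

```python
from dataclasses import dataclass

# Constructed sample trace (not from the document). Event names and the
# "t=<seconds> <event> <args...>" format are assumptions for illustration;
# a real audit would feed in instrumentation or traffic-proxy logs instead.
SAMPLE_TRACE = """
t=0.10 app_start
t=0.25 collect IMEI
t=0.30 show_privacy_notice
t=4.00 consent granted
t=4.10 collect MAC
t=5.00 perm_request CONTACTS
t=6.00 perm_result CONTACTS denied
t=6.50 perm_request CONTACTS
t=7.00 perm_result CONTACTS denied
t=7.20 perm_request CONTACTS
t=9.00 perm_request CAMERA
t=9.50 perm_result CAMERA denied
t=9.60 app_exit
""".strip().splitlines()

# Personal-information items named in the document's scenarios.
PERSONAL_DATA = {"IMEI", "MAC", "INSTALLED_APPS", "CONTACTS", "SMS", "LOCATION"}


@dataclass
class Finding:
    time: float
    rule: str
    detail: str


def parse_event(line):
    """Split 't=1.5 kind arg1 arg2' into (1.5, 'kind', ['arg1', 'arg2'])."""
    fields = line.split()
    return float(fields[0][len("t="):]), fields[1], fields[2:]


def audit_trace(lines, reprompt_limit=1, exit_window=2.0):
    """Return the findings for one trace.

    reprompt_limit: how many requests after an explicit refusal are tolerated
                    before the app is considered to be harassing the user.
    exit_window:    seconds between a refusal and app_exit within which the
                    exit is treated as "no permission, no use".
    Both thresholds are illustrative assumptions, not values from the document.
    """
    consented = False
    denials = {}        # permission -> number of explicit refusals so far
    reprompts = {}      # permission -> requests made after a refusal
    last_denial = None  # (time, permission) of the most recent refusal
    findings = []
    for line in lines:
        t, kind, args = parse_event(line)
        if kind == "consent" and args[:1] == ["granted"]:
            consented = True
        elif kind == "collect":
            item = args[0]
            # Problem 1, scenario 2: personal data collected before consent.
            if item in PERSONAL_DATA and not consented:
                findings.append(Finding(t, "collection_before_consent", item))
        elif kind == "perm_result" and args[1:2] == ["denied"]:
            perm = args[0]
            denials[perm] = denials.get(perm, 0) + 1
            last_denial = (t, perm)
        elif kind == "perm_request":
            perm = args[0]
            # Problem 6: prompting again for a permission already refused.
            if denials.get(perm, 0) > 0:
                reprompts[perm] = reprompts.get(perm, 0) + 1
                if reprompts[perm] > reprompt_limit:
                    findings.append(Finding(t, "repeated_prompt_after_denial", perm))
        elif kind == "app_exit" and last_denial is not None:
            denied_at, perm = last_denial
            # Problem 5: the app quits right after a permission is refused.
            if t - denied_at <= exit_window:
                findings.append(Finding(t, "exit_after_denial", perm))
    return findings


def audit_sample():
    """Run the checker over the constructed trace above."""
    return audit_trace(SAMPLE_TRACE)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.time:6.2f}s  {f.rule:30s} {f.detail}")
```

On the constructed trace the checker reports the IMEI read at 0.25 s (before consent), the third CONTACTS prompt at 7.20 s (second re-prompt after a refusal), and the exit at 9.60 s (0.1 s after CAMERA was refused). The MAC read after consent and the first CAMERA request are not reported, which is the point of keeping state per permission rather than flagging every prompt.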

IV. Setting obstacles to user account cancellation

(8) “Difficult account cancellation”

That is, the APP does not provide users with an account cancellation (deletion) service, or sets unreasonable obstacles to that service.

Typical scenario 1: The APP does not provide the account cancellation service to the user.

Typical scenario 2: The APP sets up unreasonable obstacles to the account cancellation service.