One location permission can make privacy “streaking”.

Editor’s note: This article is from the WeChat official account “Leopard Bian” (ID: baobiannews), author: Pan Tao, editor: Liu Yang; republished with authorization.

Smartphones have become a fixture of daily life. But that ubiquity also creates the conditions for leaks of user privacy, location information above all. Leopard Bian tested 30 leading apps and found that every one of them, without exception, had requested location permission. Why does every app want your location?

“On average, each mobile phone is located by apps 3,691 times a day, photo albums and personal files are accessed by apps 2,432 times a day, and apps try to start silently in the background 783 times a day. More than 400,000 apps can read the user’s clipboard directly.”

These statistics were released in January this year by the research and development team behind Xiaomi MIUI’s privacy protection features. The appetite of apps for user permissions may be even greater than people imagine.

A navigation app needing location permission is understandable; a photo-editing app like Meitu needing camera permission is reasonable.

But if a keyboard app or a simple flashlight app wants your contacts, your phone number, and even your location, would you agree without hesitation?

In 2018, the China Consumers Association released an evaluation of the personal information collection practices and privacy policies of 100 apps. The results showed that most of these apps were suspected of excessive collection of user information, and location information was the most contested ground of all: as many as 59 apps were flagged for it.

Why do so many apps want location information that has nothing to do with their own functions?

30 apps, without exception

To get to the bottom of this, Leopard Bian expanded the sample from its earlier evaluation of contacts permissions, downloaded 30 more widely used leading apps covering common categories such as social networking, search, entertainment and travel, and tested each of them for location permission requests.

If the contacts-permission results were lopsided, the location-permission results were nearly unanimous. Android’s permission management screen shows that all 30 leading apps tested had requested location permission, without exception.

Among these 30 apps, besides Didi Chuxing, Meituan, AutoNavi Maps and other apps built around LBS (location-based services), whose core service genuinely requires location permission, apps such as Meitu Xiuxiu, Tomato Free Novel and QQ Music have also requested location permission.

Take Tomato Free Novel, owned by ByteDance, as an example.

Download the Tomato Free Novel app on an Android phone. On first launch, the app shows a “Personal Information Protection Guidelines” pop-up asking you to choose “Agree” or “Disagree”.

Of course, there is usually only one acceptable choice: choose “Disagree” and the app will most likely refuse to serve you.

In Tomato Free Novel’s “Personal Information Protection Guidelines” screen, you can see that the permissions the app requests include not only “collecting and using device identification information”, album (storage) permission and phone permission, but also, explicitly, location permission.

As for why it needs location permission, Tomato Free Novel says it is “used to enrich the dimensions of push recommendations”, and further explains: “City-level location does not require the location permission; the city and related information are determined only through the IP address, and no precise location information is collected.”

But that does not seem to be the whole story.

Check the full permission list of the Tomato Free Novel app and you will find that under the phone’s “Location” permission group, the app has requested not only “access approximate location” but also “access precise location”. The same is true of every one of the 30 apps tested this time.

Users just want to read an online novel; do they really need recommendations of writers from the same city? Himalaya uses the same pretext.

“Obtain information about your location and related audio and video content, and recommendations of cinemas around your location, food ordering around places you frequently visit, and other local life services.” What truly reveals Himalaya’s thinking is the second half of that sentence: the location information is needed for local life advertising.

Zhihu is similar.

Download the Zhihu app and you will see a “Welcome” screen on first launch. Open the “Personal Information Protection Guidelines”, and under the explanation of the “location function” Zhihu says this:

“When you enable location-related features, such as publishing content with location information, we will obtain the device’s location information after you grant the device location permission. In order to push content related to your location to you, we will collect the device’s precise location information when you turn on the device location permission.”

Put simply, Zhihu needs location permission for two reasons: so that you can conveniently post content tagged with a location, and so that it can recommend a location-related content feed to you.

Such an explanation sounds reasonable, but the problem lies in the last sentence of it: “If you do not agree to enable the device location permission, we may also provide you with relevant content based on your device’s IP address.”

In other words, whether you agree or not, your location will be determined one way or another, whether you know it or not.

Baidu Netdisk’s permission request goes even further: it includes not only “precise location” but also an additional permission to “use location in the background”. Baidu’s privacy policy states that “this permission is only used to trigger the Netdisk process and perform automatic background backup of photos after automatic background backup has been enabled.”
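The three location permissions named in this section (approximate, precise, and background) correspond, on Android, to ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION and ACCESS_BACKGROUND_LOCATION. A quick way to check what an app actually asks for, independent of what its privacy policy says, is to read the permission declarations in its manifest. The following is an added example, not code from the article or from any app it names: the manifest is a constructed sample for a fictional reading app (package name and everything else in the XML are made up; only the permission names are real Android identifiers).

```python
"""Audit an Android manifest for location permission requests.

Added example, not from the article or any app it names. The manifest
below is a constructed sample for a fictional reading app; only the
android.permission.* names are real Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree's {namespace}attr form of android:name

# Real Android location permissions, from least to most privileged.
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location in the background",
}

# Constructed manifest for a hypothetical app "com.example.reader".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Example Reader"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name found on a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def location_findings(manifest_xml: str) -> dict:
    """Summarize which location permissions a manifest requests.

    The "level" field is the highest-privilege location permission found:
      "none"       - no location permission at all
      "coarse"     - approximate location only (city-level use is plausible)
      "fine"       - precise location requested
      "background" - location usable while the app is not on screen
    """
    root = ET.fromstring(manifest_xml)
    requested = set(declared_permissions(manifest_xml))
    found = [label for perm, label in LOCATION_PERMISSIONS.items() if perm in requested]
    if "android.permission.ACCESS_BACKGROUND_LOCATION" in requested:
        level = "background"
    elif "android.permission.ACCESS_FINE_LOCATION" in requested:
        level = "fine"
    elif "android.permission.ACCESS_COARSE_LOCATION" in requested:
        level = "coarse"
    else:
        level = "none"
    return {"package": root.get("package"), "location": found, "level": level}


if __name__ == "__main__":
    # For the constructed manifest this reports level "background", which is
    # the Baidu Netdisk situation described above: precise location plus
    # permission to use it while the app is not in the foreground.
    print(location_findings(SAMPLE_MANIFEST))
```

An app that only ever needs a city, as Tomato Free Novel’s explanation claims, would show level “coarse” (or “none”, if it relied on the IP address alone); anything at “fine” or “background” is worth questioning against the stated purpose.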

Don’t get it? Exactly.

All sorts of practices that cannot be aired openly leave their traces in apps’ location permissions.

And such cases are far from rare. One netizen complained on social media that Soul recommended local Harbin content to him even though he had not granted location permission.

We turned off Weibo’s location permission, yet the Weibo app could still accurately recommend nearby people to us.

Nor are top-ranked apps such as Bilibili, Douban and QQ Browser exempt on this point.

User profiles and privacy “streaking”

In November 2019, Chen Ting, a junior at Shanghai International Studies University, found that while using the Baidu Tieba app, even after she had explicitly denied it location permission, the app still managed to push personalized ads precisely targeted at her area.

“No stopping the infringement, no agreeing to mediation.” In anger, she took Baidu to court.

A user taking on an internet giant may look like a lopsided contest with little chance of winning, but such cases are not uncommon. ByteDance has also been sued by users over abuse of the contacts permission.

Users have pushed back hard, and policy is applying pressure too.

As early as 2017, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the National Standards Commission jointly launched the “Personal Information Protection Promotion Action”, reviewing the privacy policies of 10 online products and services including WeChat and Sina Weibo. Since then, news of app rectifications and delistings has appeared regularly.

On February 5 this year, the Ministry of Industry and Information Technology also published a list of 26 companies whose apps had illegally invoked microphone, contacts, photo album and other permissions, and removed 10 apps that failed to rectify in time as required.

Why do the companies behind these apps still not hesitate to “take the risk”?

The reason is not complicated. For users, data such as location, phone number and photo albums is personal privacy they are unwilling to leak; for internet companies, that same data is the key to a continuous supply of traffic and money, and all it takes to get it is a few permission requests. Why wouldn’t they?

“We call it ‘data burying points’.” Chen Jie is a product operations manager at a domestic internet company. In his view, the abuse of permissions has become an industry trend. Beyond supporting product iteration, “user portraits will definitely be built, and companies have their own databases.”

Take location permission as an example. Once an app has a user’s location data, it knows far more than a simple geographic position.

For a user whose location data is leaked, the place they stay during the day is likely their workplace; the place they stay at night is probably their home; the route connecting the two reveals their daily commute; and from the workplace and regular stopping places, their economic status and consumption preferences can be inferred in turn.
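The home-and-workplace inference described above needs nothing more than timestamps and coordinates. The script below is an added example, not from the article or from the Bologna/UCL study cited later: it builds a constructed one-week trace for a fictional commuter (the coordinates are arbitrary, the dates are real calendar dates so weekdays line up), then recovers home from where the night-time samples cluster, the workplace from where the working-hour samples cluster, and the commute distance between them.

```python
"""Infer home, workplace and commute from a location trace by time of day.

Added example, not from the article or the study it cites. The trace is
constructed for a fictional user; HOME, WORK and CAFE are arbitrary
coordinates, and the grid size is an assumption.
"""
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

HOME = (39.9100, 116.4000)   # constructed coordinates, not a real address
WORK = (39.9900, 116.3200)
CAFE = (39.9300, 116.4500)


def build_sample_trace():
    """Construct hourly (ISO timestamp, lat, lon) samples for one week.

    2021-03-01 is a Monday, so days 1-5 are weekdays and 6-7 the weekend.
    A small deterministic jitter imitates GPS noise around each place.
    """
    jitter = [0.0000, 0.0002, -0.0003, 0.0001]
    trace = []
    for day in range(1, 8):
        for hour in range(24):
            if hour < 7 or hour >= 22:
                base = HOME                      # asleep at home every night
            elif day <= 5 and hour in (12, 13):
                base = CAFE                      # weekday lunch out
            elif day <= 5 and 9 <= hour < 18:
                base = WORK                      # office hours
            elif day <= 5:
                base = HOME                      # commute window and evening
            else:
                base = CAFE if hour in (15, 16) else HOME   # weekend
            j = jitter[(day + hour) % 4]
            trace.append((f"2021-03-{day:02d}T{hour:02d}:00:00", base[0] + j, base[1] + j))
    return trace


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def infer_places(trace, cell_deg=0.005):
    """Guess home and workplace from where samples cluster at different hours.

    Samples are snapped to a grid of cell_deg degrees (roughly 500 m, an
    assumption) so jittered fixes of one place fall into one cell. The cell
    with most samples between 22:00 and 06:00 is called home; the cell with
    most samples on weekdays between 09:00 and 18:00 is called work.
    """
    if not trace:
        raise ValueError("empty trace")
    night, workhours, members = Counter(), Counter(), {}
    for ts, lat, lon in trace:
        t = datetime.fromisoformat(ts)
        cell = (round(lat / cell_deg), round(lon / cell_deg))
        members.setdefault(cell, []).append((lat, lon))
        if t.hour < 6 or t.hour >= 22:
            night[cell] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 18:
            workhours[cell] += 1

    def centroid(cell):
        pts = members[cell]
        return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))

    home_cell, home_n = night.most_common(1)[0]
    work_cell, work_n = workhours.most_common(1)[0]
    home, work = centroid(home_cell), centroid(work_cell)
    return {
        "home": home,
        "work": work,
        "night_share": home_n / sum(night.values()),     # confidence in the home guess
        "work_share": work_n / sum(workhours.values()),  # confidence in the work guess
        "commute_km": haversine_km(home, work),
        "distinct_places": len(members),
    }


if __name__ == "__main__":
    result = infer_places(build_sample_trace())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two weeks of coarse, hourly fixes are enough for this to converge on a stable answer; with precise location and background access, the same logic also picks out the lunch spot and the weekend routine, which is the kind of consumption profiling the next paragraphs describe.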

Two researchers from the University of Bologna and University College London ran such an experiment. They developed an app to test how much personal information can be collected by location tracking alone.

69 users installed the program and ran it for at least two weeks, tracking more than 200,000 locations. After identifying about 2,500 of them, the app collected up to 5,000 pieces of personal information relating to demographics and personality.

From location data alone, the app could infer not only the user’s socioeconomic status and consumption habits but also personal health and other private matters.

A single location permission has all but thrown open the door to users’ privacy “running naked”.

With this information, combined with other private data such as the user’s social network and phone usage patterns, how hard is it for an app to recommend a nearby restaurant you might visit, or an item you might like?

Backed by gray industries, leaks are hard to prevent

Beyond refining user profiles for companies’ precision marketing, users’ personal information is itself an “asset” that can be circulated and sold.

In August 2018, the China Consumers Association issued its “APP Personal Information Leakage Investigation Report”. The report showed that when consumers’ personal information was leaked, more than 80% were harassed by sales calls and text messages, and some also had their account passwords stolen.

The culprit is the gray industry that trades in personal information.

Today, the trade in personal information has formed a large-scale industry chain with a detailed division of labor. In this chain, personal information carries clear price tags, so that the upstream, midstream and downstream links form a complete loop of transaction and monetization. Upstream collects the data, midstream processes and packages it, and it is then exchanged or traded into a large-scale market. The end result is the familiar phone fraud and malicious marketing.

In April 2018, police in Huai’an, Jiangsu cracked a criminal case of illegal trafficking in personal information. One of the protagonists, Koala Credit, had illegally provided more than 98 million queries returning photos since March 2015, for illegal profits of more than 38 million yuan.

Besides allegedly reselling the query interface it had obtained from its upstream supplier, another major reason for Koala Credit’s violations was that it illegally cached personal information for downstream companies to query for profit, causing leaks of users’ personal information.

Although most apps have not gone that far, faced with the temptation of “data = money”, abuse and overreach of permissions has become the norm.

Some have even built businesses that profit from location information.

According to media reports, buyers purchase an app called “Observer” online and first install it on their own phone; they then install the “hidden version” of the app (whose icon can be hidden on the controlled end) on the phone of the person being monitored. As long as the app’s location and file-reading permissions are granted during installation, the watcher can monitor remotely.

Besides “Observer”, the same developer has made several other apps with similar functions, including remote positioning, remote reading and writing of files, and even camera control. One of them can even evade WeChat’s security protections and obtain the monitored person’s chat history.

Openly selling privacy is too blatant, and such extreme cases do not represent most apps’ attitude toward privacy permissions. But in those long, dense and obscure privacy terms, the way an app explains how it shares users’ personal information can reveal some of the platform’s calculation.

In 2019, with the gimmick “all you need is one photo to star in the world’s best dramas”, the AI face-swapping app ZAO went viral across the internet. Its rapid fall from grace was related not only to the copyright of the platform’s material but, to a large extent, to user privacy and security.

According to ZAO’s earlier user agreement, when users used “ZAO” to swap faces, they also “agree, or guarantee that the actual rights holder agrees, to grant ZAO and its affiliates a completely free, irrevocable, permanent and sublicensable right worldwide”, covering content including but not limited to: the portrait rights of you or the portrait rights holder contained in face photos, pictures and video material, and the use of technology to make formal changes to the portrait of you or the portrait rights holder.

Such overbearing clauses not only triggered strong backlash from users but also directly led to the Ministry of Industry and Information Technology summoning the company for questioning.

In fact, apps are usually vague about whom they share information with, hiding behind “partners” and “affiliated companies”. Which companies those are, under what circumstances, what information is shared, and how it is used… many apps lack sufficiently detailed explanations.

Moreover, those terms look professional and authoritative but in practice are forbidding, and users rarely read them. The result is a serious information asymmetry between apps and users: it is hard for users to prevent their privacy from leaking, and they may never know it happened.

Conclusion

Users are kept in the dark while companies keep piling on. To obtain user permissions on a seemingly reasonable basis, some apps even add marginal functions to pad out their numbers.

For example, open today’s WiFi Master Key app and you can not only connect to WiFi and browse an information feed of articles and videos in your spare time, but even find a “camera detection” function in its toolbox.

In short, whether users really need it or not, the “family bucket” gets installed first.

“These are functions that do not match actual demand, what we usually call pseudo-requirements,” Chen Jie said. “Many functions won’t work unless you authorize them, so you are prompted to open the permissions through various channels.”

As a result, out of their own calculations, companies take large amounts of data that does not substantively help product iteration. And once privacy issues arise, as long as they have disclaimed responsibility in the privacy terms in time, the company can shift the blame onto users.

As the source of private information leaks, apps raise many issues about data ownership and the scope of permissions that remain open for discussion.

To curb gray industries and prevent leaks, on the one hand, relevant laws and regulations need continued refinement and dynamic supervision of enterprises must be strengthened; on the other hand, since major phone brands now run their own app stores, raising the barriers to entry upstream may also be an effective measure.

After all, privacy is everyone’s basic right. Whether to share it should be up to you.