Editor’s note:
Cybersecurity is increasingly a problem that troubles you and me.
Data breaches, hacked cameras, email/telephone scams… Worrying news hit the headlines every now and then.
In this data-driven world, companies are so craving to know who you are, with industries from finance to healthcare and from advertising to e-commerce thirsting for data more than any time before.
We hope for a better world where technologies are so advanced to eliminate illness and bring about endless prosperity, but be prudent before we get there. Driven by the huge demand, data breaches are happening every now and then. The outside world may have already known everything about you.
This is the Part 4 of a 5 Part-Series. Link to the Part 1, Part 2, Part 3 and Part 5.
Reaching their claws too far
“Don’t profile us as data transaction companies,” jittered the three data service providers approached by KrASIA. Well, they have good reason to be frightened. “Data transaction” is a phrase every data service provider tries to dodge ever since the Cybersecurity Law of the People’s Republic of China was enacted. If measured strictly against the new law’s definition, “not a single data transaction made in the past was totally legal”.
So the data service providers are all shying away from that phrase and, instead, describe themselves as companies specializing in analyzing and integrating data. All the data are legally obtained from the customers, who have sought prior consent from the end users, claimed those data service providers.
There it is, the “user consent”, justifying all the data transactions of those data service providers. While the “user consent” is legally effective, it is often obtained in a tricky way, which can be deemed neither legal nor illegal.
Life today would be difficult without smartphones and the apps that ride on them. They’ve brought much convenience to our lives and increased our digital footprints exponentially.
While installing an app, a user will, invariably, come to the step where she or he is asked to agree with its terms of services, which are, often, with tens of thousands of words and in small type. How many of you will read that before clicking to agree? I guess no one. Of course, there’s always the option of “don’t agree”. But, by doing that, you’ll also deny yourself the access to its services.
The Chinese government is stepping up its efforts in cracking down on digital data transactions. But, the ones that got busted are largely “blatant risk takers”, which are usually easier to nail. Actually, the real threat to the citizens’ personal data privacy comes from the “subtle practices”. Some apps for Andriod phones, for example, have been secretly harvesting the data that’re unrelated to their services.
The open source Android enables device makers to deliver their own versions of Android systems. But many phone makers are simply not so well geared for timely upgrades to patch the bugs susceptible for exploitation, leaving their devices vulnerable to malicious software.
There’s often a year or two years’ delay before the bugs in certain versions of Android could be fixed. Quite possibly, the devices riding on a certain version, by then, would have already been phased out on the market, Li Tiejun, security specialist of Cheetah Mobile, told KrASIA. If the root access of an Android device is acquired by malicious software, then goes the data stored on it.
In addition to malicious software, another huge army that is eroding our personal data privacy is the app we use daily, which the users often fail to take notice. What the users don’t know is that they have agreed to surrender much of their personal data with a simple click to agree with the terms of services or, sometimes, by allowing the apps to access certain functions on their phones.
The apps can encroach on the personal data on your phone by gaining access to the following functional modules, including root, contacts, phone number, text messages, call log, location, microphone, camera and more.
But, how will this endanger your personal data privacy?
Once an app is allowed to access the contacts on your phone, all the contacts on your phone are basically exposed to exploitation. Just imagine the number of contacts an app can harvest if it has millions of users, probably tens of millions. The consequence would be woeful if that amount of contacts end up on the black market. Your close friends or relatives could fall victims to frauds.
By clicking to agree, the user basically forfeits the control over his or her personal data. You can do nothing about it, even if the apps breach your personal data privacy by using your data on unintended purposes. It’s all their call.
What’s even more unsettling is that some apps demand access to certain functions that are even irrelevant to their services, only for the purpose of mining more of your personal data.
According to a report published by DCCI (Dhaka Chamber of Commerce & Industry), 13% of non-game apps on the market had reached their claws beyond their service scopes and asked for access to the users’ location information in 2016. That ratio was an astounding 26% among the learning apps.
Additionally, 9.1% of the non-game apps had demanded access to the users’ contacts, which are even totally irrelevant to their services. Some live streaming apps even stretched far beyond for the root access on the users’ phones, which are usually gripped in the hands of the phone makers.
This practice is universally adopted among the app developers. Citing their explanation, it is “snag more of it for when you need it”. “Those accesses may not of any use for their current versions. Thinking that they might be needed for their future versions, they ask for them anyway. But, most probably, the functions they’ve asked for accesses will not be needed at all. So, all in all, what they are really eyeing is still the extra amount of data,” Li Tiejun told KrASIA.
What for?
What the app developers need those data for? Well, of course, for their own gains.
According to DCCI, different app developers deal with those data in different ways. Some app developers leverage those data for targeted advertising, i.e. optimizing their online advertising mechanism. Once an app developer has gotten its hands on a user’s personal data, it will go further down the path by continuing tracking his or her digital behavior and hoarding more of his or her personal data. The more data the app developers bag home, the happier they will be. That explains why they are so keen on harvesting data that’re even irrelevant to their services.
Sitting on a huge amount of user data, some app developers will choose to trade the harvested data with third-party advertisers, game promotion platforms and e-commerce marketing platforms.
There are others that will even allow marketing companies or data analysis companies to insert their own SDK packets into their apps for direct data collection. The users’ data are secretly being funneled to some third-party companies, but they are unaware.
The data gathering practice has been going on for long in a “seemingly legal but twisty way”. The terms of services of most apps are simply “empty shells”, which sidestep all the essential issues like to what extent the data is collected and how the data will be used, leaving the users in the dark.
“The terms are lopsided towards the app developers. In some cases, the type of data to be gathered and how the data will be used are specified in the terms of services. The users will definitely be stunned if they take their time to read it carefully,” said Li Tiejun. In other countries, privacy breach, oftentimes, induces class actions, which are costly to settle. The penalty for personal data breach in the U.S., Europe and some countries in Southeast Asia, for example, is much heavier than that in China.
In early 2017, Meitu’s photo filter app took the U.S. by storm for a set of pictures of Trump and spiked to No.55 on Apple’s app store in only 24 hours.
But, its popularity soon sunk for, what the security experts in the U.S. called, the privacy nightmare. It turned out, Meitu had been seeking excessive permissions, including access to the users’ phone’s contacts, Wifi, operator information and IMSI, except for the access to the camera on users’ phones. With those accesses, Meitu is able to figure out all your digital behaviors on your phones.
Regulation:
Many internet firms rushed to modify their terms of services around the time of the issuance of the Cybersecurity Law of the People’s Republic of China, an insider told KrASIA.
It says clearly in the Cybersecurity Law of the People’s Republic of China that “network operators must not gather citizens’ personal information unrelated to the services they provide”.
It also specifies in the Article 41 that network operators collecting and using citizens’ personal information shall abide by “principles of legality, propriety, and necessity, explicitly stating the purposes, means, and scope for collecting or using information, and obtaining the consent of the person whose data is gathered”.
But, the question is whether those network operators will really put “explicitly stating” into practice.
Here’s an excerpt from the terms of services from an internet firm modified in August 2017: “For the purposes set forth in this Privacy Policy, some of our services are provided jointly with our authorized partners. For enhancing our services and delivering better user experience, we may share some of your data with our partners.”
The statement is clearly a far away from “explicitly stating”.
“The companies now are trying to include as many data gathering circumstances in their terms of services as possible, including allowing them to share gathered data with business partners involved and related third-parties. The vaguer the terms are, the more circumstances they cover, and the less legal risks they take,” Gao Fuping, a professor at East China University of Political Science and Law told KrASIA. This practice may work perfectly well in China, “but it is null and void abroad.”