Personal Information Protection
72 Mobile Apps Reported for Illegally Collecting and Using Personal Information
Yang Shi Wang· 2026-02-03 03:54
Core Viewpoint - The National Cybersecurity Center has reported that 72 mobile applications are found to be in violation of personal information protection laws, highlighting significant issues in user consent and data handling practices.
Group 1: User Consent Issues
- 17 mobile applications failed to clearly inform users about privacy policies and data collection practices at the first run of the app [1]
- 34 mobile applications did not specify the purposes, methods, and scope of personal information collection in their privacy policies [2]
- 17 mobile applications provided personal information to third parties without user consent or proper notification [3]
Group 2: Data Collection Practices
- 5 mobile applications collected personal information without obtaining user consent or continued to collect data after users declined [4]
- 9 mobile applications did not provide effective mechanisms for users to correct, delete personal information, or cancel their accounts [5]
- 3 mobile applications failed to process complaints and requests for personal rights in a timely manner [6]
Group 3: User Rights and Security Measures
- 22 mobile applications did not offer users a straightforward way to withdraw consent for data collection [7]
- 25 mobile applications lacked adequate security measures such as encryption or anonymization of personal data [8]
- 1 mobile application continued to display ads after the user closed the page, disrupting normal usage [9]
Group 4: Compliance with Regulations
- 4 mobile applications were found to have no privacy policy at all [10]
- 33 out of 71 previously reported applications still exhibited issues upon re-evaluation, leading to their removal from distribution platforms [10]
Setting Rules to Prevent Apps from Demanding Excessive Data Permissions
Xin Lang Cai Jing· 2026-01-14 19:42
Core Viewpoint - The recent draft regulation by the National Internet Information Office aims to address the issue of excessive data collection and clarify the boundaries for personal information collection and usage by internet applications [1][2]
Group 1: Issues in Data Collection
- Internet applications have long been plagued by hidden rules for profiting from personal information, such as collecting user social networks through contact permissions and using microphone access for targeted advertising [1]
- Many platforms disguise excessive data collection as "experience upgrades," employing tactics like "bundled consent" and "default selections" to lead users to unknowingly disclose personal information [1]
- This forced operational model not only erodes user trust but also leads to frequent data misuse, hindering healthy industry development [1]
Group 2: Objectives of the Draft Regulation
- The draft regulation targets the core issues in the industry, aiming to further standardize the collection and usage of personal information by internet applications [2]
- Certain provisions require applications to separate core functions from non-essential permissions, allowing users to grant permissions selectively and eliminating bundled consent [2]
- The regulation emphasizes the "minimum necessity" principle, mandating that permission requests must be directly related to current functions and cease immediately after the task is completed [2]
Group 3: Vision for Data Ecosystem
- The draft is not intended to restrict data circulation but to create a "bounded circulation" data application ecosystem, encouraging companies to focus on service quality and transparent data collection [2]
- Users should regain their rights to be informed and to choose, actively monitoring permission requests and utilizing their rights to report complaints [2]
- Collaborative efforts are needed among all parties to protect user rights while allowing for the valuable application of data elements, supporting the development of AI and big data [2]
70 Mobile Apps Reported! Are Any of the Ones You Use Among Them? →
Xinhuanet Finance · 2025-11-02 05:39
Core Viewpoint - The article highlights the detection of 70 mobile applications that violate personal information protection laws, emphasizing the need for compliance with privacy policies and user consent in data handling practices [1][2][3].
Group 1: Violations in User Consent and Information Handling
- 23 mobile applications failed to provide clear notifications for users to read privacy policies upon first use, making it difficult for users to access these policies [1].
- 24 mobile applications did not specify the purposes, methods, and scope of personal information collection in their privacy policies [2].
- 14 mobile applications shared personal information with third parties without user consent or proper notification [3].
- 5 mobile applications began collecting personal information without obtaining user consent first [4].
- 4 mobile applications did not offer effective options for users to correct, delete personal information, or cancel their accounts [5].
- 2 mobile applications failed to process complaints and requests for personal rights in a timely manner [6].
- 23 mobile applications did not provide users with a way to withdraw consent for personal information collection [7].
Group 2: Security Measures and Policy Compliance
- 34 mobile applications did not implement adequate security measures such as encryption or anonymization of personal information [11].
- 9 mobile applications lacked a privacy policy altogether, which is a significant compliance issue [12].
- 13 mobile applications did not have specific rules for handling personal information of minors, failing to obtain necessary parental consent [10].
- 1 mobile application did not inform users about the necessity and impact of processing sensitive personal information [9].
- 3 mobile applications used automated decision-making for information push and marketing without providing options for users to refuse [8].
Illegal Collection of Personal Information! Apps of 7 Financial Institutions, Including Xingye Securities, Reported
Nan Fang Du Shi Bao· 2025-06-19 12:09
Core Points
- The National Cybersecurity Notification Center reported that 64 mobile applications were found to illegally collect and use personal information, including apps from 7 financial institutions [1][5]
- The violations involved 13 types of misconduct, with 5 major categories identified as "high-risk" behaviors [3][4]
Group 1: Financial Institutions
- Four brokerage firms and three banks were named, including Chengtong Securities, Xingye Securities, Shengan Securities, Wukuang Securities, Longjiang Bank, Wuhai Bank, and Haixia Bank [1][5]
- Specific issues included failure to inform users about the recipients of their personal information and not obtaining separate consent, affecting apps from Chengtong Securities, Haixia Bank, Xingye Securities, and Wukuang Securities [6]
- Chengtong Securities did not implement necessary security measures such as encryption, while Xingye Securities failed to provide users with a way to withdraw consent for data collection [6]
Group 2: Violations and Categories
- The five major categories of violations included:
  1. Lack of clear notification to users about privacy policies at the first app launch [3]
  2. Incomplete privacy policies that did not specify the purposes, methods, and scope of personal information collection [3]
  3. Failure to inform users about the transfer of their personal information to other parties [3][6]
  4. No provision for users to easily withdraw consent for data collection [4][6]
  5. Inadequate security measures such as encryption and de-identification [4]
- Other industries affected included food and beverage, gaming, transportation, and lifestyle services, with notable brands like Starbucks, Hualala, and others being implicated [7]
31 Apps and SDKs Reported! Youdao Premium Course, Moji Weather TV Version and Others Involved
Nan Fang Du Shi Bao· 2025-05-08 14:54
Core Insights - The Central Cyberspace Administration of China has detected violations of user rights in 15 apps and 16 SDKs, highlighting issues such as failure to list the SDKs collecting personal information and lack of clarity on the rules for personal information collection [1][6].
Group 1: Issues Identified in Apps
- Eight of the 15 problematic apps failed to list the SDKs collecting personal information, including Moji Weather TV version (1.3.8) and Dongman Zhi Jia (3.9.13) [1][2].
- Seven apps did not accurately specify the purpose, method, and scope of personal information collection by the SDKs, including Youdao Premium Course (6.8.2) and Tuhu Car (7.10.5) [1][3].
Group 2: Issues Identified in SDKs
- Among the 16 problematic SDKs, three did not provide rules for personal information collection, including CTP Penetration Collection and Jinsida Penetration Collection [3][4].
- Four SDKs, such as Xigua Video, failed to explain measures for responding to user requests regarding personal information rights in their collection rules [3][4].
Group 3: Regulatory Actions and Compliance
- The Central Cyberspace Administration requires the operators of the identified apps and SDKs to complete rectifications within 15 working days from the announcement and report back on their compliance [6].
- The regulatory body will conduct follow-up inspections and take legal actions based on the rectification results [6].
[Security] The Financial Cybersecurity Knowledge Handbook Explained in One Graphic
China Construction Bank · 2024-09-12 06:29
[Infographic: China Cybersecurity Week. Financial Cybersecurity Awareness Handbook, The People's Bank of China]
Cybersecurity Law of the People's Republic of China
The Cybersecurity Law of the People's Republic of China was adopted by vote at the 24th Session of the Standing Committee of the 12th National People's Congress of the People's Republic of China on November 7, 2016, and from June 1, 2017 ...