Focus Interview 20230904 Scan QR Code Consumption: Need for "Convenience" and More "Boundary" Policies
CCTV News: A cup of milk tea may not cost much, but the order contains the consumer's personal information and consumption trajectory. A single order is inconspicuous, but what about an order history of one thousand or ten thousand cups of milk tea? For merchants, the user data behind these orders can be an important asset. Because of this, businesses look for ways to obtain user data through a dazzling variety of marketing methods: scan a QR code to order a meal, sign up for exclusive membership, join a group to receive discounts. So, is there excessive collection of user data in these marketing methods? Have the merchants properly stored the data they collect? Today we go to Shanghai to take a look.
One day in September 2022, several men sneaked into the office of a logistics company at night. In order not to be recognized by others, they not only covered their faces tightly, but also opened umbrellas. After tinkering with the computer, these people quickly left, seemingly without stealing anything or causing any damage. However, soon after, the Minhang Branch of the Shanghai Public Security Bureau received a report that someone had been involved in telecommunications network fraud.
Shi Minchao, a police officer from the Anti-Fraud Special Team of the Minhang Branch of the Shanghai Public Security Bureau, said, "The victim is a 26-year-old woman named Xue, who has some habits of online shopping. She received some online scams that impersonate customer service, resulting in direct losses of over 20,000 yuan."
It is understood that the key to the fraudsters' success was that they had an accurate grasp of the personal information Ms. Xue left while shopping. So, how did the criminals obtain this information? The police later arrested a suspect named Peng. According to his account, he was instructed to take a job at a logistics enterprise in order to steal user information, and was promised a purchase price of 2.5 yuan per piece. Peng then exploited loopholes in the company's management to secretly implant a Trojan program on the company's computer, thereby stealing a large amount of users' personal information.
The multiple similar cases solved by the police clearly indicate that the theft and sale of personal information, together with telecommunications network fraud, have formed a complete gray industry chain. Within it, personal information leakage is the most important link.
Shi Minchao said, "The reason why telecommunications network fraud is so rampant now is mainly because criminals have obtained our personal information, accurately formulated scripts for us, and carried out fraud against us."
The investigation found that cases of directly stealing personal information are still rare. People are more likely to encounter merchants asking for personal information such as name, location, and phone number when they scan a QR code to order a meal, pay a parking fee, buy or sell real estate, or shop in a supermarket. That information then leaks for a variety of reasons.
Zhang Wei, an Internet security expert, said, "There are two main types of harm caused by personal information disclosure. One is the use of personal information by the black and gray industry. The other is that enterprises gain more abnormal commercial rewards and interests from the abuse of user information. In addition, they will also establish an intelligence system and establish industrial barriers through personal information."
Despite constant public complaints, why are companies keen on collecting consumer personal information?
He Yuan, Executive Director and Associate Professor of the Data Law Research Center at Shanghai Jiao Tong University, said, "Because we are in the era of the digital economy, data is like 'oil'. Especially with a large amount of data, it has great value that ordinary people cannot imagine and is very tempting."
Tang Jiansheng, Deputy Secretary General of the Shanghai Consumer Protection Commission, said, "Integrating all these data together forms a portrait of everyone, and this portrait is precisely what is most commercially valuable."
Ultimately, data is the key that opens the door to wealth. As a result, many users' personal information is excessively collected, forcibly requested, obtained by inducement, and illegally used by merchants. Starting from mid-June, the Shanghai Cyberspace Administration, in conjunction with the Market Supervision Bureau, launched a six-month special law enforcement action to address this chaos, focusing on eight consumer areas: restaurants, parking QR codes, children's learning and training, shopping in supermarkets, financial and small loans, real estate intermediaries, car 4S stores, and rental chargers.
Wu Hongming, Deputy Director of the Network Law Enforcement Supervision Department of the Cyberspace Administration of the Shanghai Municipal Party Committee, said, "Through centralized rectification, we aim to enhance the self-protection awareness of citizens' personal information, while regulating the behavior of merchants in protecting personal information and fulfilling their obligations in protecting personal information."
Several prominent issues were discovered through open and undercover investigations of 29 well-known milk tea and fast food restaurants in Shanghai. The first is requesting information forcibly or beyond the necessary scope. This is very common in restaurants, milk tea shops, and coffee shops. For example, even though the user is already at the venue, they are still told to order by scanning a QR code through an app or mini program. During the scanning process they are forced, or induced with coupons or membership offers, to provide their name, phone number, location, and other information beyond what ordering requires; otherwise they cannot complete the order. Experts say that this approach not only violates the principle of minimum necessity, but also deprives consumers of their right to make independent choices and violates the Consumer Rights Protection Law.
The more stores there are, the more data they generate, sometimes reaching astonishing levels. For example, a well-known chain milk tea brand generates 87 pieces of data for every order received, and has accumulated over 10 billion pieces so far. Among them are 670 million pieces of sensitive personal information, such as consumer names, phone numbers, and locations. Experts say that in the era of the digital economy, data is often used for business management, which helps improve work efficiency and economic benefits. Therefore, personal information can be collected and used. But in the process of collecting information, the three principles of legality, legitimacy, and necessity must be followed.
It is understood that building a technology platform to collect consumer personal information has a low threshold and a low cost. On some e-commerce platforms, a large number of individuals and technology companies sell the development of QR code ordering mini programs as a service. Network security experts say that scanning QR codes to order carries certain risks, especially QR codes of unknown origin at small businesses, whose security cannot be guaranteed.
So, has the information that merchants collect through QR code ordering and induced submissions been properly stored? The investigation found that many enterprises have hidden dangers in how they store user information. For example, the well-known milk tea shop mentioned earlier collected a huge amount of data. According to the Cybersecurity Law and the Data Security Law, it should be protected according to a three-level standard, but this enterprise had not done this work. One month on, how is the company's rectification going?
Zhu Yan, General Manager of a certain technology enterprise, said, "We have already contacted relevant level protection units and have set a basic goal of completing all protection work by December."
As for the 87 pieces of information generated by ordering a cup of milk tea, the reporter saw them in the backend database. Most of this information is production information necessary for the normal operation of the enterprise, rather than personal privacy information, so the public does not need to panic. The items most directly related to the public are name and phone number. The reporter saw that the vast majority of people leave a nickname or surname rather than their full name; as for the phone number, the reporter randomly selected an order from the same day for inspection.
Xu Yu, Vice President of the Innovation Research Institute of Shanghai Information Security Evaluation and Certification Center, said, "A mask change has been made in the middle, and the entire personal information will not be leaked. It still meets the requirements."
But soon law enforcement officers discovered a complete phone number, and the merchant informed them that it was a virtual phone number. Is this really a virtual number? The reporter immediately dialed and confirmed that it was not the customer's real phone number. It is understood that virtual numbers are used for the convenience of merchants or delivery drivers to contact customers. They can be dialed, but they are not real numbers and will automatically expire after 24 hours. Subsequently, the reporter selected orders from a few days ago for further verification, and all numbers were invalidated, not real phone numbers.
In addition, privacy policies are one of the key items in this inspection. A privacy policy is the statement issued by the party collecting information on how it collects personal information. Simply put, it tells users the purpose for which personal information is collected and how it is stored. Law enforcement officers found that many companies either have no privacy policy or have an incomplete one. For example, the internet-famous milk tea shop mentioned earlier did not clearly inform users of the relevant content.
The reporters' investigation found that some companies have formulated privacy policies, but they are too lengthy and the user experience is very unfriendly. For example, how can consumers be expected to read the privacy policy of a certain coffee chain, which runs to nearly ten thousand words? Rather than informing users, it is more about protecting the company itself.
In order to strengthen personal information protection, the Shanghai Consumer Protection Commission has issued compliance guidelines, self-discipline commitments, and compliance lists for four consumption scenarios since July, including QR code ordering, parking payment, children's training, and shared power banks. In the future, corresponding guidance will be provided for major consumer scenarios such as real estate intermediaries and supermarket shopping.
Shanghai is not alone. Beijing has also recently released a case analysis and compliance guidelines on the illegal collection and use of consumer personal information in scan-to-consume services, sorting out six types of violations and making corresponding regulations. On August 3, the National Cyberspace Administration issued the "Management Measures for Personal Information Protection Compliance Audit", which stipulates that processors who process the personal information of more than one million people should conduct a personal information protection compliance audit at least once a year; other personal information processors should conduct a personal information protection compliance audit at least once every two years.
Data is known as the "oil" of the information age, a reference to its enormous value, and data containing personal information is an even higher-quality "oil" that businesses compete over. However, in the consumer field, it is not uncommon for users' personal information to be excessively collected, forcibly requested, obtained by inducement, and illegally used by merchants. It is not that merchants cannot collect users' personal information, but it should be collected within boundaries, used with moderation, and protected with responsibility. How to standardize merchants' information collection and usage in various consumption scenarios, and how to supervise and guide merchants in protecting consumers' personal information, should be given sufficient attention.