China Stipulates Which Permissions Data-Hungry Apps Can Demand
Have you ever been frustrated by the number of invasive and seemingly irrelevant permissions mobile apps demand as conditions for their use? That could change in China, as the country’s top internet regulator moves to curtail the pervasive problem of excessive data collection by apps.
In a joint notice published Monday, the Cyberspace Administration of China and three other central government agencies unveiled a new regulation on the “scope of necessary personal information for common types of mobile internet applications.”
The document, a final version of a draft regulation announced for public feedback in December, specifies what personal information — phone number, location, calendar, messages, photos, call logs, contacts, etc. — 39 categories of apps are allowed to collect from their users, with the new rules slated to come into effect May 1.
China’s current cybersecurity law, approved in 2016, stipulates that network operators can face fines or suspensions if they “infringe” users’ personal information. But the law lacks a clear definition of what this means, presenting a challenge to supervisory authorities.
The new regulation is expected to change the status quo. Messaging apps, for example, will be allowed access to a user’s phone number and contacts. For “online communities,” only a user’s phone number is compulsory. And mobile payment services can require users to provide their phone number, real name, national ID number, and bank card information. Other app categories with their own new data collection rules include ride-hailing, maps and navigation, and e-commerce.
While apps can still request nonessential permissions from their users, these will not be compulsory: The apps must provide basic services even if the additional permissions are declined.
Under the new regulation, most apps — except navigation services, livestreaming platforms, and a few others — will be authorized to at least require a user’s phone number.
For years, government agencies and third-party consumer advocacy groups have been calling out Chinese apps, including many that people use on a daily if not hourly basis, for flagrantly disregarding user privacy. In 2017, the Jiangsu Consumer Council slammed popular services from internet giants Tencent and Baidu for failing to rectify user privacy violations that had been exposed months earlier.
The following year, a Chinese Consumers Association survey of 100 popular apps — including messaging platform WeChat, microblogging site Weibo, and ride-hailing service Didi Chuxing — found that more than 90% were over-collecting user data.
In May 2019, the Cyberspace Administration of China announced a draft regulation that would require apps to be more transparent about and accountable for the information they collect from users, compelling them to still provide core services to users who had refused nonessential permissions. But it is unclear whether this draft was ever formally adopted.
Despite increased scrutiny, problems have persisted. In July of last year, the Beijing Internet Court ruled in favor of two individuals who separately sued internet companies Tencent and ByteDance for infringing their personal information. Months later, in September, a think tank under the influential Southern Metropolis Daily newspaper exposed major security and privacy concerns involving “mini apps” — third-party programs accessible within multifunctional apps like WeChat and Alipay.
According to Gao Fuping, director of the data law research center at East China University of Political Science and Law in Shanghai, the new regulation should provide authorities with a clear standard for judging which apps fall foul of the law. But it could also make it more difficult for apps to comply with the government’s “real-name registration” rules requiring users’ social media accounts to be linked to their verified identities.
“Social networks such as blog and forum sites need to be able to provide users’ real names to network operators,” Gao told Sixth Tone. “If the regulation only allows online communities to collect registered users’ phone numbers, this could hinder the implementation of real-name registration.”
While virtually all SIM cards in China are linked to national ID numbers or passport numbers — thus, to a person’s real identity — network operators typically do not disclose this information to third parties like mobile apps. According to the national cybersecurity law, China’s state-owned telecom companies should refuse service to social platforms that do not verify the real identities of their users.
This story has been updated to clarify that not all apps can require access to a user’s phone number under the new draft regulation.
Editor: David Paulk.
(Header image: People Visual)