Annual Report: 2017 in Retrospect and Prospects for 2018

admin   2018-03-10 16:02
By Nandu Personal Information Protection Research Center
1. 2017 in Retrospect
In the history of China’s cyberspace governance and personal information protection, 2017 is a year worth remembering. During 2017, the environment for personal information protection improved steadily; typical events drew national attention; government regulation was strengthened; enterprise systems became more standardized; and public awareness increased. Looking back on the year, the following events are worth documenting.
I. Sina Weibo Sued Maimai: First Case of Unfair Competition On Big Data (January)
Reason: This is China's first case of unfair competition on big data. The judgment made it clear that third-party services must obtain user information under the triple-authorization principle: user authorization, platform authorization and a further user authorization. It not only warns third-party platforms that they must comply with business and ethical norms, but also reminds all Internet companies that big data can be traded while users’ private data should never be traded voluntarily.
II. Judicial Interpretation On Criminal Cases Involving Infringement Of Citizens' Personal Information (May)
Reason: The Supreme People's Court and the Supreme People's Procuratorate promulgated new judicial interpretations, which clarify the scope of “citizen's personal information” and the criteria for “illegal acquisition of citizen's personal information”. This is the first time they have released judicial interpretations on combating the illegal acquisition of citizens' personal information.
III. Implementation of China Cyberspace Security Law (June)
Reason: Having obtained an absolute majority of the votes, the Cyberspace Security Law of the People's Republic of China was passed in November 2016 and officially implemented in June last year. With the underground industry that trades and infringes on personal information growing and telecommunications fraud increasing, the law has set up a legal defense for protecting personal information. It is of epoch-making significance for the development of the Internet, both locally and globally. In the 6 months since its implementation, the law has been applied in various cases across the country. The law plays an important role in deterring the illegal trading of user information and the lack of protection for it.
IV. The Principal Criminal In The Case of Xu Yuyu Was Sentenced To Life Imprisonment (July)
Reason: College student-to-be Xu Yuyu fell at the entrance to a new life because of the underground chain that trades in personal information. Hackers sold her information to fraudsters, and the latter carried out the fraud. It is a case that the whole country deplored. Sentencing the principal criminal to life imprisonment sends a strong signal: telecommunications network crimes will be strictly combated and order on the Internet will be enforced.
V. Hidden Cameras Found In A Homestay (August)
Reason: A couple from Hangzhou booked a homestay in Taiwan through Airbnb. After staying there for a while, they found hidden cameras in the bedroom and bathroom, videotaping private moments such as taking a shower. While the sharing economy and electronic equipment bring convenience to the public, they also offer convenience to the ill-intentioned. This is a challenge that individuals, businesses and governments must face.
VI. Four National Ministries Jointly Assessed The Privacy Policies of 10 Most Used APPs (August-September)
Reason: People have become accustomed to using APPs for shopping, socializing, travelling and many other things in daily life, but very few people fully understand their privacy policies. The Cyberspace Administration, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Standardization Administration carried out a joint assessment, prompting the 10 APPs to upgrade their privacy policies by returning to users the right to choose, the right to unregister and the right to be forgotten. It sets an example for the development of the industry.
VII. AI Was Utilized As An Accomplice In Stealing Citizens' Personal Information (September)
Reason: While governance and enterprises' self-discipline are getting stricter, the underground industry has also kept up with the trend. The use of AI in the underground industry displaced the programmers. The “double-edged sword” effect of AI emerged earlier than expected, indicating that personal information protection is a protracted war in which both sides continue to upgrade.
VIII. Some Government and College Websites Leaked Citizens’ and Students’ Personal Information (November)
Reason: Names, addresses, ID numbers, bank accounts, etc. were disclosed on government and college websites. Information disclosure turned into improper disclosure even though the original intention was good. The ever-changing environment is producing new contradictions, and people must adjust their methods and thinking to it.
2. Prospects for 2018
Given the fast growth of the Internet of Things, the commercialization of AI, the launch of 5G and the sharing economy entering its golden age, all forecasts outline an interconnected world full of vigor and vitality for 2018.
At the same time, what new phenomena and problems will these changes bring to the field of personal information protection? From the perspective of the media, we would like to propose the following ideas.
I. The Development of The Internet of Things Prompts People To Become More Sensitive To Privacy
This September, Luo Wen, vice minister of the Ministry of Industry and Information Technology, said in an address at the 2017 World IoT Wuxi Summit that the global Internet of Things market in 2016 was worth close to 70 billion dollars, 21% higher than in 2015. The market is predicted to exceed 100 billion in 2018.
A huge market scale means that terminals will shift from computers and mobile phones to a variety of sensing devices embedded in computer systems, such as smart appliances, smart toys, smart wearable devices and cameras, where information will be acquired in various forms such as fingerprints, facial features, behaviors and images. In the foreseeable future, big data and intelligence will be fully integrated into people's lives.
How does the public react to that? We analyzed Beijing's Red Yellow Blue Kindergarten abuse scandal, which raised great public concern.
In the scandal, several key words spread widely among the public: “needle wound”, referring to parents finding needle wounds on their children’s bodies; “white pills” or just “pills”, referring to kindergarten teachers feeding pills to children; and “telescope”, referring to kindergarten teachers telling children, “I have a long telescope that can reach your home, through which I know everything you do.”
All three key words became popular and were widely mentioned. Using the popular-word index analysis provided by WeChat, Baidu and Weibo, we obtained the following figures:

Left: WeChat Index; Right: Baidu Index; Below: Weibo Index

The figures show that the news broke on November 23-24. On November 24, “telescope” quickly surpassed the other words and peaked in the media index.
While “needle wounds” and “pills” triggered an outpouring of public rage, people were more affected by “telescope”. One commenter said that “Long telescope that can reach your home” is the most horrible sentence he or she has heard in recent years, while some others even used the term “creepy”.
Many studies on patterns of information dissemination on the Internet have shown that anger and empathy are the main triggers of public concern. In this case, unlike the other two, “telescope” aroused both simultaneously. It reveals that, since privacy relates to every individual, it can easily cause both emotions at the same time, making it easier to produce a hot topic.
In the “2018 Security Predictions Report” released recently, Forcepoint, a well-known global Internet security company, made the point that the two main reasons the Internet of Things is vulnerable to attack are its large volume of access and poor security. Taking the smart home as an example, convenience is emphasized much more than security mechanisms. In 2018, hackers may attack not only the smart appliances in a single household, but also the entire Internet of Things system. This will create mass destruction, which could lead to massive leakage of user information.
The United States and other developed countries are not the only ones that Forcepoint's forecast fits. China's Internet industry is gradually moving toward the center of the world stage, meaning that China will also be among the first to experience the risks of the Internet of Things. If the industry is not well prepared, the public will develop an irreversible distrust of its enterprises even before the Internet of Things becomes universal.
II. Eco-Circle Construction of Internet Giants Causes Public Concern Over the Security of User Data Sharing
In recent years, there has been a popular saying on the Internet: product companies are worth 10 billion dollars, platform companies are worth 100 billion, and eco-companies are worth 1000 billion.
As Internet giants continue to expand through acquisitions and the distribution of their upstream and downstream businesses, problems have emerged concerning how to share their largest asset, user data, with third parties and how to obtain users’ consent.
Nandu Personal Information Protection Research Center (PIPRC) reviewed the ten Internet products and services assessed by the national ministries in August. Although the “third party sharing” clauses written in their privacy policies differ in some ways, there are a few commonalities:
a)  All companies mention that they would share user data with any third party after informing users clearly and getting affirmative consent.
b)  Several companies say that they would share user data with their affiliates or partners without users' consent.
c)  Several companies say that they would sign a confidentiality agreement with third parties.
d)  Several companies say that they would de-identify users' personal information.
The approaches above could give rise to potential risks:
a)   Have the users been fully informed when they authorize third parties?
According to one Nandu investigative news report, some third parties providing credit investigation services to P2P platforms obtain users’ consent simply by asking whether the users “agree that we obtain your personal information to complete the service”. They do not tell users what information they will get or how they will use and protect it at all.
After users clicked on “agree” with limited awareness, the third-party platforms would obtain 38 pages of information, including users' sensitive personal information. We cannot assume that informed consent is completed during the process. On the other hand, platforms that collect user information and give out their data assets too easily are forced to bear the risk of data leakage together with third-party platforms and could also lose users’ trust.
b)   With the strategic planning of Internet ecosystems, user information will be shared in a larger and larger scope. Whether to get users' consent or to de-identify the information before sharing are questions companies do not yet have answers to. At the same time, these questions may also bring compliance risks.
According to article 42 of the Cyberspace Security Law, network operators must not disclose, tamper with or destroy collected personal information, unless the information is de-identified and cannot be recovered. However, most of these provisions are norms of principle, lacking specifications and supporting regulations.
Two months after the implementation of the Cyberspace Security Law, the NPC Law Enforcement Inspection Team conducted an inspection and wrote a report about it. The report pointed out that since the implementation, the departments of the State Council have issued a series of supporting measures. The Cyberspace Administration of China and other ministries promulgated the “Opinions on Strengthening the Work of National Network Security Standards”, accelerating the formulation of national standards for network security. The report also revealed that 198 national standards for network security have been released.
At present, some provinces have legislated supporting regulations, such as the “Computer Information System Security Protection Measures” promulgated by the Inner Mongolia Autonomous Region and the “Regulations on the Construction and Protection of Telecommunication Facilities in Fujian Province” promulgated by Fujian Province.
According to the report, quite a few companies and organizations reported that while the Cyberspace Security Law regulates data security, applying it is far more complex. Additional regulations on aspects such as data desensitization standards and data sharing are still needed.
Therefore, along with the promulgation of supporting laws and regulations, enterprises must resolve the compliance problems involved in sharing users’ personal information.
Based on the above, there are two points worth highlighting in 2018:
1.  The supporting laws and regulations of the Cyberspace Security Law will give a clear definition of sensitive personal information and clarify the rules for collecting and sharing user data. In addition, standards for data de-identification will be published.
2.  The saying “technology is neutral and platforms are irresponsible” is no longer convincing. Enterprises should not view users' awareness of privacy protection as an obstacle. On the contrary, they should re-examine the design of their security defense mechanisms. The mechanism should not rely on border-based risk defense; it must focus on data flow and users' needs.
We also welcome you to share your point of view with us. Please tell us what you think are the most noteworthy issues in the field of personal information protection in 2018.