Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

Online anonymous malicious abuse, slander and rumors, online fraud, and the spread of vulgar culture have caused great damage to personal and public interests, and also posed huge challenges to cyberspace governance and the construction of a good network ecology. As an Internet management method based on the user’s real name, online real-name production is an important means and system to manage network problems and purify cyberspace. App real-name authentication is a product of the development of the online real-name system, and is a mechanism for network operators to verify their true identities based on the personal information provided by users. In practice, apps have proposed different solutions for real-name authentication. This article analyzes the current situation of various App real-name authentication methods, scenarios and existing problems in the market.

one.Real-name authentication method

The App submits the user information to the third-party real-name authentication server, and the real-name authentication server calls the corresponding database to compare the real identity information, and finally returns the verification result to the App. The process is shown in the figure below:

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

In practical applications, the commonly used real-name authentication methods for apps are as follows:

(1) Two-factor authentication of ID card: Call the official ID database of public security and other government departments to verify the consistency of user name and ID number with the data in the database. It is often used in online communities, hotel services, transportation ticketing, online games and other industries. App.

(2) Three-factor verification of mobile phone numbers: call the phone number database of China Mobile, China Unicom, and telecom operators to verify the authenticity of the three types of information such as user name, ID number, and mobile phone number and their consistency with database data, often used for instant messaging , online education, online medical treatment, online shopping, job recruitment, express logistics, second-hand transactions, tourism services and other industries.

(3) Four-factor verification of bank card: call the UnionPay database interface to verify the consistency of the user’s name, ID number, bank card number, mobile phone number reserved by the bank and database data, commonly used in online payment, mobile banking, online lending, investment Apps for finance and other industries.

In addition to the above three verification methods, some apps also use “real person authentication” that collects the user’s face, fingerprint, iris and other biometric information to confirm the authenticity of their identity. This enhanced real-name authentication tends to be more and more widely used in practical applications.

two.Real-name authentication scenarios and analysis

The personal information involved in real-name authentication is generally the user’s sensitive personal information, and the app should simultaneously inform the user of its purpose when collecting user information in this scenario. From the analysis of the purpose of the synchronization description of the App, the real-name authentication is firstly to meet the needs of national or industry laws and regulations, and secondly, to maintain the risk control of the operation order. The relevant scenarios mainly include the following categories:

(1) Responsibilities

Account credentials required for registration. From September 1, 2013, users who newly apply for a phone card need to register their real identity information. Therefore, the mobile phone number of the user when registering can be used as an account credential and can also be used to confirm the user’s true identity for the App. Most apps use mobile phone number-based authentication (see Figure 1), and some apps further require users to enter real identity information such as name and ID number (see Figure 2) to confirm the user’s identity.

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

Fulfill public safety and information reporting obligations. When calling the user’s itinerary, health information, personal income and other business functions such as health code application, the user’s real identity information is required to query the relevant database to confirm whether the person is in a high-risk area, whether it is a close contact group and the real income ( See Figures 3 and 4).

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

Meet the special requirements of the industry and business. In order to address the possible pornography, vulgarity and bad habits of the live broadcast platform, the relevant online cultural associations proposed to the users who applied to become anchors to submit their name, ID number, mobile phone number, bank card account information, and real-name information holding a photo of their ID card. requirements (see Figure 5). In the scenario of overseas shopping, my country’s customs requires that personal items entering the country need to provide the recipient’s ID card for customs declaration (see Figure 6).

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

(2) Risk control

Enhanced authentication when enhancing service security. In order to ensure the security of funds, the App requires the real identity information of the user’s name and certificate number when the user performs payment, withdrawal, insurance, loan, transaction, etc. operations. (See Figure 7 and Figure 8).

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

Confirm that the user’s behavior is based on his or her own will. In order to ensure that the user is the account owner when the user performs account cancellation, personal historical information export and other operations that are of great concern to the user’s rights and interests, the app adopts a real-name system to prevent the risk of malicious cancellation of the account and theft of information copies by others. (See Figure 9 and Figure 10).

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

(3) There is no clear corresponding purpose

Collect real-name information on the grounds of various reward methods. Different from the above scenarios, real-name authentication in such scenarios is not mandatory. The app uses red envelopes, gift vouchers, etc. to reward users for completing the real-name authentication process, or allows users to agree to real-name authentication for reasons such as increasing trust value, increasing transaction rates, and possibly enjoying more rights and interests (Figure 11, Figure 12).

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

three. Analysis of the Problems Existing in the Collection of Personal Information by App Real-Name Authentication

In the common real-name authentication scenarios of the above apps, from the analysis of the results of the test and evaluation, there are mainly the following problems:

(1) The requirements on which the app states real-name authentication is not clear

Article 41 of the “Cyber ​​Security Law” requires that network operators should follow the principles of legality, legitimacy and necessity when collecting and using personal information. clear and reasonable purpose”, so when an app collects personal information on the grounds of real-name authentication, it should clearly state or quote the terms and requirements of national laws and regulations, industry management measures, and most of the apps only use “based on” Laws, regulations and regulatory requirements”, “relevant regulations” and other vague statements are summarized, it should be said that the legal basis and reasonable reasons for explaining the collection purpose to users have not been achieved.

(2) Requirements for generalized use of the real-name system

The “Network Security Law” that came into effect on June 1, 2017 put forward the overarching requirement that “network operators shall require users to provide real identity information”, but there is no detailed and complete supporting document for the specific types of services that require real-name authentication. For the definition, the specific categories of real identity information required for real-name authentication in different scenarios are not clarified. As more and more apps require users to perform real-name authentication in more and more scenarios, some companies have a “free-rider” mentality and generalize the use of real-name authentication requirements, which are neither necessary nor strong real-name authentication. Upon request, users are required to provide their name, ID number and even face information on the grounds of real-name authentication. And because many apps fail to clearly state the legal and regulatory requirements they are based on when they require real-name authentication for users, it is difficult for users to distinguish the necessity.

(3) Deceiving users to provide personal information for real-name authentication

The introduction of the real-name system is conducive to the supervision of the industry authorities and the fight against crime. The real-name system has been involved in many fields of social management. In order to prevent scalpers from reselling, the “real-name system for train tickets” has been implemented; in order to protect personal property, the “real-name system for savings” has been implemented; To put an end to spam and fraudulent text messages, a “mobile phone real-name system” has been implemented. Real-name authentication has also played an important role in the accountability of social management, but there are still some apps that “mislead users to agree to collect real-name information through fraud, deception, etc.” Information has not been verified for authenticity. The test found that using user A’s name, user B’s ID number, and user C’s face information, it passed the real-name authentication of some apps. There are two reasons for this problem. One is that when verifying the authenticity of user information, a certain service fee must be paid for invoking the third-party interface. In the case of a large number of users, the fee is not small for the App. Second, because most people still submit real personal information, App operators “hoard” data through out-of-scope collection methods, and these sensitive personal information collected may provide them with more “realization” opportunities.

(4) The processing method of the real-name information that is not clearly indicated to the user

Article 43 of the Cybersecurity Law stipulates that network operators shall collect and use personal information in accordance with laws, administrative regulations and agreements with users. According to this regulation, personal information collected on the grounds of real-name authentication shall not be used for other purposes, and this part of the information shall not be intercepted or stored without permission when using the real-name authentication interface service. In practice, most apps do not explain how this information will be processed after completing the corresponding authentication function during real-name authentication (see Figure 13 and Figure 14). Most of personal real-name information is sensitive personal information. Once leaked, it may cause serious harm to personal rights and interests of users, especially facial features, fingerprints and other biometrics, which are unchangeable information and should not be collected unless in special scenarios. For real-name information, if the national laws and regulations put forward storage requirements, a full impact assessment should be made on the security of personal information to ensure that the system information protection mechanism meets the corresponding requirements.

  Observation | Discussing “Real-Name Authentication” (1) Analysis of the Current Situation of App Real-Name Authentication Collecting Personal Information

Four. A few safety tips:

App real-name authentication involves a huge amount of data and information, and is closely related to the security of netizens’ personal information. Its smooth implementation requires the relevant competent authorities to further improve the top-level design and supporting measures, and promote network operators to comply with laws and regulations, under the premise of following the minimum necessary principle. Collect and use user real-name information.

At the level of policies and regulations: The application scenarios of the real-name system can be distinguished, corresponding regulatory documents and classification protection policies can be issued, and standards and specifications can be formulated to guide enterprises to apply them correctly. For the framework requirements put forward by regulations and policies, there should be supporting standards and specifications to “clearly define” their scope and types. At the same time, in order to give full play to the positive role of the real-name system, a corresponding supervision and management mechanism should also be established to compress operators’ discretionary space and avoid operators’ generalized use of real-name system requirements.

App operator level: First, clarify the business types that require real-name authentication. Personal information collected on the grounds of real-name authentication must have a clear basis. App operators should sort out the relevant requirements of various departments or industries, and confirm the business types that the state requires real-name authentication. For example, it is now clear that the real-name system is required for taking planes, trains, long-distance buses, staying in hotels, entering Internet cafes, purchasing controlled items, sending couriers, applying for phone numbers, and online games. When this type of business is involved, you can ask for real-name authentication. . The second is to clarify the type of real-name information required. The two-factor, three-factor, and four-factor authentication methods need to collect different types of user personal information and their sensitivities, and the strengths increase in turn. The requirements of the real-name system are not contradictory to the principle of minimum necessity. It is necessary to select a real-name authentication method suitable for business scenarios according to specific needs. This not only protects the user’s personal information, but also fully fulfills responsibilities and saves costs. The third is to limit the use of real-name information. First of all, in most scenarios, real-name information is used for identity authentication. The purpose and scope of its use are very clear and easy for users to understand. However, once it is used for other purposes, the user’s explicit consent needs to be obtained again; secondly, When using real-name information, the use of original data should be avoided, and only encrypted or de-identified data should be used to implement functions such as identity re-authentication, which will be more conducive to protecting information from being leaked and abused.

The Links:   AA104VB04 G121XN01-V001

Related Posts