Ctrip's "Loophole-Gate": Where Has Personal Privacy Gone in the Big Data Age?

Source: Internet
Author: User
Keywords: personal privacy, Ctrip, big data age

On March 22, the Internet vulnerability reporting platform WooYun published a report: Ctrip had enabled the debugging function on the service interface used to process user payments, so that all packets sent to the banks' cardholder-verification interfaces were stored directly on the local server, where they could be read by any hacker. According to the report, the leaked information includes users' names, ID numbers, bank card numbers and card types, card CVV codes, and 6-digit card BINs (6 digits used for payment). Anyone who obtains this information can easily complete a credit card payment.
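The failure described in the report, debug logging on a payment interface writing full bank-verification packets to disk, can be guarded against with a logging filter that scrubs card data before any handler writes it. This is an added example, not Ctrip's code; the field names (`cvv`, `id_no`, `card_no`) and the sample packet are assumptions constructed for illustration.

```python
import logging
import re

# Field names are assumptions for this example, not Ctrip's real schema.
DROP_KEYS = r"cvv2?|cvc|id_no"
KEY_VALUE = re.compile(rf'(?i)("?\b(?:{DROP_KEYS})"?\s*[:=]\s*"?)([^",&\s}}]+)')
PAN_LIKE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and timestamps are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(match: re.Match) -> str:
    """Keep only the 6-digit BIN and the last 4 digits of a card number."""
    pan = match.group(0)
    if not luhn_ok(pan):
        return pan
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub(text: str) -> str:
    """Drop CVV/ID values outright and truncate card numbers."""
    text = KEY_VALUE.sub(lambda m: m.group(1) + "[REMOVED]", text)
    return PAN_LIKE.sub(mask_pan, text)

class CardDataFilter(logging.Filter):
    """Scrubs the fully formatted message before a handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub(record.getMessage()), None
        return True

# Constructed sample packet (well-known test card number, made-up values).
SAMPLE = ('{"id_no": "110101199001011234", "card_no": "4111111111111111", '
          '"cvv": "123", "order": "2014032200017"}')

if __name__ == "__main__":
    log = logging.getLogger("payment.debug")
    handler = logging.StreamHandler()
    handler.addFilter(CardDataFilter())
    log.addHandler(handler)
    log.warning("bank verify request: %s", SAMPLE)
```

Attaching the filter to every handler, rather than relying on developers to remove temporary logs, means a forgotten debug statement still cannot persist a CVV or full card number.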

After the news broke, cardholders who had paid by credit card on Ctrip expressed their worries, and some even went to their banks to replace their cards. In this big data age, personal privacy has become a hot topic. During this year's two sessions, NPC deputy and Xiaomi Technology chairman Lei Jun spoke about the big data era: a big data strategy involves the protection of personal privacy, needs to define which data may be used, and at the same time needs to increase the penalties for Internet crime.

Leaks in the big data age

On March 23, Ctrip admitted on its official microblog that the "security loophole" existed and explained the cause of the leak: "To troubleshoot a suspected system problem, Ctrip's technical developers left a temporary log which, through negligence, was not deleted in time. This information has now been deleted."

Nowadays the term "big data" is mentioned more and more. It is used to describe and define the massive data produced in the era of information explosion, and to name the related technological development and innovation. The arrival of the big data age has also made people realize how weak their own position is: personal privacy has become vulnerable in the face of big data, and Internet leaks keep occurring.

In December 2011, the user databases of CSDN, Century Jiayuan and other sites were exposed online; because some passwords were stored in clear text, large numbers of netizens were threatened with privacy disclosure. In October 2013, chain hotels such as Home Inn and 7 Days were reported to have leaked the room-booking records of up to 20 million customers. In November 2013, personal information from nearly a million Yuantong Express waybills was publicly sold online, and websites dedicated to trading express waybill numbers even appeared.

"On the Internet, the security of any platform or system is relative; there is no absolute security. Almost every Internet company will have security loopholes, which is unavoidable." In the view of Guo Changsheng, sales general manager of Jiangmin Science and Technology, no company would gamble with its own credibility. Ctrip did not actively disclose users' private data; a third-party platform merely detected that a loophole existed, which is not a big problem. Ctrip has also promised that if the security vulnerability causes losses to users, it will take full responsibility and pay compensation.

"A company's disclosure of private data is definitely illegal and cannot be forgiven; even if the disclosure is not deliberate, the company should still bear responsibility," said Liu Xingliang, dean of the DCCI Internet Research Institute and Internet expert. Users hand their information to a company with confidence because they assume the company can keep it safe; this amounts to a de facto agreement between the two sides, and the company has an obligation to protect the information's security.

Liu Honghui, senior partner of Beijing Ying-ke law firm, told reporters: "Credit card payments sometimes do not need a password; a CVV code plus an ID number is enough to complete a payment. The CVV code is equivalent to a payment password. On a proper online payment platform this code has to be entered, and the payment platform should not know this number, should not save it, and should not leak it." He believes that although this privacy leak has not caused losses to cardholders, Ctrip should take appropriate remedial measures.

There's a bottom line to digging up personal privacy.

"Personal privacy issues have always existed; privacy disclosure is not something that only appeared with the big data era. The key lies in how personal privacy is mined," says Shenhao, director of the Institute of Journalism at the University of Communication. He believes that to serve customers better, businesses need to obtain information about them; making sure this does not unduly expose privacy requires basic principles, which in turn requires the government to formulate basic rules. Companies and individuals need to comply with these rules and understand which information must not be touched; this is the most basic bottom line.

In Shenhao's view, most information collection should be open, impartial and authoritative. For example, when a user signs a service contract with a mobile operator, the operator must know the user's ID number; it may analyze at what time the user sends the most text messages, but it may not analyze the content of those messages. Businesses that mine big data may bring together pieces of related information so that some personal privacy is exposed. "For example, when I use a microblog, a merchant can analyze the content of my microblog because the content is public, and use that analysis to work out what kind of advertising I like and push ads accordingly. That is legal. But if a merchant gets into my mailbox and analyzes my behaviour from my email content, that is an infringement." Shenhao believes that in the big data age the bottom line for privacy protection is that the information produced by big data analysis must not harm consumers or users.

"Some companies use their own client software and other means to collect users' behaviour habits and then push products or ads to users. This is a violation of personal privacy, and because it is the company's own deliberate behaviour, it is the most harmful to users." Guo Changsheng believes that Chinese people's awareness of their legal rights is not strong enough; in Europe or the United States, such violations could bankrupt a company.

On the collection of information for big data, Liu Xingliang proposed that beyond the most basic bottom line there should be tiered levels and permission management. "What kind of information can be publicly analyzed, and what level of staff can access what kind of information, needs detailed layering. The information collected by Ctrip, for example, cannot be made accessible to everyone. A company certainly hopes to collect as much user information as possible; the more complete the information, the more it helps data mining and collation." He believes that in this process the company bears the greater responsibility: what information it collects and which parts may be used still depend on corporate self-discipline.

In addition, Liu Xingliang believes that there should be a punishment standard for disclosing personal privacy, which could be tied to quantity, for example setting the range of punishment according to the amount of information leaked. The matter cannot end with damage to the company's reputation; companies also need to pay a higher price.

Privacy protection should not mean giving up big data

For Internet companies, the information collected from users mainly includes consumption habits, behavioural characteristics and personal data. Companies can use it for big data analysis, further mining users' potential spending power and more diversified value, so as to provide more targeted services. Shenhao believes that, on this premise, consumers or users can give up a certain amount of personal privacy.

Protecting personal privacy should not mean giving up big data. "In the big data age, personal privacy issues will certainly attract more attention, but we cannot reject big data because there is a risk, just as we do not ban kitchen knives because a knife can be used to hurt people," said Liu Xingliang. Forbidding platforms to obtain credit card information because of this leak is not realistic. Instead, there should be limits on what information a platform may obtain, and if a platform obtains more than the limit allows, the relevant law enforcement departments should punish it.

According to Liu Honghui, China has regulations on Internet privacy protection. Article 4 of the "Internet Security Protection Technical Measures" issued by the Ministry of Public Security stipulates: "Internet service providers and networked units should establish a corresponding management system. User registration information may not be made public or disclosed without the user's consent, except as otherwise stipulated in laws and administrative regulations. Internet service providers and networked units should use Internet security protection technical measures in accordance with the law, and should not use them to violate users' freedom of communication and communication secrets." In addition, Article 7 of the "Computer Information Network International Networking Security Management Measures" specifies: "The user's freedom of communication and communication secrets are protected by law. No unit or individual may violate laws and regulations and use the Internet to infringe upon users' freedom of communication and communication secrets."

Internet companies often analyze users' online purchases: for example, a user browses a watch shopping site and then, on opening a site, sees a lot of watch ads. Liu Honghui believes that, provided the user is informed, the user's rights are not violated and no loss is caused, this is equivalent to producing a survey report on the user's shopping habits, much like a street survey: "Your behaviour will not be divulged to others; the company is only analyzing it in order to provide a more targeted service."

Collecting data without the user's knowledge, even to a limited extent, ignores people's rights to a degree. Liu Honghui suggested that Internet companies that collect such information publish a notice on their websites, for example: "When you log in to our website, your shopping habits may be recorded. We sample the data, but guarantee that it will not be leaked." In this way, a user who enters the site indicates agreement to the collection, and there will be no more disputes over privacy violations.
