The dream and reality of "three rights" of Chinese netizens

The movie "Thor 2: The Dark World," there is a line, "before the birth of the universe is a piece of nothingness, it is not, since then there is darkness, and has been there." "The same is true of the internet world of users. Since the advent of the Internet, it has become a beautiful and dangerous "Garden of Eden", on the one hand beautiful, rich, comfortable, convenient and free, on the other hand, but also often burst into various scandals, from hardware to software, from privacy to choice, from rogue software to viruses.

For Chinese internet users, the "Man, my fish" survival seems more apparent, sometimes even the basic rights will be hurt.

The issue is causing concern in academia and the legal profession. November 24, 2013 afternoon, the security alliance sponsored the "Internet users ' three rights ' protection seminar" held in Beijing. The white paper, published by the conference, first proposed the concept of "three rights" for the protection of Internet users, that is, to protect the user's "right to privacy", "rights to Know" and "choice", while the well-known legal and security industry experts reached the consensus that the Government to carry out relevant legislation.

International practice of "the principle of least privilege"

However, no matter how good the ideal, speaking in China, will face the problem of international standards. For example, the most basic principle of "least privilege" is often ignored by internet companies.

Shi Wenchang, a professor at the Chinese Academy of Sciences, said that in countries where Internet legislation is relatively regulated, such as the United States and some countries in Europe, companies that violate the rights of netizens will be severely sanctioned, which is inseparable from an internationally accepted Internet guideline, the principle of least privilege.

The least privilege is the smallest set of permissions that a subject must have to accomplish the task it undertakes. The principle of least privilege, then, is to ensure that each principal has only the minimum privileges necessary to complete a work task throughout its lifecycle, and cannot have the additional privileges required to exceed the task.

On the one hand, this principle gives the "essential" privilege of ensuring that the enterprise is able to perform the tasks required under the privileges conferred upon it; On the other hand, it gives only "essential" privileges, restricts the rights of the Enterprise, and requires no excessive operation. The aim is to limit the damage caused by intentional or unintentional misconduct by the subject to the smallest extent possible. For example, like the cashier does not need to have the accounting privileges, the Internet anti-virus products do not need to have, access to the user network account password privileges, browser software does not need to have a secret collection of users on the computer installation of other software privileges. As a result, the damage caused by subjective negligence or malicious behavior can be reduced.

Under the principle of least privilege, even Google, which consistently pursues the principle of "no evil", has been punished for violating the privacy of its users.

November 18, 2013, the United States, Google and the United States 37 U.S. states and Columbia, Dist. Of to reach a settlement, agreed to its secret tracking the user's network, infringement of consumer privacy practices to pay 17 million of dollars in compensation. It is the second time Google has paid a price for its secret tracking of some of Apple's mobile users ' web browsing behavior. Last year, the Federal Trade Commission conducted an investigation into the alleged state allegations, resulting in a fine of $22.5 million trillion, the largest amount of infringement of consumer privacy fines received by the Federal Trade Commission.

Google is not the only company to be penalized for violating user rights. In 2011, Face-book faced a number of fines for retaining user deletion data and face recognition applications that failed to comply with EU and German laws; in 2013, the US Congress mooted a new bill to guard against the potential threat to people's privacy from devices such as Kinect, The bill will rigidly require manufacturers to provide users with the relevant features of the switch setting options to standardize Microsoft behavior.

In fact, with the birth of the Internet, the vast amount of information, data storage and transmission, so that the network privacy has gradually become a fundamental right of modern people.

While there is no definitive definition, the universal right to privacy is "control of personal information-people enjoy privacy, allowing them to control their identities and identity-related facts". Although the concept has appeared for more than 100 years, it has become familiar to Chinese users because of the frequent disclosure of Internet privacy in recent years.

The legal system to protect privacy was first set up by the United States, followed by France, Germany and other countries have begun to protect the right to privacy in legislation. At present, more than 50 countries and regions in the world have developed personal information protection laws and regulations and standards for the social, political, economic activities, network space to deal with the behavior of personal information norms. Depending on the actual needs of the country, Governments usually adopt different modes of personal information protection. The EU adopts the model of legislation, the United States adopts the model of industry self-discipline, and Japan adopts the model of legislation and industry self-discipline.

However, the United States, which has always taken "less intervention and more self-discipline" as the minimum intervention principle, has gradually changed its attitude. In the process of making Internet policy, the United States Government intends to strengthen the management of Internet privacy, minors protection, Internet security, Internet governance and so on to ensure the legitimate rights and interests of the relevant participants of the Internet.

How far is the Chinese user's dream of "three rights"?

China so far has not seen internet companies have been fined for violating user rights, but it does not mean that China's internet is safer than anyone else's.

On the contrary, in China's internet life, as the privacy, the right to know, the choice of the user "three rights", seems to have become a commercial profit-making tools and entertainment talk, has been exhibitions and even damage.

In 2011, CSDN, a well-known domestic developer community, was hacked and more than 6 million user data were leaked from their databases. Then hackers have burst out Renren, 178, play, Lily Nets, 51CTO, Tianya Forum and other user information. Even a netizen burst material, traffic bank and Minsheng Bank also in arrows, a large number of depositors card number, passwords were leaked;

2012, 1th store staff leaked user information incidents, 900,000 user information was sold at low prices, seriously damaging the user's personal rights and interests;

2013, Nanning police captured "inside Ghost", its steal 50多万条 personal information, almost covers the entire Beibu Gulf area. The offender uses a large chain-store in a district as a computer defender, using unregistered Internet companies to peddle personal information stolen from the mall system at a price of $0.1 per piece online.

Some data show that the network crime caused China a direct economic loss of 289 billion yuan a year, only the fishing site, the loss of nearly 30 billion yuan. Collateral damage caused by personal information and privacy leaks is harder to measure with money.

In such a social environment, the user's privacy becomes cheap, the knowledge becomes insignificant, the choice is impossible to talk about.

Zhang Xinbao, a professor and doctoral tutor at Renmin University Law School, believes that over the coming term, the Internet industry as a whole will become unrecognizable, with consequences not only of simple economic losses, but even of the lives of netizens.

According to CNNIC (China Internet Network Information Center), "2012 China Internet users of the status of the study report" shows that up to 84.8% of the Internet users have encountered information security incidents, the total number of 456 million, the average person encountered 2.4 types of information security incidents; Among netizens who encounter information security incidents, 77.7% Netizens have suffered different forms of loss, and 47.5% of netizens will not do anything about it.

And China's Internet users ' information security problem is increasingly closely linked, is the Chinese netizens to the interconnection security, self-protection awareness of serious deficiencies.

A recent study by the Boston Consulting Company (Boston con-sulting Group) found that the Chinese were least worried about privacy exposure and that only half of the Internet users knew the meaning of cyber security. "This situation is mainly due to the lack of a complete definition of Internet user rights in our existing laws and the lack of Internet Security industry organization, which leads to the difficulty of Internet security supervision." Liupine, an associate professor of law School of Renmin University of China and a network law scholar, believes that the rights of user privacy and personal information must be protected through legislation. "Only by strengthening the legal system of Internet security can we protect fair competition, promote benign development of the industry, and make each network user's rights and interests effectively protected." ”

Liupine also stressed that now the problem of Internet security is the right balance between enterprises and users, and the formation of good internet security mechanism ultimately depends on the game of power, the current game is the biggest problem is the vast number of computer users do not actually participate in the game status, only through legislation on user rights to make provisions, In order to enable citizens and enterprises to effectively establish a balanced relationship.

Some enterprises that provide users with Internet security products have also been questioned about infringement of user privacy. For example, according to an accidental leaked document, 360 has detailed records of a large number of users of the full network access behavior, on its server, each user corresponding to a string, through the query string, you can understand the user all personal information, Internet browsing records, account password, online shopping history, and even he used the Kingdee, Data on the internal financial network of companies such as Chery, the official mailbox username and password of the government agencies they serve. The leak involved a total of 1.41 million items, including 247,326 entries involving user name information, including a username and a password entry of 816.

In the IDF Internet Deterrence Defense Laboratory co-founder, security expert Wan, although the law is the ultimate user rights and interests to rely on, but the real user "three rights" protection, can not be separated from the self-discipline of enterprises and independent third party industry institutions supervision, otherwise, The abuse of product technology dominance and market discourse will continue to play and ultimately damage the Internet industry and social innovation environment, "The Internet's ' river-style ' development may really have to reflect and slow down the time."