On March 19, Dangdang issued a notice asking users to change their account passwords between March 19 and March 22; gift cards and balances in the accounts will be frozen during this period. The incident reportedly originated from the recent theft of a very small number of individual accounts, resulting in the misappropriation of the account balances of a minority of consumers. Dangdang also disclosed that the source of the information was CSDN.
On December 21, 2011, the account names and passwords of 6 million users of CSDN, the country's largest programmer community, were disclosed. The password leak then began to ferment on a large scale: Tianya, Century Jiayuan, Dangdang and other well-known domestic websites were exposed as having "similar leakage problems", and tens of millions of user accounts and passwords were openly spread on the internet, in an incident the media called "the largest user information disclosure incident in the history of China's internet".
This year, on the "3.15" Consumer Rights Day, the China Institute of Electronic Information Industry Development and the China Software Evaluation Center held the "2012 China Personal Information Protection Congress" and released the "Public Personal Information Protection Awareness Research Report", which shows that more than 60% of respondents have had personal information stolen.
At the national "two sessions" that have just concluded, a number of representatives and members submitted motions and proposals calling for the introduction of a Personal Information Protection Act as soon as possible.
Website operators disclosing user privacy is the main channel
Xiangdong, president of the network security company 360, summed up the three main channels currently leading to personal information leakage: "The first is the user's computer or mobile phone being hijacked by Trojan software, that is, a remote Trojan directly controlling the user's hard disk; the second is that the website's service provider does not fulfill its obligation of safekeeping and discloses personal privacy in the course of use; the third is that personal information is taken control of by others during transmission over the Internet."
Compared with technical factors, Liu Tao, deputy general manager of the Information Security Research Department of the China Software Evaluation Center, believes that the disclosure of users' privacy by website operators has become the more important factor in current infringements of personal information security.
Many netizens have unknowingly stored personal information on website operators' servers. For example, when chatting with instant messaging tools, the conversation involves a great deal of information, including telephone numbers, email addresses and more intimate content, which is stored on the server as chat records; when shopping on an electronic mall, personal bank card numbers, payment codes, home addresses and so on are likewise stored on the website operator's server. The antivirus software the public is familiar with focuses on protecting the security of the client computer and cannot reach the data stored on the operator's server.
"Although many users are concerned about personal information security, sometimes, in order to obtain free services or free products, or to get to know more friends, they will still fill in personal information online," said Mechauzou, deputy director of the E-commerce Expert Committee of the China Electronic Society and a university management college professor, who as early as 1998 wrote on "the problems the right to privacy may cause in the implementation of e-commerce" and called the above behaviour of netizens a "helpless choice".
First personal information security standard to be introduced
In Mechauzou's view, personal information includes personal sensitive information and personal general information. Sensitive information such as ID card numbers, mobile phone numbers and bank accounts should be strictly protected, while general information, on the premise of following basic norms, can be moderately developed to promote the development of the new network economy.
However, due to the lack of relevant standards, enterprises have problems in the collection, processing, use and other handling of personal information.
"Excessive collection of personal information is very common. Online shopping, for example, requires only a name, address and phone number, but many sites require additional information such as educational background, age and income. In addition, there is the problem of hidden collection of personal information. Hidden collection means not telling you, but using technical means to collect your personal information, as well as network usage behaviour such as web browsing time, frequency, attention and clicks, and then mining the data in the background to analyse personal interests and preferences," Mechauzou said.
Industry experts said that with the continuous development of data mining technology, once personal information scattered across the network is integrated, data association analysis may cause very serious consequences.
"The protection and sharing of personal information is a pair of contradictions, but the key lies in the degree to which it is grasped; adhering to the bottom line and establishing norms is very necessary," Mechauzou said.
According to Huang, executive vice director of the China Software Evaluation Center, at the beginning of 2011, under the guidance of the Information Security Standards Committee, the center led the development of China's first special national standard for "personal information protection", the "Information Security Technology: Guide for Personal Information Protection in Public and Commercial Service Information Systems", which has entered the national standard approval process. The formulation and release of the national standard will fill the gap left by our country's lack of broadly applicable guidance rules and regulations.
Besides defining the relevant concepts, the standard puts forward the basic principles and precautions to be followed in the four main links of collecting, processing, transferring and deleting personal information. For example, the "principle of clear purpose" requires that "personal information be processed for a specific, clear and reasonable purpose, that the scope of use not be expanded, and that the purpose of processing personal information not be changed without the knowledge of the personal information subject"; and personal information is to be deleted in the shortest possible time.
Protecting personal information security is systems engineering
Lu Yanna, deputy researcher at the Institute of Law of CASS, said that as personal information protection involves too many industry sectors, and there are differences even within the same industry, the national standard is still a common standard for various industries and should also be refined according to the characteristics of different industries. At the same time, he considered that the standard is not mandatory and depends on the voluntary participation of relevant trade associations and enterprises, and that a special personal information protection law is still needed.
Regarding the introduction of a personal information protection law, at the NPC and CPPCC sessions a number of representatives proposed making provisions on the legislative purpose, basic concepts, information resource authorities, basic principles, scope of application, personal information collection and collection procedures, the obligation of departments or organisations to inform, personal information storage and use, change procedures, sharing procedures, industry self-discipline mechanisms, supervisory organisations and their responsibilities, damages, legal liability and so on.
However, in Mechauzou's view, although the conditions for legislating a personal information protection law are ripe, the law cannot solve all the problems; personal information security is a systematic project.
He suggested that government departments, as the largest holders of personal information, should first attach great importance to the management of personal information applications and provide a good legal environment for citizens' online activities and the development of the Internet industry. At the same time, relevant enterprises should strengthen self-discipline, technology and management, and when conditions are ripe could also set up a corporate Chief Privacy Officer specifically responsible for handling matters related to user privacy. And the general public must improve their awareness of and ability to protect personal information security, guard against the potential risks that online behaviour may bring, and weigh the pros and cons.
Xiangdong also believes that personal information protection cannot be handled by any single party but requires the individual efforts of government, websites, security companies and users: "In particular, Internet enterprises should undertake the important responsibility of protecting personal information, and cannot be both athlete and referee."