Did you know
Smart TVs can also
force authorization and excessive claims
collect personal information beyond the scope
threaten the security of home users
Information pictures (pictures and texts are irrelevant) Xinhua News Agency Pictures provided
Recently, China Information and Communications Research The Academy and the Telecommunications Terminal Industry Association released the "OTT Terminal Data Security and Personal Information Protection Research Report (2022)" (hereinafter referred to as the "Report").
The "Report" shows that the infringement of personal information rights by smart TV SDK is more serious than that of smartphones.
SDK: Third-party software development tool kit
OTT: Internet companies use the Internet as the medium and Internet TV as the terminal to provide users with various services
Why do these problems occur?
How to protect the
personal information of smart TV users from infringement?
This
" China Consumer News " reporter conducted an in-depth investigation
1
SDK mandatory authorization exists in large quantities
The "Report" shows:
In terms of data security and personal information security, Internet TV APP and third-party SDK mandatory authorization, excessive There are a lot of phenomena of claiming rights and collecting personal information beyond the scope;
In terms of traffic fraud, the OTT field has a high proportion of false and fraudulent traffic, squeezing the advertising market budget and threatening the security of home users;
In terms of content, content piracy and infringement, secondary creation, and relocation Soft piracy is prominent, affecting the development of the video payment market; in terms of
screencasting security, screencasting is more convenient, but there is also the risk of leaking user privacy.
The "Report" also shows that:
75% of the tested TV operating systems have known security vulnerabilities;
60% of the pre-installed APPs have problems with illegal collection of user information such as MAC addresses;
80% of the TV systems have built-in SDKs and pre-installed applications. The issue of sharing sensitive user data to third parties without obtaining user consent.
From the perspective of problem distribution:
system components have the most problems, accounting for 27%;
is followed by security issues with preset APPs, accounting for 23%;
security issues from the operating system and involving personal information protection each account for 18%;
data security issues accounted for 14%.
2
Data sharing security issues are prominent
The "Report" shows that among user data security issues, data sharing security issues are relatively prominent.
Almost all Internet TV apps share data with integrated third-party SDKs, but this behavior is not reflected in the privacy policy. User's sensitive information is transmitted without desensitization. For example:
The pre-installed APP of the Internet TV under test will clearly display the mobile phone number of the account information page, and some will transmit the user's remote control operations, personal viewing habits information and other personal information in plain text. The display of
permission application statement and information collection statement in the privacy policy is also the hardest hit area. The "Report" shows that 80% of APPs on Internet TV do not disclose other rules for collecting and using personal information. There are a lot of problems such as default consent to the privacy policy, illegal/out-of-scope collection and use of personal information, third-party permission applications and lack of information collection statements. The
test found that 80% of APPs on Internet TVs have the problem that the installation software package is not reinforced. Attackers can insert malicious code at a low cost, causing user information leakage and property losses; 57% of APPs on Internet TVs have pre-installed APP codes. The configuration file is set to open, which can easily cause application vulnerabilities and be exploited by hackers.
The "Report" shows that the tested APPs on Internet TV are all involved in the problem of private collection of personal information, including private sharing with third parties, excessive collection of personal information, denial of permission, excessive request for permission, etc.
3
The pre-installed SDK for smart TVs was not disclosed and was not compliant.
TalkingData legal director and data compliance officer Ge Mengying told a reporter from China Consumer Daily: "I think this built-in SDK is an illegal operation by APP and TV manufacturers."
"Internet TV itself cannot directly build in the SDK.As a software development toolkit, SDK is based on APP. The SDK built into the TV system is, to be precise, the TV manufacturer’s own APP or the partner’s APP with built-in SDK. Moreover, this built-in behavior requires the TV manufacturer’s technical skills. It can only be completed with the cooperation of the above.
is different from mobile phones in that many TV manufacturers' APPs may not have display pages, so they will not be displayed to individual users, resulting in a situation where individual users are unaware.
From a compliance perspective, there is a problem that the built-in APP does not disclose the loaded SDK to individual users. According to the requirements of the " Personal Information Protection Law " and the " Notice on Carrying out Information and Communication Service Perception Improvement Actions " issued by the Ministry of Industry and Information Technology, the APP should disclose the list of loaded SDKs in its privacy policy, including the SDK Basic information on collecting personal information, including information type, purpose of use, usage scenarios and other information. "
4
APP relevant specifications should apply to smart TVs
Regarding pre-installation regulations, the Ministry of Industry and Information Technology issued the "Notice on Strengthening the Management of Mobile Smart Terminals' Network Access" as early as 2013, and in 2016 it issued the " Mobile Smart Terminal Application Software Pre-installation" "Interim Provisions on Configuration and Distribution Management " to refine the regulations on mobile intelligent terminal manufacturers and Internet information service providers that provide mobile intelligent terminal application software distribution services. Since then, the Ministry of Industry and Information Technology, together with the National Internet Information Office, has drafted again this year. "Notice on Further Standardizing the Preset Behavior of Mobile Smart Terminal Application Software (Draft for Comments)" intends to further standardize the preset and distribution management of application software.
Ge Mengying said: "The main purpose of the above regulations is to protect the right to know of individual users. And the right to choose, it doesn’t matter whether the carrier is a mobile smart terminal or a smart TV. What is important is to protect the rights and interests of individual users. "
Ge Mengying believes that the above-mentioned regulations on the obligation to notify pre-installation are consistent with the "Personal Information Protection Law", which specifically points out that before processing personal information, it needs to be true, accurate, and clear in a conspicuous manner and in clear and understandable language. Complete notification obligations to individuals. Therefore, smart TV manufacturers should disclose the list of pre-installed applications to individual users, usually on the official website of the TV manufacturer, and should also ensure that consumers are informed. Rights and choices.
5
Although the correlation is low, personal information will still be infringed.
Duan Zhichao, a senior data compliance lawyer at Han Kun Law Firm , told a reporter from China Consumer News that Internet TV and smartphones play an important role in the collection of personal information. There is no difference in the essence of the application.
He believes that although Internet TV may be less relevant to individuals than smartphones, the viewing records of Internet TV and its various terminals, behavioral data, and Information such as purchase records, installation records, and maintenance records related to Internet TV can also reflect some personal characteristics, such as income, interests and preferences.
In addition, Internet TV provides video, voice, screen projection, etc. Functional modules such as cameras and microphones, as well as the connectivity and interaction between multiple devices, will cause problems such as personal information leakage if appropriate security protection measures are not taken.
Currently, the focus of supervision of personal information protection in APPs is still mainly focused on mobile phones. In terms of APP applications and SDK, Duan Zhichao believes that both the "Personal Information Protection Law" and the recently released " Mobile Internet Application Information Service Management Regulations " have put forward higher levels of personal information protection in the Internet TV industry. It is required that regulatory authorities can more easily apply the experience summed up in the supervision and enforcement of mobile APPs and SDKs or the industry consensus formed in the supervision and governance of other mobile smart terminals such as Internet TV. These existing cases will provide guidance for all parties in the Internet TV industry. Party provides clearer direction guidance.
(Original title: Exposure! When you watch a smart TV, it is also secretly "looking" at you...)
Source: China Consumer News
Process Editor: TF099
