"Alipay bill" event of four questions
January 3, Alipay announced the annual user "personal bill". In the bill home page, there is a particularly small line of words - "I agree with the Sesame Service Agreement" (hereinafter referred to as "Agreement") "and has been in advance to click" agree ". The Agreement reads, "You allow Credit Sesame to collect information about you and make it available to third parties."
This situation was disclosed by a lawyer on Weibo, sparking widespread public concern and skepticism.
On Jan. 10, the Network Security Coordination Bureau of the State Internet Information Office interviewed the people in charge of Alipay (China) Network Technology Co. and Sesame Credit Management Co. On Jan. 11, the Information and Communication Administration Bureau of the Ministry of Industry and Information Technology interviewed Ant Gold Service Group Inc. (Alipay) again and asked the company to immediately carry out corrective actions in line with the principle of fully safeguarding users' right to know and right to choose.
To address the factual and legal issues involved in this incident, this reporter interviewed relevant experts and people from Ant Gold Service.
Why "default checkbox"?
Some netizens believe that the more personal information subjects a credit service agency has, the more advantageous the credit products it offers, and the more it can attract more demanders, "Sesame Credit's use of a small-print default checkmark and inability to go back and check it may be an attempt to get more people's authorization."
"This incident has caused dissatisfaction, mainly because of the contracting method." Dr. Liu Ming, an assistant researcher at the Institute of Law of the Chinese Academy of Social Sciences, believes that the way the contract is concluded is as important as the content of the contract, Sesame Credit with a small-print default checkbox and can not go back to view the behavior of the consumer will have the feeling of "being set up", suspecting that Alipay used this way to attract people over, in fact, to let people go to the Sesame Credit authorization. The following are some of the reasons why Alipay has been so successful in this regard. If the merchant is unfair to the consumer in the contracting process, then the consumer has little control over the content of the contract and loses the advantage or even the opportunity to play with the merchant, which is what the consumer is dissatisfied with.
According to the Notice on Preparing for Personal Credit Business issued by the People's Bank of China on January 5, 2015, Sesame Credit Management Co. is one of the first eight commercial credit agencies in China. According to the official website of Sesame Credit, Sesame Credit is an independent third-party credit service organization, and is an important part within the ant gold service ecosystem. From credit cards, consumer finance, financial leasing, mortgage loans, to hotels, room rentals, car rentals, dating, classifieds, student services, public **** business services, etc., Sesame Credit has provided credit services for users and merchants in hundreds of scenarios. Xu Ting, senior expert of global consumer relations at Ant Gold Service, said that since its launch, Sesame Credit has provided credit services to more than a dozen industries, with hundreds of millions of users of personal information.
"Default ticking of such practices mainly occurs in companies that have little confidence in their own business credit and try to accumulate user authorization in this way. In fact, Sesame Credit does not belong to this kind of business." Liu Xiaochun, executive director of the Internet Rule of Law Research Center at the University of the Chinese Academy of Social Sciences, told reporters, "When I did industry research before, I had done a survey and research on Sesame Credit's personal information protection system, and I was impressed with Sesame Credit's safeguards in terms of internal compliance, preventing leakage of personal data, and the maintenance of data security for external cooperation. For such an organization, I don't think it has any need to use such 'carve-outs' as default ticking to get more authorization."
"After making corrections to the default ticking, we ourselves reviewed the situation many times and found that the problem might first be in the inertia of Internet product design." Xu Ting introduced the reporter to the company's internal investigation after the incident, "Internet product managers in the design of products, tend to focus on making the product to use, the experience as fast and smooth as possible. Such a thinking, resulting in the Internet launch of the product, will be directly to the user to choose a lot of things, in the user to use the last look at no problem, it is confirmed. This kind of thinking incorrectly assumes that many operations and interactions are an experiential friction for the user."
What's wrong with "default checkboxes"?
"The practice of ticking by default goes against the spirit of contract, especially contractual freedom and contractual justice." Professor Liu Junhai, director of the Institute of Commercial Law at Renmin University of China, said, "Freedom of contract is the contract between the two sides of the true meaning of the expression, and then reach a consensus, so that both sides are binding. Default ticking, that is, you have not let everyone see the contract terms, the default consent, as the enterprise unilaterally drafted the format terms, did not seek the consent of consumers, it as the consumer and the enterprise are binding on both sides of the contract terms, contrary to the spirit of the freedom of contract. Freedom of contract is not unilateral, it is bilateral freedom of contract. It is reasonable to say that any form terms drawn up by a business are form terms drafted by the business on behalf of the consumer at the behest of the consumer. However, the problem is that many format terms stuffed with 'private goods', often excluding the core power and interests of consumers' claims, increasing the obligations, responsibilities and risks of consumers, unilaterally get rid of or exclude the businessmen from obligations and responsibilities to consumers, unilaterally create rights and major benefits for the enterprise, as long as there is one of the above situations, that is contrary to the freedom of contract The existence of one of the above situations is contrary to contractual justice. Contractual justice requires that the rights and obligations of both parties are equal, put on a scale and weigh, your rights are equal to my rights, your obligations and my obligations are also equal."
"The default checkbox is not compliant, although our country does not have a personal data protection law, but the Consumer Protection Law clearly stipulates that consumers have the right to know and the right to free choice, if the user did not notice the agreement, and then reached by default, personal information is 'sold' off, which violates the user's right to know and free choice in the first place." Zhu Wei, deputy director of the Communication Law Research Center at China University of Political Science and Law, said.
"From the perspective of consumer protection, the default checkbox not only infringes on consumers' right to know and right to choose, but also their right to personal information security." Qiu Baochang, director of the Beijing Lawyers Association Consumer Rights and Interests Protection Professional Committee, believes that the default checkbox option in small print is easy to pass over, not the consumer's own choice, how personal information will be handled is not governed by their own true meaning, there is a security risk. "This also involves the right to privacy, property security, personal security, if the information is leaked, such as information related to the family's economic conditions, may also lead to theft, robbery and other cases."
On the right to privacy, Zhu Wei suggested that the right to privacy is an important right under Article 2 of the Tort Liability Law. In terms of tort liability law, part of the right to privacy can be alienated as a civil right as long as the user agrees. But this consent cannot be obtained by deception. "Without the user's knowledge, ticking the box by default, stipulating that he agrees or 'tricking' him into agreeing, and obtaining information in this way, violates the right to privacy."
Zhu Wei also pointed out that from the perspective of network security law considerations, citizens' personal information is also an important component aspect of network security, from December 28, 2012, the Standing Committee of the National People's Congress to consider and adopt the "decision to strengthen the protection of network information", to the adoption of the network security law in 2016, the legislation of the business on the use of personal information of the user is summarized in nine words " Legitimacy, legitimacy, necessity", which means that the user's information must be used only on the basis of fully seeking the user's consent, and cannot be used in violation of the law or in breach of contract. Article 43 stipulates that when a user discovers that a network service provider has used personal information in violation of the law or in breach of contract, the user has the right to request the network service provider to delete the information, giving the user the right to delete. Therefore, if the user is unaware of this, how can there be a breach of contract? Therefore, the default checkbox approach is very inappropriate, the user can ask Sesame Credit to remove all the information.
Beijing University of Chemical Technology College of Arts and Law Associate Professor Yue Yepeng pointed out that, according to the Consumer Protection Law, Article 26, the operator in the business activities of the use of format terms, shall not use the format terms and with the help of technical means to force transactions. Format clauses with such circumstances have invalid content. "The default checkbox restricts the consumer's right to make decisions and control the use of personal information, and, as Credit Sesame did not use a 'reasonable manner' to prompt, the clause should be deemed invalid even if the consumer clicks to agree."
Xu Ting also admitted that the default checkmark was indeed wrong and really shouldn't have been done. "With the fermentation of the incident, we are more and more aware of their own work mistakes to the public and users to bring trouble. The company attaches great importance to it, and the management believes that we can't discuss this incident on its own merits, but have to reflect on it comprehensively from the root."
How to protect the user's right to know, right to choose?
So, if the default check, but let the user independent "click to confirm", is not even to protect the user's right to know, the right to choose? In this regard, Liu Ming believes that the Internet contract is concluded in two main ways, one is to browse the contract is concluded, and the second is to register the user click to confirm the conclusion. The latter has a click to agree to the process, to give the user the opportunity to express their meaning, which is precisely the "default check" is difficult to do. "In fact, let the user in the case of no knowledge at all to reach an agreement, is the Agreement is not recognized in the key. Click to confirm that the effectiveness of this Internet contract has been recognized in theory and practice. The key to being recognized still lies in whether the core content involving the rights and obligations of consumers is made available and clearly visible to consumers. Some Internet agreements, although also take the click to confirm the way, but the contract content is too much, it is difficult to understand, and the way of the format terms, may also form the effect of unfairness to consumers."
Kong Dechao, a postdoctoral fellow at Renmin University of China, argued that the scope of the generalized authorization in the Agreement is too broad for the information subject to know which of the collected personal information is being used for evaluating the individual's credit, let alone to exercise the right of the information subject to object to and correct the individual's erroneous or inaccurate personal information as stipulated in the Regulations on the Administration of the Credit Collection Industry.
Zhu Wei also believes that, from the content of the Agreement, consumers are not able to understand the scope, manner, purpose, and use of the personal information that Sesame Credit collects and uses, nor do they know what kind of services Sesame will provide after they provide their information. The terms are vaguely defined and the authorization description is rather general. And clearly informing the information subject of the scope, manner, purpose and other matters of collecting and using information is required by a number of laws and regulations, such as the Cybersecurity Law and the Provisions on the Protection of Personal Information of Telecommunications and Internet Users. He pointed out that provisions on the use of private information should be highlighted more to users for special attention. "It is recommended that Sesame Credit make this agreement a little bigger next step, especially to clearly inform users about who will use their personal information, how it will be used, whether it can be transferred, and how it will be transferred. You can't default check the box to agree, you have to default check the box to disagree, so that the user reads it and becomes agreeable before jumping to the next step."
Xu Ting responded that for the consideration of personal information protection, the next step they will be ready to improve from the product design concept. "We reflected that the subsequent agreement to change the way and location of the reminder and add a click process may be a better user experience. Honestly, a click in the process of viewing the bill is going to add a little bit of cost for the user, but it will make it clearer for him and there will be no misunderstanding. And the user feels that there is a process of their own choice, although a bit of trouble, but it is easy to be accepted. So in the future in the product design, can not always think of reducing the friction of the product experience, reduce unnecessary interactions, more to be combined with the law, combined with the user's needs in a comprehensive manner, and the user has a healthy interaction."
Xu Ting told reporters, "From the feedback of opinions and views, we also found that there are some questions actually stem from the user's misunderstanding of the content of the Agreement's terms. It is because people don't understand what the credit service is all about that there is a concern that information may be leaked. Through the creation of these misunderstandings, we have also reflected on the fact that if we could clearly let people understand how we work with our partners and how credit evaluation affects the lives of users; and if we could express the meaning of the terms of the Agreement in language that is more accurate and easy to understand and at the same time conforms to the rigor of the legal provisions, these misunderstandings might not have arisen. We're trying to figure that out now, and we're already working on it."
"In addition, we will guarantee the implementation of this improvement in our organizational structure. The company has decided to set up a separate department under the customer center, dedicated to consumer rights protection and personal information protection, implemented to a very specific department and responsible person. He will report directly to the general manager, which is equivalent to a separate team to specialize in the implementation of this department will also have a clear assessment and accountability system, from now on, the entire company to attach importance to the protection of consumer information, we plan to carry out personal information protection of the entire staff of the cultural construction and training and education, taut in the minds of the information protection of this string. We are confident that we will do a good job of protecting users' information with practical efforts." Xu Ting said.
How is personal information protected in the era of big data?
The "Alipay bill" incident has sparked public concern about personal information security.
"Default ticking, should not be just a practice of Alipay, it is a common practice within the Internet industry, almost a clear rule." Zhu Wei said, this is because, our country does not have a personal data protection law, involving privacy protection laws and regulations, policy documents, red-top documents, there are more than 150, but the legislation is too general, not detailed enough. There is no distinction between personal information and big data. Identifiable information belongs to personal information, which belongs to the category of privacy; non-identifiable information belongs to big data, which belongs to the category of intellectual property rights, and businessmen can just use it without any problem. "For example, what pages are browsed, how many times are browsed, these non-identifiable to personal information, do not need to ask for the user's personal consent; however, in the end, who browsed, what is the name of the information must be informed in advance to ask for the user's consent before use. And the boundary between personal information and big data is actually very blurred in our country. It is precisely because of the blurring that many online service providers make it a business practice to collect information arbitrarily, without making it clear at all whether they are using personal information or big data, and it is extremely advantageous for businesses to mix them up."
Why has the practice of ticking boxes by default become a bright rule in the Internet industry? According to Liu Junhai, "This reflects the existence of regulatory loopholes and blind spots to a certain extent, and relevant law enforcement agencies and regulators should be urged to have the courage to regulate when the market fails. Regulators should use various means such as administrative guidance, market access, administrative penalties, etc. to maintain the order of fair trade between consumers and enterprises and the order of fair competition among enterprises. The goal of regulation is not to keep businesses from making money, but to create a consumer-friendly society where consumers have a sense of well-being, access and security. To create a multi-win *** enjoyment, honesty and credit, fairness and justice, mutual tolerance of the Internet market ecological environment, to promote the sustainable development of Internet enterprises. Personally, I think it is short-sighted and not a wise enterprise to build a business profit model at the expense of consumers, and smart enterprises should take the initiative to stand with consumers, take the initiative to respect and protect consumers' right to know, right to privacy, right to protection of personal information, and take the initiative to fulfill the enterprise's safety and security obligations."
Qiu Baochang believes that the relevant government departments do need to increase administrative supervision to regulate the behavior of operators, but also consumers need to find out and then promptly complain to the market supervision departments and industry authorities, after which the government departments should investigate and deal with the matter in a timely manner, to form a social **** governance on the protection of consumers' personal information.
Zhu Wei said, in the era of big data, the Internet, in fact, everyone's concepts also need to change and adapt, it is now not possible with the same as in the past, their own personal information are regarded as privacy can not be touched, a lot of personal information has been extracted, and may be more to be considered from the perspective of big data. In addition, it is still a credit society, not long ago, Sesame Credit and other eight market institutions and market self-regulatory organization China Internet Finance Association **** with the formation of a market-based personal credit agency called Baixing Credit. The basis of credit is personal information, without personal information can not do personal credit. In this process, the user must give up part of the right to privacy, but the prerequisite is to tell the user, this information how to use, if the user wants to cancel their account, the credit agency to ensure that the relevant information are deleted, can not be used in violation of the law, as long as the guarantee of this part of the right, there is no problem.
"This incident further enhances people's awareness of self-protection of personal information and privacy in the era of big data, interpreting the protection of personal information and privacy from the traditional sense of 'exemption from disclosure' passive protection, to the modern information society, 'active control' transformation." Kong Dechao suggested that to improve the personal information and privacy legislation and protection system, first of all, to strengthen the top-level design, while improving the collection and utilization of personal information technical rules system, from the technical level, but also to implement the information subject enjoys the rights.
No matter what the bill, the utilization of the user is not right.