Reporter’s investigation: information security is in urgent need of a crackdown on “black production”

“Try to use voice, don’t send text!”

“You can rest assured that we are working together for a long time, and the data is real.”

“Pay with **, and I will send you an email when the time comes.”

The “Data Security Law of the People’s Republic of China” will officially take effect on September 1, further improving China’s legal system for cyberspace security governance. However, recent investigations by reporters have found that gray data transactions are still tucked away in obscure corners of online spaces such as forums, communities, and e-commerce platforms, including private trading of personal information.

Private data that is publicly sold

Gray transactions are hidden in Tieba, Taobao and other online platforms

Contact an agent to sell your house, and the next day a loan company calls to ask whether you need a loan; every year, just as your auto insurance is about to expire, sales calls from various insurance companies arrive out of nowhere… Where in the chain is the problem?

On Baidu Tieba, some personal privacy data and industry data are publicly sold.

“National corporate internal employee address books, real and verifiable” “Dianping shop data, a large volume of 30 million” “Buying video and mobile phone data, testing supported” “Buying Weibo original data”…

Gray data transactions are hidden in some online platforms

“0.9 yuan per record, captured in real time.” The reporter contacted one of the sellers, “Lin Feng”, through QQ, and the seller said that he could provide customized data for various industries including auto insurance, online loans, and credit cards. The seller particularly emphasized that all the data is extracted in real time, not the kind of “stale data that has been resold several times”, and stressed that “the price can be lower for large quantities.”

The seller showed reporters chat records of previous transactions and a data sample of auto insurance information, and assured them that “the information is true.” The sample he showed included detailed fields such as the owner’s name, ID number, mobile phone number, license plate, model, engine number, frame number (VIN), and vehicle inspection date.

Data samples shown by sellers to reporters

The seller said that the auto insurance data comes from different platforms, and that orders placed on a given day are not delivered until the next day, because the data must first be screened.

The reporter asked whether online loan data was available. The seller said that at present only phone numbers could be provided, but that for a large enough order more detailed data such as addresses could be obtained.

During the conversation, the seller reminded “Try to use voice, don’t send text”.

Another seller told reporters that while selling auto insurance by himself, he can also sell auto insurance customer information, including “precise services” such as vehicle age and insurance expiration time. “If you want auto insurance information that expires in October, you have it now, and you need to wait until next month for November.” The seller told reporters.

On Taobao, Xianyu and other e-commerce platforms, the reporter found that many merchants have listed crawler services such as data query and data collection. The offerings include data on local officials in various cities, the MIMIC clinical database, query and download access to a brokerage institution’s database, Meituan data collection, and so on.

On Taobao, a merchant named “Qihang Cashmere Products” openly provides a customizable information collection service covering the phone numbers of merchant points of interest (POI) on Sogou, Baidu, AutoNavi, and 360 maps. “Personal information cannot be collected, but companies, shops, stores, and industrial and commercial enterprises can.” The merchant told reporters that this is public information and that “there is no risk.”

Another merchant named “CityData” told reporters that it can provide second-hand housing listings including contact information, shipped within 24 hours of placing the order.

A crawler is a tool that quickly and automatically collects public information from the Internet; the search engines we use every day are all built on crawler technology.

“Generally speaking, if a crawler is collecting public data, packaging and selling it is not prohibited by law. However, even when collecting public data, if the crawling behavior is improper there are still certain legal risks, and the parties may face infringement or anti-unfair competition lawsuits.” Xiao Sa, director of the Bank of China Law Research Association, told People’s Daily Online.

Liu Gang, technical director of a technology company in Beijing, pointed out that the information a crawler can obtain is actually limited, and most of it is public. Obtaining large volumes of data by means of credential stuffing, inducement, mass posting, and phishing, however, is no longer simply the use of crawler technology to obtain information, and should instead be classified as hacking and Trojan activity.

“Industry swaps” have become a regulatory difficulty

More and more data breaches occur within the enterprise

“I registered the company at 9:22 in the morning, and our tax office has not leaked any information. Immediately, a bunch of phone calls started coming in asking whether I want bookkeeping and tax filing services.” A few days ago, a resident of Longhua District, Shenzhen complained on the People’s Daily Online leaders’ message board.

The reporter’s investigation found that information leakage is common in important livelihood areas such as real estate transactions, education and training, and financial insurance. Many respondents said that their personal information is sometimes leaked for no apparent reason, and that the “precision marketing” of some companies leaves people with nowhere to hide. Industry insiders said that “industry swaps” of data are one of the main channels of leakage, and that private data exchange between enterprises and individuals has become a difficulty for supervision.

“The phenomenon of industry exchanges is very common; for example, real estate agency employees exchange customer contact information privately, car dealers and insurance agencies exchange resources, and so on. These private behaviors are more difficult to supervise.” Liu Gang told reporters that currently, companies that handle data security generally all need to pass the network security level protection evaluation. Obtaining data on a large scale by hacking, Trojan horses and other technical methods is very difficult and risky. At present, a large amount of private data is leaked through industry exchanges, and some small service intermediaries and agencies have little awareness of customer information protection.

In fact, as citizens’ awareness of personal information protection grows and the regulatory system keeps improving, some gray transactions are coming to light.

According to media reports, the Zhejiang Provincial Communications Administration confirmed in its July 5 reply letter to a complainant that on November 11, 2019, Alibaba Cloud Computing Co., Ltd. had leaked registration information retained by a user to a third-party partner company without the user’s consent, in violation of Article 42 of the “Internet Security Law of the People’s Republic of China”.

At present, large enterprises, especially large Internet companies, regard data security as their “lifeline”: once a data security incident occurs, the consequences are unbearable. Article 21 of the Cybersecurity Law clearly stipulates that “the state implements a network security level protection (‘equal protection’) system, requiring network operators to perform security protection obligations in accordance with the requirements of the network security level protection system.” Industry insiders said that large and medium-sized enterprises generally improve their data security protection capabilities comprehensively through “equal protection”.

However, “preventing data leakage and operating in compliance with data regulations are the current difficulties faced by most enterprises.” Tong Lei, consulting director of the National Engineering Laboratory for Big Data Collaborative Security Technology of 360 Group, said frankly that medium and large enterprises have basically built up network security protection capabilities in the course of completing digital transformation; companies with higher maturity generally implement traditional data security solutions, but generally do not implement separate security controls for private data; and some companies implement General Data Protection Regulation (GDPR) privacy compliance programs for their overseas business.

“More and more data leakage occurs within enterprises.” Tong Lei said that, on the one hand, as the value of data increases, the flow of data throughout its life cycle often involves multiple departments and multiple systems, and it is difficult for the corresponding access control and permission management to satisfy both security and business demands. Differences in demands and the lack of unified security operation control often lead to data leakage incidents.

On the other hand, with data becoming a new factor of production, data carriers are widely distributed and massive volumes of data are aggregated, circulated, analyzed and shared. As a result, many companies do not understand their own data and cannot say precisely where sensitive data resides. This lack of clarity about data assets also makes it difficult to implement data security control and protection strategies.
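A company cannot apply access controls or leak detection to sensitive data it has not located, so the first practical step behind the point above is a discovery pass over its own data stores. The Python script below is an added example, not code from the article or from any company it quotes. It scans constructed records with the same field mix the seller’s sample in this article had (every name, ID number, phone number, plate and VIN here is made up), validates the checksum of 18-digit mainland China resident ID numbers so that random digit strings are not counted, and produces a per-field inventory whose example values are masked so that the report does not become another copy of the data.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed sample records (fictitious people and numbers), mirroring the
# fields the article says appeared in a seller's auto-insurance data sample.
SAMPLE_RECORDS = [
    {"owner": "Zhang San", "id_no": "110101199001010015", "phone": "13800138000",
     "plate": "京A12345", "vin": "LSGBB54E5XX000001", "inspected": "2021-06-01"},
    {"owner": "Li Si", "id_no": "11010119900101001X", "phone": "138-0013-8001",
     "plate": "沪B67890", "vin": "short", "inspected": "2021-07-15"},
    {"owner": "Wang Wu", "id_no": "not-an-id", "phone": "02112345678",
     "plate": "", "vin": "LSGBB54E5XX000002", "inspected": "2021-08-20"},
]

# ISO 7064 MOD 11-2 weights and check characters used by the 18-digit ID number.
ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK = "10X98765432"

MOBILE_RE = re.compile(r"1[3-9]\d{9}")                 # mainland mobile number, 11 digits
VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")            # 17 chars, no I, O or Q
PLATE_RE = re.compile(r"[\u4e00-\u9fa5][A-Z][A-Z0-9]{5}")  # province char + letter + 5 chars


def is_valid_cn_id(value: str) -> bool:
    """True if value is an 18-digit resident ID number with a correct check digit."""
    v = value.strip().upper()
    if not re.fullmatch(r"\d{17}[\dX]", v):
        return False
    total = sum(int(d) * w for d, w in zip(v[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == v[17]


def classify_value(value: str) -> Set[str]:
    """Return the set of sensitive-data labels that a single field value matches."""
    labels = set()
    v = value.strip()
    digits_only = re.sub(r"[\s\-()]", "", v)     # tolerate "138-0013-8001" style formatting
    if is_valid_cn_id(v):
        labels.add("cn_id")
    if MOBILE_RE.fullmatch(digits_only):
        labels.add("cn_mobile")
    if VIN_RE.fullmatch(v.upper()):
        labels.add("vin")
    if PLATE_RE.fullmatch(v.upper()):
        labels.add("plate")
    return labels


def mask(value: str) -> str:
    """Keep only the first and last two characters so a report never reproduces a raw value."""
    v = value.strip()
    if len(v) <= 4:
        return "*" * len(v)
    return v[:2] + "*" * (len(v) - 4) + v[-2:]


def inventory(records: Iterable[Dict[str, str]]) -> Dict[str, Dict]:
    """Build a per-field map of sensitive-data label counts plus one masked example."""
    report: Dict[str, Dict] = {}
    for rec in records:
        for field, value in rec.items():
            labels = classify_value(str(value))
            if not labels:
                continue
            entry = report.setdefault(field, {"counts": Counter(), "example": None})
            entry["counts"].update(labels)
            if entry["example"] is None:
                entry["example"] = mask(str(value))
    return report


if __name__ == "__main__":
    for field, entry in inventory(SAMPLE_RECORDS).items():
        print(f"{field:10s} {dict(entry['counts'])}  e.g. {entry['example']}")
```

The checksum step matters in practice: an 18-digit order number or timestamp would otherwise be counted as an ID number and inflate the inventory, while a number that fails the check (the second record) is still worth a second look, since it may simply be mistyped. Run on real stores the same logic would iterate over database columns or file contents instead of the embedded records, and the masked report is what gets shared with the people who decide on controls.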

“Data security is relative, and it is difficult to achieve absolute security.” In Liu Gang’s view, some industries oriented toward consumer services, such as real estate agencies, insurance and finance, have many grassroots outlets, high staff turnover, and direct access to customer information. These characteristics make illegal activities such as data “industry swaps” more scattered and concealed, and some companies are “overwhelmed” or “silent” when it comes to supervision, which to a certain extent enables this kind of gray transaction.

Liu Gang believes that platforms should take the initiative to strengthen their own supervision, implement internal and external risk management and control, and raise their level of information protection. He also recommends increasing the penalties for individuals who disclose private information.

At present, some institutions and enterprises are also exploring technical means to make data “available, invisible, and unavailable”. For example, privacy computing technology allows multiple parties to collaborate on data without sharing plaintext, protecting data security and user privacy while connecting data islands, which can effectively counter data “black production”.

The top-level design of data security is gradually in place

Tightening the cage of “data gray production” still requires the joint efforts of all parties

As the digital economy becomes a new engine of economic growth, the potential of data as a new factor of production is gradually emerging. How to release efficiency dividends from data collection, processing, transmission and other handling activities while ensuring that sensitive data is not infringed, leaked or sold has become the key balance for supervision.

In terms of data security protection, the upcoming Data Security Law stipulates that operators of critical information infrastructure, institutions engaged in data transaction intermediary services, state agencies and other data processors are obliged to protect data security. Articles 44 to 52 also stipulate in detail the responsibilities that each subject should bear when the corresponding obligations are violated. Xiao Sa said that this is conducive to clarifying the legal responsibilities of various subjects after violations and violations occur.

“As an important factor of production, the value of data to economic development needs to be further emphasized.” Hu Ying, director of the Data Security Department of the Cyber Security Research Center of the China Electronics Standardization Institute, believes that a major feature of the Data Security Law is that it balances data security with development: on the one hand, it clarifies the legal responsibilities of each subject in the privacy protection and data security chain; on the other hand, it encourages the lawful development and use of data to ensure the free and orderly flow of data in accordance with the law.

With the gradual implementation of the network security law, data security law, and personal information protection law, the supervision of data security and privacy protection is constantly increasing. Industry insiders believe that the top-level design is gradually in place, but to tighten the cage of “data gray production”, it still requires the joint efforts of administrative supervision, market constraints, industry self-discipline, and social supervision.

“From the perspective of regulatory trends, the information obtained in industries such as e-commerce, food delivery, express delivery, taxi-hailing, hotel chains and job-hunting not only involves user privacy and security, but may also involve national security.” Liu Gang believes that the data held by large companies is often more valuable. While strengthening the standardized management of personal information, enterprises should promote the establishment of a unified management system to ensure that data use is safe, lawful and traceable.

According to Wei Kai, deputy director of the Cloud Computing and Big Data Research Institute of the China Academy of Information and Communications Technology, the Academy has taken the lead in formulating the “Data Security Governance Capability Assessment Method”, compiled and released the “Data Security Governance Practice Guide”, and launched China’s first data security governance capability evaluation (DSG evaluation) service, which provides methodologies and operational guidelines for enterprises to build, measure and improve their own data security governance systems, and guides them in comprehensively improving their security capabilities and compliance levels in terms of strategy, technology and systems. To date, more than 20 leading enterprises have actively carried out implementation of the standard.

“For the information security industry, we should actively explore how to use data in a balanced way: not only to protect personal privacy and single-point data, but also to further magnify the value of data, to truly secure the entire data process, and to ensure that data is available, invisible and unavailable, so that it can play a greater role in empowering government and enterprise data,” said Fan Yuan, chairman of Anheng Information. (Lin Feng and Liu Gang are pseudonyms in this article. The intern’s wish also contributed to this article.)
