Nearly 1.2 Billion E-Commerce Users' Information Has Been Leaked: What Is The Responsibility Of The Platform For Data Crawling?

Recently, Taobao's nearly 1.2 billion users' information was leaked, causing concern.

According to a case announced by Suiyang District People's Court of Shangqiu City, Henan Province, criminals crawled nearly 1.2 billion pieces of Taobao customers' digital ID, Taobao nickname, mobile phone number and other information through their own development software, which was used to engage in Taobao customer promotion business, with a total profit of more than 340000 yuan, and was finally sentenced to the crime of infringing citizens' personal information.

In recent years, data leakage cases occur frequently. Some experts pointed out that although enterprises are also one of the victims, from the perspective of personal information protection, as long as users suffer losses due to information leakage, the platform should shoulder certain responsibilities.

With the implementation of national and local legislation, the burden of enterprise data security in China is increasing, and those who fail to fulfill relevant obligations will face fines. On the other hand, the application of web technology such as crawler also needs legal regulation, and the use boundary of these technologies needs to be further standardized.

Nearly 1.2 billion users' information of Taobao has been leaked

According to the judgment document, in August 2020, Taobao (China) Software Co., Ltd. reported that from July 6 to 13, some illegal products bypassed the platform risk control through the MTop order evaluation interface to crawl encrypted data in batches. During this period, the number of crawling fields is huge, with an average daily crawling amount of 5 million. Crawling content includes sensitive fields such as buyer's user nickname, user evaluation content, nickname, etc.

After Taobao investigation, it was found that he was suspected of committing a major crime. He was a technician in Liuyang Taichuang Network Technology Co., Ltd. (hereinafter referred to as "Liuyang Taichuang") which was established by Li.

The main business of Liuyang Taichuang is Taobao customers, that is to promote Taobao products in wechat group, so as to obtain Taobao Commission and merchant service fee.

Since November 2019, he has developed a crawler software "taoappraisal" at home, crawling customer information through Taobao web interface, and providing Li with the mobile phone number.

Where is crawling information used? Li imported these information data into a software called "wechat plus people" to add wechat friends. According to the company's employees, the company has created several wechat groups, up to 1100, with the number of people in each group ranging from 90 to 200. These employees are responsible for sending advertising links in the group. Once Taobao users buy goods in the advertising group, the company can get a commission.

As of July 2020, the company has made a total profit of 340187.68 yuan by using crawling information. After judicial identification, a total of 1180738048 pieces of Taobao customer information such as Taobao customer's digital ID, Taobao nickname, mobile phone number and other Taobao customer information were crawled through the software developed by him, and a total of 1972611 items were sent to the defendant Li in the form of wechat file.

Is the crawled information used elsewhere? In addition to the mobile phone number provided to Li, the customer ID and Taobao nickname were stored in their own computer hard disk, and there was no leakage. Li argued that the indictment alleges that more than 3.95 million yuan is the total business volume of the company, and the profit amount should be 370000 yuan, without using the information for illegal purposes. The above information was adopted by the court.

In the end, the court held that both of them had violated the state regulations and illegally obtained citizens' personal information, and the circumstances were particularly serious, which constituted the crime of infringing on citizens' personal information. Considering the criminal circumstances and social harmfulness, the court sentenced Li to three years and six months' imprisonment and a fine of 350000; He was sentenced to three years and three months in prison and fined 100000 yuan.

"Generally speaking, platforms are also victims in similar incidents. As long as the platform takes necessary technical protection measures and has no fault in the data leakage incident, it can timely inform users and regulatory authorities of the relevant situation after the incident, and take remedial measures to actively recover the losses. Generally speaking, the platform will not be subject to administrative punishment." Xia Hailong, a lawyer from Shanghai Shenlun law firm, analyzes that, from the perspective of personal information protection, as long as users suffer losses due to information leakage, the platform needs to first compensate users for the losses.

Enterprise data security responsibility increases

In recent years, the frequent data leakage incidents in the world not only make the involved platforms bear high loss costs, but also may face huge fines for endangering the personal information security of a large number of users.

In November 2020, Marriott, an American Hotel Group, received a huge fine of 18.4 million pounds issued by the British regulator (ICO) for the leakage of personal data of millions of customers due to cyber attacks. The ICO survey found that Marriott did not take appropriate technical or organizational measures to protect personal data on its systems in accordance with the general data protection regulations (gdpr).

Facebook, a social giant, has been mired in data leaks on many occasions. In April, Facebook was accused of leaking 533 million user data, although it was later clarified that it was an old message two years ago and that the vulnerability had been fixed. However, it is reminiscent of the case that Cambridge analytics illegally obtained 87 million Facebook user data in 2018, which ended with Facebook agreeing to pay a fine of $5 billion.

With the implementation of national and local legislation, the burden of data security on Chinese enterprises will gradually become heavier.

According to the "data security law" passed on June 10, organizations and individuals carrying out data activities who fail to fulfill the obligations of data security protection (including taking necessary measures to ensure data security, strengthening risk monitoring, and carrying out risk assessment, etc.), the relevant competent authorities shall order them to make corrections, give them a warning, and may also impose a fine of not less than 50000 yuan but not more than 500000 yuan.

The draft of personal information protection law, which is being reviewed in the second instance, also puts forward corresponding requirements for personal information processors, such as formulating internal management system and operating procedures, implementing classified management of personal information, adopting corresponding encryption, adopting corresponding encryption and de identification and other security technical measures, formulating and organizing the implementation of emergency plans for personal information security incidents.

Data legislation in Shenzhen, Shanghai, Tianjin, Anhui and other places also attach great importance to data security.

For example, the "Shenzhen Special Economic Zone data regulations (Draft)" issued on June 2 states that data processors should implement the responsibility of data security management, prevent data leakage, damage, loss, tampering and illegal use, implement monitoring and early warning measures, formulate data security emergency plans, and timely inform relevant right holders when risks occur, And report to the network information department and the relevant industry authorities.

Improper use of crawlers involves multiple legal risks

Internally, enterprises as data collectors and processors should establish a sound data protection system; In addition, the application of crawler and other network technologies also needs to be further standardized.

Web crawler is a very common network information search technology in the Internet era. It was first used in the field of search engine. It collects information or data on the web page and brings it into the database.

Improper use of web crawler technology may bring multiple legal risks. In addition to the above-mentioned crimes of illegally obtaining computer information system data, illegally controlling computer information system and infringing citizens' personal information, they may also touch the crimes of infringement of copyright and fraud, and constitute unfair competition.

For example, in a case announced by the people's Court of Xuhui District, Shanghai, Duan opened a video website in 2013. Without the permission of the copyright owner, Duan used the crawler technology to set framed links to the film and television works of LETV, Tudou and other video websites, blocked the title ads, and instead published advertisements in his own web pages, making a profit of more than 740000 yuan. The court finally decided that Duan constituted a crime of copyright infringement.

In another case announced by the people's Court of Baoshan District, Shanghai, crawler technology has become a tool for fraud. Ye hired others to obtain the information of Taobao's newly opened store by purchasing crawler software, and pretended to be Taobao customer service personnel to send false information such as shop deactivation and transaction closing to the store, so as to help the store solve the problem, so as to induce the victim to agree to remote assistance and provide Alipay account and password, After that, they use the victim Alipay to recharge the video account through remote computer operation. The court held that ye's behavior constituted the crime of fraud.

The legal issues related to reptiles are more about monopoly and unfair competition. For example, "Baidu v. 360 case" in 2013, "Kumi guest suing car to settle the case" in 2017, and "micro blog lawsuit pulse illegally grabbing user information case" in 2016.

On June 14, the U.S. Supreme Court asked lower courts to re-examine the case of HiQ labs, a competitor in the LinkedIn lawsuit, for grabbing users' public information. Previously, LinkedIn lost the lawsuit because the relevant laws did not prohibit companies from grabbing publicly accessible data on the Internet.

Most of the disputes in these cases are about the ownership of data. Web crawlers can easily collect user data. In the future of data, that is, oil, it is a must for Internet operators to keep control of user data.

Take the case of "micro blog suing pulse for illegally grabbing user information", for example, when the social networking application was launched, it cooperated with sina Weibo at the beginning of its launch. Users can register and log in through microblog account and personal mobile phone number. However, Sina Weibo found that the pulse also grabs and uses a large number of sina Weibo users' Avatar, name, occupation, education and other information. The two sides terminated their cooperation and Sina Weibo filed a lawsuit.

Both the first and second instance courts hold that the above-mentioned behaviors constitute unfair competition. The second instance judgment of the Court pointed out that in the case that data resources have become an important competitive advantage and commercial resources of Internet enterprises, the competitiveness of enterprises in the Internet industry is not only reflected in the technical equipment, but also in the data scale they own. Pulse violates the developer agreement. Without the consent of users and without authorization of sina Weibo, it obtains the relevant information of its users and displays it in the personal details of pulse application. It infringes on the commercial resources of sina Weibo and obtains the competitive advantage improperly. This kind of competitive behavior has gone beyond the legitimate competition behavior protected by law.

At present, there are no supporting laws and regulations for web crawler technology in China. Under multiple disputes, the use boundary of web crawler is being regulated. In the "data security management measures (Draft)" released by the office in May 2019, the legal red line of web crawler is defined for the first time.

Article 16 of Chapter 2 of the draft provides that network operators shall not hinder the normal operation of the website by using automatic means to access and collect website data; This kind of behavior seriously affects the operation of the website. If the automatic access collection flow exceeds one third of the daily average flow of the website, it should be stopped when the website requests to stop the automatic access collection.

?