MIIT: The app should be easy to uninstall, and shall not maliciously obstruct

The Ministry of Industry and Information Technology (MIIT) today publicly solicited comments on the “Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Applications (Draft for Comments).

Source Pexels

It is mentioned that the recommended downloading behavior of web pages should be regulated. When users browse the content of the page, without the user’s consent or active choice, shall not automatically or forcibly download the App, or force the user to download or open the App by folding display, active pop-up window, frequent prompts, etc., affecting the user’s normal browsing information. Without reasonable and justifiable reasons, users shall not be required not to download the App, or not to read the full text. Easy uninstallation. Except for the basic functional software, the App should be easily uninstalled and should not maliciously obstruct users from uninstalling by blank names, transparent icons, hidden in the background, etc.

Ministry of Industry and Information Technology Notice on Further Improving Mobile Internet Application Service Capability (Draft for Comments)

In recent years, the Ministry has vigorously promoted the improvement of mobile Internet application service quality, effectively safeguarding the legitimate rights and interests of users, and achieving positive social results, but some enterprise’s service behavior is not standardized, the implementation of the relevant links of responsibility is not in place, the problem still occurs from time to time. In order to optimize service supply, improve user experience, maintain a good information consumption environment, and promote the high-quality development of the industry, according to the “Personal Information Protection Law” “Telecommunications Regulations” “regulate the Internet information services market order of some provisions” “telecommunications and Internet users personal information protection regulations” and other relevant laws and regulations is hereby notified of the following matters.

First, to enhance the whole process of service perception, to protect the legitimate rights and interests of users
(A) regulate the installation and uninstallation behavior

1. Ensure informed consent for installation. Recommend to users to download App should follow the principle of openness and transparency, true, accurate, and complete disclosure of developer information, product features, privacy policies, permission lists, and other necessary information, and synchronize the provision of obvious “cancel” option, the user to confirm consent before downloading and installation, to effectively protect the user’s right to know, the right to choose. Do not deceive and mislead users to download and install by “stealing”, “forced bundling”, “silent download” and other ways.
2. Standardize the recommended downloading behavior of web pages. When the user browses the content of the page, without the user’s consent or active choice, do not automatically or forcibly download the App, or force the user to download and open the App by folding the display, active pop-up windows, frequent prompts, etc., affecting the user’s normal browsing information. Without reasonable and justifiable reasons, do not require users not to download the App will not be given to see, or not to read the full text.
3. Realize convenient uninstallation. In addition to the basic functions of the software, the App should be easy to uninstall, and not to blank name, transparent icon, a background is hidden or other ways to maliciously obstruct the user uninstallation.

(B) Optimize service experience

4. Window closure is optional for users. Provide clear and effective close buttons for open screen and pop-up information windows, and do not frequently interfere with the normal use of pop-up windows, or use “full-screen heat map”, highly sensitive “shake” and other methods that may cause mistriggering to induce users to operate.
5. Advance notice of service matters. Clearly expressing the product features and rights and tariff levels, there are additional conditions for opening membership, fees, etc., which should be significantly prompted. Without express, not in the process of providing product services without adding restrictive conditions, and as a reason to terminate the user’s normal use of product features and services, or reduce the service experience.
6. Start running scenarios reasonably. When not necessary for the service or without reasonable scenarios, the company shall not start other apps or make wake-up calls, calls, updates, etc.
7. A timely reminder of service renewal. If the service is provided in the form of auto-renewal or auto-renewal, the user’s consent shall be obtained, and no default checkbox or mandatory bundle shall be opened. In the auto-renewal, auto-renewal 5 days before the user’s attention by SMS and other prominent ways to remind the service period to provide a convenient way to unsubscribe at any time and auto-renewal, auto-renewal cancellation.

(III) Strengthen the protection of personal information

8. Adhere to the principle of legal and legitimate necessity. Engaged in personal information processing activities, should have a clear and reasonable purpose, not only for service experience, product development, algorithm recommendations, risk control, etc., illegal collection of personal information, or mandatory user consent to collect personal information unrelated to the service scenario. When the user refuses to provide personal information that is not necessary for the current service, it shall not affect the user’s use of the basic functions of the service.
9. Explicit personal information handling rules. Users are informed of the personal information processing rules in a concise, clear and understandable manner, highlighting the purpose, manner and scope of handling sensitive personal information, establishing a list of collected personal information, and not using default checkboxes, reduced text, lengthy text, etc. to induce users to agree to the personal information processing rules.
10. Reasonable application for permission to use. When corresponding business functions are launched, dynamically apply for the required permissions, and do not require users to agree to open multiple non-essential permissions in one package. When invoking permissions such as photo album, address book, location, etc. of the terminal, inform the user of the purpose of applying for such permissions simultaneously. The permission status set by the user shall not be changed without the user’s consent.

(D) Respond to user requests

11. Establish a customer service hotline. Encourage Internet enterprises to establish customer service hotlines, and major Internet enterprises to prominently display the phone numbers of customer service hotlines on their websites and apps to simplify the manual service transfer procedures. Encourage the improvement of customer service hotline capacity, the average monthly response time limit of up to 30 seconds, and the response rate of manual services exceeding 85%.
12. Properly handle user complaints. Publish effective contact information and accept user complaints. Respond to complaints on the Internet information service complaint platform in accordance with the standard requirements, ensure completion of processing within 15 days, and improve the satisfaction rate of complaint processing. Encourage the setting of user satisfaction assessment links in the App to guide users to participate in the assessment.

Second, improve the whole chain of management capabilities to create a healthy service ecology
(A) implement the main responsibility of App developers and operators

1. Improve the internal management mechanism. Identify the leading management department and person in charge of user services and rights protection, establish a full life-cycle personal information protection mechanism, improve the assessment and accountability system, implement relevant regulations and policies into all aspects of product development, promotion and operation, and continuously improve the level of compliance. Regularly conduct independent audits of personal information protection measures and implementation, etc. to effectively prevent potential risks.
2. Enhance technical security capabilities. Adopt security technical measures such as access control, technical encryption, de-identification, etc. to strengthen front-end and back-end security protection. Proactively monitor the discovery of personal information leakage, theft, tampering, destruction, loss, illegal use and other risk threats, and respond to disposal requirements in a timely manner.
3. Strengthen the use of software development tools (SDK) management. Before using the SDK to assess their ability to protect personal information, through contracts and other forms of clear agreement on their rights and obligations to ensure that the handling of personal information is in accordance with the law. Centrally display and timely update the names and functions of all embedded SDKs and their rules for handling personal information. Joint processing of user personal information, and infringement of user rights and interests resulting in damage, shall be jointly and severally liable in accordance with the law.

(2) Strengthen platform distribution management

4. Strictly review App uploads. Accurately register and verify the real identity and contact information of the App developer and operator, the main functions and uses of the App and other basic information, and conduct technical testing of the App to be listed. The relevant audit should be clearly responsible for, and keep audit log records, and do not meet the requirements of the shelves. The full amount of the App on the shelf should be publicized, and the App name, developer and operator, version number, the list of user terminal permissions to be obtained and their uses, and the rules for handling personal information should be prominently displayed. If you have not yet established a clear interface for distribution, you should link App downloads to application stores and guide users to download the distributed App from regular channels.
5. Strengthen the inspection of the App on the shelf. Strengthen the dynamic inspection of the App to ensure that the public information is true and accurate. For a non-compliant App that is inconsistent with the published information, or uses “hot update, hot cut” and other ways to change the main functions of the App, the permissions applied, the scene and scope of personal information collection and use, should stop providing services.
6. Improve the distribution management mechanism. Establish credit evaluation and risk alert mechanisms for App developers and operators, encourage electronic signature authentication for App distribution, and realize the traceability of the whole process of application and distribution behavior on the shelves. Strengthen the linkage with the public service platform for mobile Internet application testing and certification, with the regulatory authorities to do a good job of data reporting, monitoring and tracing, information sharing, and response disposal.

(C) standardize the SDK application services

7. Establish an information disclosure mechanism. Publicly express the SDK name, developer, version number, main functions, instructions for use, and other basic information, as well as personal information handling rules. SDK independent collection, transmission, and storage of personal information should be made separately 6 out of the description. Encourage the role of SDK management services platform to guide App development operators to use compliant SDKs.
8. Optimize functional configuration. Follow the principle of minimum necessary, according to different application scenarios or uses, to clarify the scope of SDK functions and corresponding personal information collection.

9. Strengthen service collaboration. During the whole lifecycle of product use, we take the initiative to provide compliance guidelines to App developers and operators in a clear and easy-to-understand manner to guide App developers and operators to use it correctly and reasonably and improve the level of compliance together. When the rules for handling personal information change or risks are discovered, we will update and inform App developers and operators in a timely manner.

(D) Build a firm terminal security defense line

10. Strengthen App operation management. Provide users with the functions of closing App self-launch and associated launch, as well as the convenient option of resetting the device identification code, strengthening monitoring of App silent download and hot update, and preventing private download and installation without users’ consent.
11. Strengthen the reminder of App behavior records. Enhance the ability to record permission invocation behavior, and provide convenience for users to inquire about permission invocation. Establish obvious alert mechanisms for the use of permissions such as address book, microphone, camera, location, clipboard, etc. to ensure that users know the collection status of personal information timely and accurately.
12. Improve App risk warning capability. Promote the development of App electronic signature certification, and provide early warning alerts to users to improve the identification of counterfeit, undesirable, illegal and other risky App.

(E) consolidate the responsibility of access enterprises

13. Accurate registration information. In the App, SDK provides network access services, registration and verification of the App, SDK development and operation of the real identity, contact information, and other information to improve traceability.
14. Ensure effective disposal. In accordance with the requirements of telecommunications regulators, take necessary measures to stop access to non-compliant App, and SDK, and effectively stop its violation of user rights.

III. Work requirements
(A) grasp the organization to implement. All units should adhere to the people-centered development thinking, raise the political stance, strengthen responsibility, refine the decomposition of tasks, and carefully grasp the requirements of the organization and implementation to ensure effective results. The relevant enterprises should implement the main responsibility to carry out self-examination and self-correction against the requirements of this notice, and effectively safeguard the legitimate rights and interests of users. At the same time, improve the long-term mechanism, innovative models and methods, and constantly improve the level of mobile Internet application services, so that the majority of users have a greater sense of access, happiness and security.

(B) strengthen supervision and guidance. Ministry of Industry and Information Technology to improve the measurement, notification, ranking, and public mechanism to promote the work in a solid and orderly manner, and timely summary and promotion of excellent cases and experience and practices. The local communications authority to strengthen supervision and inspection, guidance and supervision of local enterprises to implement the requirements of this notice. The implementation is not in place or irregularities, according to the law to take a deadline for rectification, public announcements, organizations off the shelves, suspension of services, administrative penalties and other measures, serious accountability investigation and punishment.

(C) strengthen the technical means. China Academy of Information and Communication Research to organize industrial forces, the comprehensive use of artificial intelligence, big data and other new technologies and new means to upgrade the national testing and certification of mobile Internet applications for the public service platform, continue to improve the platform function, do a good job of technical testing, monitoring services and regulatory support. Actively promote the application of electronic signature authentication and other traceable technical means to promote improved service management capabilities.

(D) promote industry self-regulation. Encourage industry associations and related institutions to develop industry self-regulatory conventions, and technical standards, and strengthen the assessment of certification and talent training. Further open channels to listen to the views of the public promote the exchange and interaction of all parties, guide enterprises to operate in accordance with the law, and constantly optimize and improve services, create a good environment for excellence and mutual promotion, and promote high-quality development with high-quality services