"Playing a game, the privacy is stripped away."

Han Dandong and Guan Chuyu/Rule of Law Daily
"Just playing a game, why do you want me to open so many permissions? !” Mr. Li from Quanzhou, Fujian recently played a small game called ×× Bottle, and found that this game actually requires the player to authorize the phone address book, location, access to photo albums, text messages and storage to play. "This is simply more detailed than checking the account."
Mr. Li is not the only one who over-requests permission for online games. A number of gamers recently said in an interview with the reporter of the Rule of Law Daily that many online games, especially small games, have the problem of asking for excessive permissions. For example, if you play a small game, you have to authorize your camera, microphone, positioning and address book. If you don’t agree, you can’t play the game.

"Playing a game, privacy is stripped away." A player said.

Why do players have to open so many permissions to play a game? What impact may excessive permission have on players? Why has this chaos been repeatedly banned? With these questions, the reporter launched an investigation.

Online games ask for permission excessively.

Illegal collection of personal information


"Some large online games don’t need to open so many permissions. Instead, some casual games require opening various permissions. Moreover, once the storage permission is obtained, various advertisements will pop up soon, and some will be automatically downloaded to’ My File Management’. The game didn’t have fun, and the garbage had to be cleaned up. " Mr. Li complained rather helplessly.

The reporter’s investigation found that some games will clearly explain the role of opening various permissions when applying for access rights. For example, in the privacy permission setting of the next popular hero competitive mobile game, there are explanatory information on the right side of each permission: you can experience game functions such as voice, voice to text, etc. by opening the microphone permission; Open the location permission to experience the game functions such as glory war zone and nearby people.

However, some installation-free applet games have a large number of requests for content rights unrelated to the game, and there is no relevant explanation. In the "Play Small Games in XX seconds" App, there are many small games that can be played without installation and opening. The reporter tried to play more than a dozen of them. Almost all of these games require a number of permissions from the player’s mobile phone, and they cannot enter the game without consent.

The privacy policy of a small program game named "XX Model" reads: "When you use the network service of this software, this software automatically receives and records the information on your mobile phone, including but not limited to your health data, voice used, date and time of visit, software and hardware feature information and the webpage you need."

It is understood that this is a cosmetic game. The privacy policy of this game does not indicate what the purpose of obtaining these rights information is, and "health data" has nothing to do with the game experience itself. There are many similar Applet games in the above-mentioned app, and there is this one in the privacy policy.

The reporter noticed that there are some boutique games in the App that are free of installation, but if you want to play these games, you must allow the App to access the applications on the player’s device, including photos, audio and video, and files, otherwise you will not be able to enter the game.

In fact, it is very common for online games to ask for permission excessively. In the list of apps that infringe on users’ rights and interests notified by the Ministry of Industry and Information Technology in recent years, game software has been listed many times, and the problems involved in the software can hardly be avoided in two categories: "App is forced, frequent and excessively asks for permission" and "illegally collects personal information".

On March 21 this year, the Ministry of Industry and Information Technology reported the latest batch of 55 apps that infringe on users’ rights and interests, including 7 game products. The main problems are excessive permission and illegal information collection.

In January this year, the Hainan Provincial Network Information Office conducted technical tests on various applications with a large number of users and closely related to people’s lives, in view of the illegal acquisition, out-of-range collection and over-requesting permission of apps strongly reflected by the masses. The results showed that all 17 online game apps of stick figure with a Line Drawing had behaviors such as forcing users’ permission, not specifying the purpose of requesting permission and over-collecting personal privacy information to varying degrees.

On March 27th, Chongqing Communications Administration and Sichuan Communications Administration notified the list of Apps infringing on users’ rights and interests in Sichuan and Chongqing in the third phase of 2023. A game App "illegally collects personal information, illegally uses personal information, is forced by the App, frequently and excessively asks for permission, and the app frequently starts itself and is associated with it", which became one of the typical cases that were notified.

The principle of minimization should be followed.

Obtain the necessary permissions to run.


How to measure whether a game excessively asks for permission?

Xie Lianjie, a lawyer of Beijing Yingke (Shanghai) Law Firm, believes that it can be considered from four aspects: the type, scope, quantity and purpose of authority. For example, if the game software reads contacts and short messages in the address book, the permissions are beyond the scope of its functional requirements, or reads permissions unrelated to the game, or the number of requested permissions is too large, and the requested permissions are inconsistent with the purpose of using its functions, etc., which are all excessive requests for permissions.

"To measure whether the game software excessively requests permission, we need to comprehensively consider various factors, but there is a principle that must be followed, that is, the principle of minimizing permission. The game software should only request necessary permission and cannot abuse it." Xie Lianjie said.

Xie Lianjie said that excessive access may have a series of adverse effects on users. For example, game software requires users to authorize information such as address book and location. Once users are authorized, personal privacy may be leaked; Excessive request for permission may also lead to system security risks, and malicious software can use the obtained permission to attack and tamper, bringing security risks to users; There are also some applications that must be recharged to use certain functions, and careless authorization by users may lead to unnecessary expenses.

What legal provisions are suspected of violating the game’s excessive request for permission?

Yao Jinju, a professor at Beijing Foreign Studies University, said that over-requesting permission is not necessary for providing services or unreasonable application scenarios, especially when it is silent or running in the background, and it is suspected of violating the relevant provisions of the Personal Information Protection Law, the Network Security Law and the Data Security Law. At the same time, if this behavior causes the personal dignity of natural persons to be violated or the personal and property safety to be endangered, it will violate the provisions of the Civil Code on personal rights and property rights.

"By asking for permission, the game software may directly obtain the identified or identifiable personal information, and collect, store, use, process, transmit, disclose and delete it. The Personal Information Protection Law stipulates that the processing of personal information should have a clear and reasonable purpose, and should be directly related to the purpose of processing, and adopt a method that has the least impact on personal rights and interests. " Yao Jinju said that the collection of personal information should be limited to the minimum range of processing purposes and should not be over-collected. Therefore, game software should obtain the necessary permissions to maintain the normal operation of the game strictly and limited based on clear and reasonable purposes.

Establish and improve the supervision system

Special rectification and strengthening punishment

The regulatory authorities have repeatedly stressed that it is forbidden to ask for excessive rights and constantly expose illegal game software. Why is this problem still banned?

In the view of Zhu Jie, a lawyer of Taihetai (Chongqing) Law Firm, there are three main reasons for repeated violations:

Rich profits bring great temptation. The acquisition of user rights is essentially to obtain user’s personal information. These personal information, whether processed by game operators themselves or provided directly to others, can be transformed into huge benefits.

The punishment for violations is not strong and the deterrence is insufficient. For such violations, the punishment measures of the regulatory authorities mainly include rectification within a time limit, removal from the shelves, administrative punishment, etc. These measures are not enough to offset the profits brought by violations.

Regular rectification of regulatory measures, the coverage is not large enough and the duration is not long enough, which makes some illegal manufacturers feel lucky or take temporary rectification to cope with supervision.

"The reason why game operators ask for permission excessively is to collect a large amount of personal information and dig deep into users’ consumption habits in order to seek more benefits. For game software and its operators who repeatedly violate regulations or cause serious consequences and adverse effects due to excessive permission, they should be directly punished. " Zhu Jie said that only by bringing the long-term mechanism into the supervision system and strengthening the punishment measures can the illegal manufacturers be banned.

"The problem now is not that the punishment prescribed by law is not enough, but that the corresponding law enforcement punishment has not been fully kept up." Xie Lianjie suggested that the special rectification of personal information protection in the game industry should be launched.

Some players suggested that the punishment for game operators who ask for too much authority should be strengthened, not only the illegal game software should be rectified and removed from the shelves, but also the game operators should be punished accordingly, and those who refuse to change their education should be restricted from putting their products on the shelves in the future; To further compact the platform’s responsibility, the platform should focus on the supervision of illegal game software, and smooth the reporting channels to respond to the demands of the masses.

Si Binbin, a lawyer of Beijing Tao ‘an Law Firm, also proposed to further implement the responsibility of the platform or application store. Game software on the shelves of regular application stores generally needs to access its SDK (Software Development Toolkit), which can be set to a strict form by default by the platform, and it is not allowed to be modified at will. If it is really necessary to ask for more user rights for the game software to run, it needs to be verified and confirmed by the game developer and the platform. "If there is a problem, the regulatory authorities can consider double penalties for game operators and platforms to promote the dual implementation of responsibilities."

Many experts suggested that users should also enhance their awareness of security, protect their personal information, choose a regular platform to download game software, try not to download from browsers or game stores with unknown sources, read the Privacy Agreement and User Agreement in detail, and do not authorize it easily; Find out the problem of asking for permission excessively, actively report it and jointly safeguard the online game environment.
Zhou Yuhua, senior editor of this issue.