Tao Jing, School of Cyber Science and Engineering, Huazhong University of Science and Technology, JinYinHu Laboratory, Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security; Yao Li and Jingzhou Ye, University of Central Florida; Jie Wang, School of Cyber Science and Engineering, Huazhong University of Science and Technology, JinYinHu Laboratory, Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security; Xueqiang Wang, University of Central Florida
In recent years, major privacy laws like the GDPR have brought about positive changes. However, challenges remain in enforcing the laws, particularly due to under-resourced regulators facing a large number of potential privacy-violating software applications (apps) and the high costs of investigating them. Since 2019, China has launched a series of privacy enforcement campaigns known as Special Privacy Rectification Campaigns (SPRCs) to address widespread privacy violations in its mobile application (app) ecosystem. Unlike the enforcement of the GDPR, SPRCs are characterized by large-scale privacy reviews and strict sanctions, under the strong control of central authorities. In SPRCs, central government authorities issue administrative orders to mobilize various resources for market-wide privacy reviews of mobile apps. They enforce strict sanctions by requiring privacy-violating apps to rectify issues within a short timeframe or face removal from app stores. While there are a few reports on SPRCs, the effectiveness and potential problems of this campaign-style privacy enforcement approach remain unclear to the community. In this study, we conducted 18 semi-structured interviews with app-related engineers involved in SPRCs to better understand the campaign-style privacy enforcement. Based on the interviews, we reported our findings on a variety of aspects of SPRCs, such as the processes that app engineers regularly follow to achieve privacy compliance in SPRCs, the challenges they encounter, the solutions they adopt to address these challenges, and the impacts of SPRCs, etc. We found that app engineers face a series of challenges in achieving privacy compliance in their apps. For example, they receive inconsistent app privacy review reports from multiple app stores and have difficulties confirming the issues flagged by these reports; they also lack institutional support for studying privacy laws, self-validating privacy compliance of their apps, communicating effectively between multiple stakeholders, and ensuring fairness in accountability when privacy non-compliance occurs. Furthermore, we found that while SPRCs have introduced several positive changes, there remain unaddressed concerns, such as the potential existence of circumvention techniques used to evade app privacy reviews.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
