This may be an obvious point, but I think the Internet in China is headed towards an interesting fork in the online road. Either the Net is going to become more safe and trustworthy with respect to personal data, or dodgy practices will be accepted as commonplace and Netizens will find new and interesting ways to avoid disclosing genuine information. Using dating/matchmaking sites as an example, a recent China Daily article highlights the problem:
[S]ecurity experts say that the poor protection offered to customers by many Chinese websites means the country’s 400 million-odd netizens – the largest population in the world – actually hand over the exact details these criminals need every time they sign up for a Web service.
Research carried out by China Youth Daily shows that almost 90 percent of online users receive spam e-mail and text messages, as well as unsolicited sales calls, after entering their data online.
I’m making some very broad generalizations here, but consider this dynamic:
1. Disclosure of personal data is increasing, particularly among younger folks who are turning to the Net for banking, shopping, dating and other online services.
2. Service providers routinely misuse data, either in terms of poor security or direct commercial exploitation of customers’ information.
3. Everyone knows that #2 is going on, so when possible, some users opt to provide fake personal information.
4. At the same time, there is a general regulatory trend towards “real ID” requirements, whereby Netizens wishing to use certain services (e.g. post a comment on a BBS, set up a web site, play an online game) must input their real name and ID card number.
So we have two trends here that are somewhat incompatible. The government wants to see less anonymous/fake online activity, while users are less and less inclined to do so in the face of data security and misuse problems.
How is this going to shake out? It’s difficult to say, because you have several interrelated trends here that are affected by business practices and new regulations. For example, we are still only in the beginning stages of Real ID, and no one knows if, and to what extent, these rules will be enforced. Needless to say, there are some obvious user workarounds to Real ID requirements. Is the government more interested in the idea of a Read ID system or actually making sure that folks follow the rules?
Even if Real ID is a paper tiger, there is still a problem since many online services (e.g. banking) require the use of genuine information; if data is routinely misused, then users will either migrate towards firms that have better security or simply opt out of online services altogether (this last possibility seems unlikely of course). Technical solutions might provide some answers for security concerns, but this will not stop service providers from sharing or selling user data. This issue received a great deal of attention last week when the new Tort Liability Law, and its “right of privacy” language, came into effect.
It’s far from clear, however, that the Tort Liability Law will be a panacea for the problems of data misuse. As I wrote last week, although the new law affirms the rights of privacy and reputation (among others), no one yet knows what personal information really means or what actions might be seen as infringements of those rights.
Even if the new tort law allows users to sue service providers for misuse of personal information, that may be a poor solution to the overall problem. Let’s face it, if your bank gives out your mobile number, it’s doubtful that you will sue them. Not only will it be almost impossible to prove the misuse in a formal court setting, but your damages would probably not even be sufficient to cover your litigation costs.
Yes, I am deliberately directing this entire argument towards one conclusion: sooner or later, we are going to need a data privacy law. To some extent, this will be a retread of the privacy and reputation rights listed in the tort law. The big difference, though, is that a data privacy law would establish specific requirements for operators and service providers, including how third party information can be used and penalties for violations.
If a data privacy law can establish industry norms and if (a very big if) the law can be enforced, then this would go a long way towards strengthening trust in online platforms. With more trust, the motivation to sidestep Real ID requirements decreases.
I see this as a win-win for the government. If they want to normalize the Net and force more people out into the open in the name of social stability and national security, they need to make it safe to do so.