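Authors: ZHU Qirui; CHEN Ronghua[1]; YANG Zhemin[1]; LI Shuai[1]; ZHANG Yuan[1]; YANG Min[1] (System Software and Security Laboratory, Fudan University, Shanghai 200438, China)
Affiliation: [1] System Software and Security Laboratory, Fudan University, Shanghai 200438
Source: Journal of Cybersecurity (《网络空间安全科学学报》), 2024, Issue 3, pp. 3-12, 10 pages in total
Funding: Analysis and Detection Technology for Privacy Collection Behavior of Mobile Social Applications and Its Application Demonstration (2021YFB3101200).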
Abstract: The social interaction functions provided by mobile social applications (apps) allow users to easily obtain the personal information of other users, thereby promoting cross-user privacy sharing. According to the data minimization principle stipulated in relevant laws and regulations, the personal information shared by an application should be limited to the minimum scope required by the display function. Therefore, personal information that is neither stated in the privacy policy nor displayed on the user interface shall not be shared. However, existing work has paid little attention to the compliance of cross-user privacy sharing. An automated compliance detection system was therefore designed that uses privacy policies and user interfaces as the basis for determining whether cross-user privacy sharing behaviors meet the data minimization principle. The system was used to inspect 509 mobile social apps from app markets, with each app dynamically tested for 20 minutes. A total of 101 unique violating privacy sharing behaviors were found in 47 mobile social apps, involving 18 types of user privacy data. Manual verification confirmed that 91.09% of the violating privacy sharing behaviors actually exist. Experimental results show that the system performs well in both precision and recall compared to previous work.
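Keywords: mobile social applications; privacy data; cross-user privacy sharing; data minimization principle; compliance detection; privacy policy
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]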