On July 26, the Ministry of Public Security and the Cyberspace Administration of China released the “Administrative Measures for Public Services for National Online Identity Authentication (Draft for Comments)” (hereinafter referred to as the “Draft for Comments”) and solicited public comments.
The “Draft for Comments” consists of 16 articles, clarifying the establishment of a system for the application, promotion, and use of online numbers and online certificates. Natural persons holding valid legal identification documents can voluntarily apply for online numbers and online certificates from the national unified online identity authentication public service platform. Subsequently, when receiving internet platform services, they can present their online numbers and online certificates to verify their real identity information, without needing to provide detailed personal identity information to the platform.
This news has sparked much discussion. Can presenting certified unified online numbers and online certificates instead of providing personal real-name identity authentication information to the platform reduce issues such as platforms over-collecting and leaking personal information? Will using online numbers and online certificates for internet access affect individuals’ autonomous rights to use the internet?
The Southern Metropolis Daily reporter noted that the “National Online Identity Authentication Public Service Platform” mentioned in the “Draft for Comments” already has a mobile version launched. The “National Online Identity Authentication” APP was launched a year ago, developed by the Ministry of Public Security, and is currently in a pilot phase. Research on applicable application scenarios includes real-name registration and login of internet user accounts, and re-verification of the identity of abnormal account users. 10 government affairs APPs and 57 internet APPs have connected to this identity authentication service.
Proposed Regulation: No need to provide personal information to the APP, online certificates can be presented
The drafting instructions of the “Draft for Comments” show that the establishment of the National Online Identity Authentication Public Service Platform aims to provide the public with real identity registration and verification services based on legal identification document information, achieving the goals of facilitating the public’s use, protecting personal information security, and promoting a trustworthy online identity strategy. Its basis for formulation includes the “Cybersecurity Law”, “Data Security Law”, “Personal Information Protection Law”, and “Anti-Telecommunications and Online Fraud Law”, among others.
First, the “Draft for Comments” explains the meanings of concepts such as “online number” and “online certificate”. The National Online Identity Authentication Public Service refers to the state providing natural persons with services such as applying for online numbers and online certificates, and conducting identity verification, based on legal identification document information and relying on the national unified online identity authentication public service platform.
An online number refers to an online identity symbol composed of letters and numbers, corresponding to the identity information of a natural person, without explicit identity information; an online certificate refers to an online identity authentication credential carrying the online number and non-explicit identity information of a natural person. Online numbers and online certificates can be used for non-explicit registration and verification of the real identity information of natural persons in internet services and relevant departments, industry management, and services.
The “Draft for Comments” proposes that after an internet platform accesses the public service, if a user chooses to use an online number and online certificate to register and verify their real identity information and passes the verification, the internet platform shall not require the user to provide explicit identity information separately, unless otherwise provided by laws and administrative regulations or agreed upon by the user.
Professor Shen Kui of Peking University Law School pointed out in an article that, from a practical level, it can be understood that natural persons can consider no longer providing detailed personal identity information to the platform, but instead provide the online number and online certificate obtained from the National Online Identity Authentication Platform after application, when receiving services and engaging in related activities on internet platforms, if it is legally required to register and verify their real identity information.
In addition, if an internet platform needs to verify the real identity information of a user without retaining the user’s legal identification document information, the public service platform should only provide the user’s identity verification result. According to the provisions of laws and administrative regulations, if an internet platform does need to obtain and retain the user’s legal identification document information, the public service platform should provide it in accordance with the principle of minimization, with the user’s authorization or separate consent.
Regarding the personal information collection authority of the public service platform, the “Draft for Comments” stipulates that the processing of personal information shall not exceed the scope and limit necessary for providing natural persons with services such as applying for online numbers and online certificates and conducting identity verification, and it should fulfill the obligation to inform and obtain consent when providing public services to natural persons. Without the separate consent of the natural person, the public service platform shall not process or provide relevant data information to the outside; the public service platform shall, in accordance with the provisions of laws and administrative regulations or the user’s request, promptly delete the user’s personal information, etc.
It should be pointed out that the “Draft for Comments” emphasizes the principle of voluntariness, clarifying that natural persons holding valid legal identification documents can voluntarily apply for online numbers and online certificates from the public service platform; it encourages relevant competent authorities and key industries to promote the application of online numbers and online certificates on a voluntary basis, providing users with safe and convenient identity registration and verification services; it encourages internet platforms to access public services on a voluntary basis, to support users in using online numbers and online certificates to register and verify users’ real identity information, etc.
At the same time, to ensure the promotion effect, the public security department of the State Council and the Cyberspace Administration of China are responsible for the supervision and management of the national online identity authentication public service, supervising and guiding the public service platform to implement data security and personal information protection obligations in accordance with the law. The civil affairs, culture and tourism, radio and television, health, railway, postal and other departments of the State Council are responsible for the promotion, application, supervision and management of the above services within their respective responsibilities.
“Using Certificates to Access the Internet” triggers concerns about privacy and internet freedom, and the “Draft for Comments” has sparked a lot of controversy after its release.
Shen Kui believes that the benefits of providing online numbers and online certificates to internet platforms instead of providing detailed personal identity information include maximizing personal information security. The reason is that the fewer the subjects collecting actual personal identity information, the smaller the possibility of being required to provide personal information beyond the scope, and the smaller the possibility of the subjects collecting and storing user information leaking and illegally using information.
The “Draft for Comments” promotes the application of the online number and online certificate system on the one hand based on the principle of voluntariness, and on the other hand encourages relevant competent authorities and key industries. Shen Kui believes that in this case, the use of unified online numbers and online certificates will become more and more common, and it is not ruled out that internet platforms will directly require users to use them in the future, without giving them a choice.
The Southern Metropolis Daily reporter noted that the drafting statement of the draft for comments shows that the authentication service can minimize the internet platform’s over-collection and retention of citizens’ personal information under the guise of implementing “real-name registration”. Can this effect be achieved?
Professor Zhao Hong of Administrative Law at Peking University Law School believes that the default premise of adopting new measures to issue online numbers and online certificates to protect personal information security is that the state uniformly collects information and conducts identity verification, which is definitely safer than internet platforms. But the fact is that both private individuals and the state will have the risk of over-collecting personal information, abusing personal information, and even manipulating and monitoring individuals through information.
“If it is only for the consideration of information security, and it is believed that it is definitely safer and more reliable for the state to collect and verify information uniformly than for private enterprises, it may not be justified,” Zhao said.
Shen Kui also believes that the authentication service may bring great risks to personal privacy and personal autonomy. Originally, users were “fragmentarily exposed” as privacy in the multi-center, commercialized platform network existence. After the popularization of online numbers and online certificates, it may be very easy to become a “completely exposed” network existence on a centralized and unified platform.
In addition to privacy concerns, the controversy brought about by the online certificate and online number system also includes the impact on “internet freedom”.
Professor Lao Dongyan of Criminal Law at Tsinghua University believes that the promotion of online numbers may make all traces of an individual on the internet (including browsing traces) be easily collected “in one fell swoop”, which is equivalent to installing a surveillance tracker for everyone when they go online. Once the relevant departments do not allow individuals to use the corresponding authentication service, the right of individuals to use the internet will be restricted or even deprived, and they will lose freedoms including speaking, commenting, and obtaining information online.
Zhao Hong believes that the online number and online certificate system binds all browsing, speaking, and dissemination processes of an individual on the internet with their real identity, which is equivalent to completely eliminating the anonymity and mystery of the speaker. The public, because of their fear of being held accountable afterwards, will be cautious in their words and deeds, which may achieve the effect of “clear” governance of the internet to some extent, but the chilling effect it triggers and the damage to freedom of speech are also worrying.
Shen Kui emphasized that the vitality of the digital economy and the network society lies in multi-center rather than centralized monopoly. The online number and online certificate system may make users more cautious, and this phenomenon of self-restraint and self-binding is not conducive to stimulating the vitality of the digital economy, optimizing the digital social environment, and building a digital cooperation pattern – and the purpose of preventing platforms from over-collecting and leaking personal information can be completely achieved through existing other systems.
An expert who did not want to be named told the Southern Metropolis Daily reporter that the online number and online certificate system is actually just trying to promote an official unified identity credential, similar to an electronic ID card, which is presented when registering online, without providing more information on the APP, “there is no more complex purpose, no need to be overly alarmed”.
67 APPs participate in the pilot of the “National Online Identity Authentication” APP, with different applicable scenarios
According to the “Draft for Comments”, the service of providing natural persons with the application of online numbers and online certificates mainly relies on the national unified construction of the online identity authentication public service platform. The Southern Metropolis Daily reporter noted that this public service platform already has a mobile client pilot version launched.
“National Online Identity Authentication” APP in Apple App Store
An APP named “National Online Identity Authentication” introduces that in order to implement the relevant requirements of the state to promote the development of the digital economy and protect personal information security, the Ministry of Public Security, together with relevant ministries and commissions, organized the construction of the National Online Identity Authentication Public Service Platform. The launch time of this App was a year ago, and the developer is the Ministry of Public Security, and it is still a pilot version.
The version history of the Apple App Store shows that two months ago, the “National Online Identity Authentication” APP added the function of supporting minors to apply, and a month ago, it added the function of supporting “online number + dynamic password authentication”, etc.
The Southern Metropolis Daily reporter’s actual test found that the application process for a personal online number and online certificate is divided into four steps: using the mobile phone’s NFC function to read the ID card, then facial recognition, then setting an associated mobile phone number, and finally setting an eight-digit password.
Online number and online certificate application process
The “National Online Identity Authentication” APP states that the National Online Identity Authentication Public Service has three major advantages: first, authority, using legal identification document information and the national population basic information, and combining biometric features and other factors to verify identity, ensuring the result is authoritative and credible; second, security, not using personal explicit identity information, avoiding being over-collected, retained, and misused by relevant parties, effectively protecting personal information and privacy security; third, convenience, users can verify their identity using a smartphone.
According to official information, the National Online Identity Authentication service is mainly used for real-name registration and login of internet user accounts, re-verifying the identity of users with fraudulent accounts, and identity verification when handling government affairs service matters online. Currently, 10 government affairs APPs and 57 internet APPs have accessed the platform to pilot related services.
The scenarios piloted by these 67 APPs are not exactly the same. Some, such as the “National Government Service Platform”, can achieve “one-click login” operation, while others, such as Taobao, WeChat, and Xiaohongshu, are limited to the single scenario of re-verifying the identity of abnormal account users.
In terms of specific operation process, the Southern Metropolis Daily reporter tested with the “National Government Service Platform” APP and found that when clicking the “Online Identity Authentication Login” option of the APP, the system will automatically jump to the “National Online Identity Authentication” APP for authentication authorization, and then return to the “National Government Service Platform” APP to complete the facial recognition verification.
According to the “Personal Information and Privacy Protection Rules of the National Online Identity Authentication APP”, if the relevant application needs to conduct identity authentication through facial comparison, the relevant application collects the facial image itself and sends it to the “National Online Identity Authentication” APP. After the comparison is completed, the “National Online Identity Authentication” APP will delete the facial image information.
Online identity authentication on the “National Government Service Platform” APP
And on a “Air Travel Vertical” APP used for flight inquiries, if you choose the “Online Identity Authentication Login” option, you will still need to bind your mobile phone number again to complete the registration. Compared with the general registration process that only needs to bind a mobile phone number, the operation steps of online identity authentication are more cumbersome.
Regarding the personal information collected by the “National Online Identity Authentication” APP, the official stated that, in accordance with the provisions of laws and regulations and the requirements of network security level protection, a security management system has been established, and security measures such as data transmission encryption, de-identification processing, authentication log isolation storage, minimum access rights, and intelligent terminal local encryption have been adopted to protect user personal information from loss, leakage, damage, and unauthorized access and use.
The outside world’s concern is whether the “National Online Identity Authentication” APP will collect users’ browsing records and other personal information on other third-party platforms through online numbers and online certificates, and monitor users. The customer service of the “National Online Identity Authentication” APP responded to the Southern Metropolis Daily reporter that it will not collect information such as users’ usage records on third-party platforms, but only provide identity verification services.
If users want to cancel their online number, they can operate directly on the “National Online Identity Authentication” APP. According to the personal information and privacy protection rules of the APP, when a user actively cancels their online number, the corresponding operation will be executed immediately in the background, and the user’s personal information will be deleted immediately, except for the information that needs to be retained according to relevant laws and regulations.
Discover more from 自由档案馆
Subscribe to get the latest posts sent to your email.