Taobao, Alibaba's shopping platform, which averages 925 million monthly consumers in China, had 1.18 billion pieces of user data illegally crawled.
Recently, a criminal verdict published by the People’s Court of Suiyang District, Shangqiu City, Henan Province, showed that two men, Lu and Li, had used their own crawler software to scrape Taobao for eight months. Before Alibaba discovered the activity, they had obtained nearly 1.2 billion pieces of user information.
The court ruled that Lu and Li were both guilty of infringing on citizens’ personal information and were sentenced to more than 3 years’ imprisonment and a total fine of 450,000 yuan.
The reporter contacted Alibaba about this matter. As of the time of writing, no reply has been received.
According to the Wall Street Journal, an Alibaba spokesperson responded that the company proactively discovered and handled the incident and was cooperating with law enforcement agencies to protect users. The spokesperson did not specify how many users were affected, saying only that no user information was sold to a third party and that no economic losses occurred.
But this statement does not match the content of the judgment.
According to the verdict, the perpetrator Lu was employed by Li. Starting in November 2019, Lu used his own web crawler software to collect user IDs, mobile phone numbers, and user comments from Taobao. The phone numbers were provided to Liuyang Taichuang Network Technology Co., Ltd., a company established by Li, for its business activities; from August 2019 to July 2020, the company illegally made 3.95 million yuan in profit.
The judgment also showed that the main business of Liuyang Taichuang Network Technology Co., Ltd. is “introducing customers to Taobao”, chiefly by promoting Taobao products in WeChat groups and thereby earning Taobao commissions and merchant service fees. Witness Wang Mou testified that the company’s community staff set up their own WeChat groups and provided each group’s QR code to the boss, Li, after which people would automatically join the groups.
As one of the largest shopping platforms in China, Taobao has accumulated a large amount of user privacy and consumption data. According to Alibaba’s latest financial report, for the fourth quarter of fiscal 2021, its mobile monthly active users in China’s retail market reached 925 million. In fiscal 2021, Alibaba had 1 billion active consumers worldwide.
Alibaba is not blameless for the oversight of data security protection
User privacy leaks occur frequently at Internet technology companies, and e-commerce platforms have always been the hardest hit. In December 2016, 12 GB of JD.com data was leaked through security vulnerabilities and circulated on the black market. The tens of millions of records included user names, passwords, email addresses, QQ numbers, phone numbers, ID card numbers and other fields.
On the dark side of user information leakage, the online resale of personal information is rampant. According to a previous investigation by the Securities Times, there are companies developing data collection software that can obtain user information from the e-commerce platforms of JD.com, Taobao and Pinduoduo. The software costs only 3,800 yuan, and once a buyer has purchased it, they can export the data they want by industry, region, gender and other criteria.
The frequent occurrence of data leaks reflects the importance and value of data, but it also places new requirements on the data protection capabilities of Internet companies. Attorney Hu Yang of the Beijing Guantao Zhongmao Law Firm said that the suspects in this case used illegal means to crawl data from Alibaba’s system in a highly covert manner, but that Alibaba is not without responsibility in the case.
Hu Yang said that the case exposed omissions and deficiencies in Alibaba’s data security protection, and that the company failed to detect the problem and take remedial measures in time. Under Article 60 of China’s “Cyber Security Law”, if an operator does not take immediate remedial measures for security defects, loopholes and other risks in its products or services, or does not notify users in time and report to the relevant competent authorities as required, the competent authorities shall order it to make corrections and issue a warning.
Those who refuse to make corrections or who endanger network security shall be fined between 50,000 yuan and 500,000 yuan, and the directly responsible person in charge shall be fined between 10,000 yuan and 100,000 yuan. Therefore, the competent authority may order Alibaba to make corrections and issue it a warning.
Hu Yang believes that the frequent data violations have exposed both the importance of data security protection and the insufficient investment that Chinese Internet companies have made in it. China recently officially issued the “Data Security Law”. For Internet companies, data security protection is no longer an “optional course” but a “compulsory course”, and data must be protected in strict accordance with the law.
Interface access control and third-party security cooperation
Industry insider Zhang Xuesong said that, in this Taobao user information leak, Alibaba had the technical ability to prevent the data leakage. He speculated that the leak of 1.2 billion records may have been due to defects in the design of Taobao’s internal interfaces, combined with the use of IP pools by the perpetrators to evade Taobao’s anti-scraping detection.
Zhang Xuesong explained that Taobao has two data interfaces. Under normal circumstances the anti-scraping mechanism works very well, and continuous crawling is blocked in time. But in the interface design, Taobao did not add permission controls to stop unauthorized parties from accessing users’ mobile phone numbers and other information. “The interface may have been opened for communication needs or for other convenience,” he said. “I think this is a design problem, not a capability problem.”
In addition, the use of proxy IP pools makes it hard for Taobao’s anti-scraping mechanism to operate accurately. Zhang Xuesong explained that when the same IP crawls a large amount of information it triggers Taobao’s anti-scraping mechanism, but when proxy IPs are used, detection becomes very difficult. “This is also an industry-wide problem in itself,” he said.
In this incident the suspects crawled Taobao data, but the actual victims were the users. Regarding the protection of user privacy, Zhang Xuesong believes that Alibaba can strengthen its management and control in the interface settings, especially for private information such as mobile phone numbers.
Regarding the IP proxy model, Zhang Xuesong believes that Alibaba is also fully capable of building a risk database, treating risky IPs as a threat signature database and adding it to its prevention, control and risk management system. Alibaba could also introduce a cooperation mechanism with third-party security companies to conduct a more comprehensive verification of its massive data, which would improve the security mechanism.
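The two controls Zhang Xuesong describes, field-level permission checks on the profile interface and scraping detection that does not rely on the source IP alone, can be illustrated with a small constructed model. The following is an added example written for this article; it is not Taobao's or Alibaba's code, and the profile records, phone numbers, IP addresses, session names and the `customer_service` role are all constructed, hypothetical values. The `ScrapeDetector` keys its counters on the login session as well as the IP, so a crawler that rotates through a proxy pool but reuses one session is still caught, and it consults a risk IP list of the kind described above.

```python
"""Constructed illustration of field-level authorization on a user-profile
interface plus scraping detection keyed on session identity, not only IP."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profiles (hypothetical data, not real Taobao records).
PROFILES = {
    "u1001": {"user_id": "u1001", "nickname": "shopper_a", "phone": "13800001111"},
    "u1002": {"user_id": "u1002", "nickname": "shopper_b", "phone": "13900002222"},
}


def mask_phone(phone: str) -> str:
    """Keep only the prefix and last four digits: enough to recognise, not to dial."""
    return phone[:3] + "****" + phone[-4:]


@dataclass
class Requester:
    user_id: Optional[str]            # authenticated account, None when anonymous
    roles: frozenset = frozenset()    # e.g. the hypothetical "customer_service" role


def get_profile(requester: Requester, target_id: str) -> Optional[dict]:
    """Return a profile view whose phone field depends on who is asking.

    Owner or explicitly authorised role -> raw number;
    any other logged-in user         -> masked number;
    anonymous caller                 -> no phone field at all.
    """
    profile = PROFILES.get(target_id)
    if profile is None:
        return None
    view = {"user_id": profile["user_id"], "nickname": profile["nickname"]}
    if requester.user_id is None:
        return view
    if requester.user_id == target_id or "customer_service" in requester.roles:
        view["phone"] = profile["phone"]
    else:
        view["phone"] = mask_phone(profile["phone"])
    return view


@dataclass
class ScrapeDetector:
    per_key_limit: int                      # distinct profiles allowed per key per window
    window: int                             # seconds
    risk_ips: set = field(default_factory=set)   # threat-signature list of known bad IPs
    _hits: dict = field(default_factory=lambda: defaultdict(list))

    def record(self, ts: int, ip: str, session: str, target_id: str) -> list:
        """Log one profile read and return the list of reasons it looks abusive."""
        reasons = []
        if ip in self.risk_ips:
            reasons.append("risk_ip")
        # Count on two keys. A proxy pool changes the IP every request, but
        # the scraper still presents the same session to read profiles, so
        # the session counter keeps climbing while each IP counter stays low.
        for kind, key in (("ip", ip), ("session", session)):
            bucket = [h for h in self._hits[(kind, key)] if ts - h[0] <= self.window]
            bucket.append((ts, target_id))
            self._hits[(kind, key)] = bucket
            distinct_targets = len({t for _, t in bucket})
            if distinct_targets > self.per_key_limit:
                reasons.append(f"{kind}_rate")
        return reasons


if __name__ == "__main__":
    det = ScrapeDetector(per_key_limit=20, window=60, risk_ips={"203.0.113.9"})
    # Constructed rotating-proxy pattern: new IP each request, one shared session.
    for i in range(25):
        flags = det.record(ts=i, ip=f"198.51.100.{i}", session="sess-A", target_id=f"u{i}")
        if flags:
            print(f"request {i}: {flags}")
    print(get_profile(Requester(user_id="u1002"), "u1001"))
```

Per-IP thresholds alone would pass every request in the simulated run, since each address is seen once; the session key is what flags the crawl. Production systems add further keys (device fingerprint, account age, access pattern), but the principle is the same: count on the identity the scraper cannot rotate cheaply.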
Source: Guancha