Original title: Tencent apologizes for PC QQ reading browsing records: only used to judge malicious login; data is not uploaded or stored
Author: Zhang Yating; intern: Yan Zhiting
“Strengthening user data access specification.”
Recently, a technician posted that QQ was trying to read users’ browsing records, causing widespread concern.
Programmers have since verified the claim and found that QQ’s behavior includes reading the browser’s browsing history, computing the MD5 of each URL read, comparing the hashes locally and, when an MD5 matches, uploading the corresponding group ID.
“We are sorry. We are sorting out the historical problems and strengthening the user data access specification.” On the morning of January 18, Tencent responded that PC QQ had read the browser history to judge the security risk of a user’s login, and that the data read is used within the local PC QQ client to judge whether a malicious login has occurred. None of the relevant data is uploaded to the cloud or stored.
Tencent said that it has now replaced the technical logic for detecting malicious and abnormal requests to solve the problem, and has released a new version of PC QQ.
Experts said that if Tencent’s statement is true, and the software itself only reads the relevant data without uploading it to the cloud or storing it, this does not constitute an infringement of personal privacy. The key to infringement is whether data is “uploaded to Tencent’s servers”, not whether it is captured locally.
“QQ is trying to read your browsing record”
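A technician with the username mengyx published a post titled “QQ is trying to read your browsing record” in the V2EX community.
Image: the content of mengyx’s post
Mengyx said that, to guard against some “rogue behavior” when using QQ, the desktop version of QQ had been installed specifically from the MS Store. Using the custom interception feature of Huorong, mengyx had set up protection for some important or sensitive data directories. In the end, mengyx concluded that QQ was trying to read the browsing records in Chrome.
After the post was published, it attracted the attention of many programmers. The netizen qwqdanchun verified the claim and found that the reading behavior was not aimed only at Chrome: the software tries to read the history of all Google-family browsers on the computer and extract the links. The browsers confirmed to be affected include, but are not limited to, Chrome, Chromium, 360 Speed, 360 Security, Cheetah and 2345. The netizen also found that TIM, another office application owned by Tencent, reads browser history as well.
Image: the content of netizen qwqdanchun’s post
Other programmers have since verified the problem as well. On the morning of the 18th, mengyx summarized that the software reading browser history comprises the versions after QQ for Windows 9.0.4 and TIM for Windows 3.1.0. The specific behavior is as follows: 10 minutes after login, the software reads the browser’s browsing history, computes the MD5 of each URL read and compares it locally; when an MD5 matches, it uploads the corresponding group ID (mainly for keywords such as e-commerce and stocks).
At the same time, some argued that QQ reading the history in the background may not violate user privacy. After a technical comparison, anhkgg, an operating-system programmer, found that no upload to a server takes place between reading the history and deleting the temporary files; everything is completed locally. He said he cannot draw a conclusion about QQ’s behavior, and that Tencent cannot be judged to have infringed users’ privacy merely because it temporarily reads the URLs and computes on them.
However, anhkgg also agrees that QQ is not entirely innocent in this case. Reading users’ browser history is a very sensitive behavior, and the software should make clear to users that it has done nothing with this information that harms their interests.
In response to anhkgg’s view, qwqdanchun told the 21st Century Business reporter that his verification covered only the MD5 comparison and that he had not reverse-engineered the later part, so he would not comment further. If time permits, he will reverse-engineer it and comment.
Tencent: used to judge malicious logins
On the morning of the 18th, a Zhihu account certified as “Tencent QQ” responded that PC QQ reads the browser history to judge the security risk of a user’s login, and that the data read is used within the local PC QQ client to judge whether a malicious login has occurred. None of the relevant data is uploaded to the cloud, stored or used for any other purpose.
Specifically, the operation is a technical countermeasure against malicious login that was deployed in the past: because the system had recognized that many forged QQ clients maliciously visit multiple websites as preliminary auxiliary work, logic for detecting malicious and abnormal access was added to the PC QQ client as an auxiliary means of identifying malicious clients.
“We are sorry for this incident. We are sorting out the historical problems and strengthening the user data access specification.” Tencent said that it has now replaced the technical logic for detecting malicious and abnormal requests to solve the above security risk, and has released a new version of PC QQ. To reduce inconvenience, all affected historical versions of PC QQ will be hot-updated, with upgrade packages pushed starting January 18. Mobile QQ does not perform the above operation and is not affected.
“Tencent can use this method to detect malicious login. However, in any case, it is inappropriate to read the browsing records. I hope Tencent can find a better way to solve the problem of malicious login as soon as possible,” qwqdanchun said in response to Tencent’s clarification.
According to mengyx’s latest post, QQ 9.4.2 and TIM 3.3.0, released on the evening of the 17th, removed the corresponding code and suspended the reading of browser history.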
Tencent: to judge whether malicious login
On the morning of the 18th, Zhihu account, which has been certified as “Tencent QQ”, responded by saying that PC QQ reads the browser history to judge the security risk of user login, and the data read is used to judge whether malicious login occurs in the local client of PC QQ. All relevant data will not be uploaded to the cloud, stored or used for any other purpose.
The specific situation is that this operation is a technical solution against malicious login on the history line: because the system recognizes that many forged QQ clients will visit multiple websites maliciously as the preliminary auxiliary work, the interview logic of detecting malice and exception is added to the PC QQ client as an auxiliary means to judge malicious clients.
“We are sorry for this incident. We are sorting out the historical problems and strengthening the user data access specification.” Tencent said that at present, it has replaced the technical logic of detecting malicious and abnormal requests to solve the above security risk problems, and released a new version of PC QQ. To reduce the inconvenience, all affected PC QQ historical versions will be hot updated and upgrade packages will be pushed from January 18. At the same time, mobile QQ does not exist the above operation, not affected.
“Tencent can use this method to detect malicious login. However, in any case, it is inappropriate to read the browsing records. I hope Tencent can find a better way to solve the problem of malicious login as soon as possible. ” Qwqdanchun responded to Tencent’s clarification.
According to the latest mengyx post, QQ 9.4.2 and Tim 3.3.0 released on the evening of the 17th removed the corresponding code and suspended the behavior of reading browser history.
Uploading data is the key to infringement
Does an enterprise’s reading of browser history infringe users’ privacy?
“Any company that reads browser history without informing users is infringing users’ privacy.” Xiong Dingzhong, chief partner of Qinglu law firm, told the 21st Century Business reporter that browser history is not only personal privacy but also sensitive personal information, which is protected by law.
Specifically, Xiong Dingzhong believes that if Tencent’s statement is true, and the software itself only reads the relevant data, does not upload it to the cloud, does not store it and has no contact with Tencent’s related systems, this does not constitute an infringement of personal privacy. The software is installed on the user’s personal computer, and if the processing is completed locally, it is actually not “Tencent reads the history of the browser” but rather “a piece of software installed by the user reads the history of other browsers locally”. It therefore does not constitute improper behavior by Tencent.
“However, according to the current description of netizens, the browser has a behavior of ‘uploading the corresponding group ID in the case of MD5 matching’. If the description is true, it means that it is not ‘local processing’ but ‘uploading to Tencent server’. The uploaded data will be mastered and controlled by Tencent. No matter whether Tencent stores it or not, this behavior is suspected of infringement without the informed consent of users.” Xiong Dingzhong stated that the core of the problem is whether there is “uploading to Tencent’s servers”, not whether the data is captured locally.
At the same time, Xiong Dingzhong noted that privacy and personal information rights and interests are civil rights (rights and interests) stipulated in the personality rights section of the Civil Code and are absolute rights: as long as the user’s consent has not been obtained, the user’s control over their personality rights and interests is undermined, and the user can assert those rights in court under the Civil Code. For large-scale violations of citizens’ individual rights and interests, users can also report to the relevant regulators, such as the Internet Information Office or the Market Supervision and Administration Bureau, or ask the procuratorate or the consumer association to initiate public interest litigation to protect their rights.