基于《个人信息保护法》的App隐私政策合规性检测

doi:10.19678/j.issn.1000-3428.0069804

摘要/Abstract

摘要：

数据隐私保护已成为社会关注的焦点，各国和地区正在陆续制定相关的法律法规，但是由于App产品发布的隐私政策存在篇幅长、专业性强等问题，利用自动化手段检测隐私政策的合规性成为亟待解决的技术难题。作为主流解决方法的机器学习模型需要标签注释的数据集进行支撑，而国内目前缺少这样的App隐私政策数据集。在分析欧盟《通用数据保护条例》(GDPR)合规性分析相关工作的基础上，设计适合我国《个人信息保护法》的标签方案，具体包括15个要求标签，然后使用网络爬虫获取10个类别、363个App的中文隐私政策，并对这些隐私政策进行语句级划分和标注，构建包括104 134个隐私政策语句及标签组成的中文隐私政策语料库。采用百度最新开源的预训练语言模型ERNIE对语料库进行训练与测试，实验结果表明，该方案检测准确率达到85.75%。

关键词: 隐私政策, 《个人信息保护法》, 合规性分析, 语料库, 自然语言处理

Abstract:

Data privacy protection has become the focus of social attention, and countries and regions are gradually formulating relevant laws and regulations in this regard. However, because of the long and professional privacy policies released by App products, the use of automated methods to detect compliance with privacy policies has become an urgent technical challenge. Machine learning models, the widely popular solutions for this challenge, require labeled annotated datasets for support; however, a lack of such App privacy policy datasets currently exists in China. Based on the EU General Data Protection Regulation (GDPR) compliance analysis, a labeling scheme suitable for China′s Personal Information Protection Law is designed, which includes 15 required labels. Subsequently, Chinese privacy policies for 363 Apps in 10 categories are obtained using Web crawlers, and these privacy policies are classified and annotated at the sentence level. A Chinese privacy policy corpus consisting of 104 134 privacy policy statements and labels is constructed. The corpus is trained and tested using the latest open-source pretraining language model from Baidu, ERNIE, with a detection accuracy of 85.75%.

Key words: privacy policy, Personal Information Protection Law, compliance analysis, corpus, Natural Language Processing (NLP)

孙雯倩, 徐天辰, 余佩厚, 陈云芳, 张伟. 基于《个人信息保护法》的App隐私政策合规性检测[J]. 计算机工程, 2025, 51(12): 189-201.

SUN Wenqian, XU Tianchen, YU Peihou, CHEN Yunfang, ZHANG Wei. Compliance Detection of App Privacy Policies Based on Personal Information Protection Law[J]. Computer Engineering, 2025, 51(12): 189-201.

https://www.ecice06.com/CN/Y2025/V51/I12/189

图/表 9

图1 方法流程

Fig.1 Method process

图2 多标签示例

Fig.2 Example of multiple labels

图3 ERNIE模型结构

Fig.3 ERNIE model structure

图4 隐私政策满足《个保法》标签的占比

Fig.4 The proportion of privacy policies that meet the label requirements of the Personal Information Protection Law

图5 隐私政策符合标签个数

Fig.5 Number of labels that comply with privacy policy

图6 合规性结果统计

Fig.6 Compliance result statistics

参考文献 25

1	刘颖, 郝晓慧. 个人数据交易的法律基础. 学术研究, 2022 (11): 85- 94.
	LIU Y , HAO X H . Legal basis for personal data transaction. Academic Research, 2022 (11): 85- 94.
2	LIU S, ZHAO B Y, GUO R J, et al. Have you been properly notified? Automatic compliance analysis of privacy policy text with GDPR article 13[C]//Proceedings of the Web Conference 2021. New York, USA: ACM, 2021: 2154-2164.
3	RAHAT T A, LONG M J, TIAN Y. Is your policy compliant? A deep learning-based empirical study of privacy policies' compliance with GDPR[C]//Proceedings of the 21st Workshop on Privacy in the Electronic Society. New York, USA: ACM, 2022: 89-102.
4	CEJAS O A , AZEEM M I , ABUALHAIJA S , et al. NLP-based automated compliance checking of data processing agreements against GDPR. IEEE Transactions on Software Engineering, 2023, 49 (9): 4282- 4303. doi: 10.1109/TSE.2023.3288901
5	WILSON S, SCHAUB F, DARA A A, et al. The creation and analysis of a website privacy policy corpus[C]//Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). Stroudsburg, USA: ACL, 2016: 1330-1340.
6	SRINATH M, WILSON S, GILES C L. Privacy at scale: introducing the PrivaSeer corpus of Web privacy policies[EB/OL]. [2024-02-02]. https://arxiv.org/pdf/2004.11131.
7	KUZNETSOV M , NOVIKOVA E , KOTENKO I , et al. Privacy policies of IoT devices: collection and analysis. Sensors (Basel), 2022, 22 (5): 1838. doi: 10.3390/s22051838
8	ZHAO K F, ZHAN X, YU L, et al. Demystifying privacy policy of third-party libraries in mobile apps[C]//Proceedings of the IEEE/ACM 45th International Conference on Software Engineering. Melbourne, Australia: IEEE Press, 2023: 1583-1595.
9	ZHAO K F, YU L, ZHOU S Y, et al. A fine-grained Chinese software privacy policy dataset for sequence labeling and regulation compliant identification[C]//Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing. Stroudsburg, USA: ACL, 2022: 10266-10277.
10	HAMDANI R, MUSTAPHA M, AMARILES D R, et al. A combined rule-based and machine learning approach for automated GDPR compliance checking[C]//Proceedings of the 18th International Conference on Artificial Intelligence and Law. New York, USA: ACM, 2021: 40-49.
11	HARKOUS H, FAWAZ K, LEBRET R, et al. Polisis: automated analysis and presentation of privacy policies using deep learning[C]//Proceedings of the 27th USENIX Conference on Security Symposium. [S. l. ]: USENIX Association, 2018: 531-548.
12	KIM N , OH H , CHOI J K . A privacy scoring framework: automation of privacy compliance and risk evaluation with standard indicators. Journal of King Saud University-Computer and Information Sciences, 2023, 35 (1): 514- 525. doi: 10.1016/j.jksuci.2022.12.019
13	BANNIHATTI K V, IYENGAR R, NISAL N, et al. Finding a choice in a haystack: automatic extraction of opt-out statements from privacy policy text[C]//Proceedings of the Web Conference 2020. New York, USA: ACM, 2020: 1943-1954.
14	LIPPI M , PAŁKA P , CONTISSA G , et al. CLAUDETTE: an automated detector of potentially unfair clauses in online terms of service. Artificial Intelligence and Law, 2019, 27 (2): 117- 139. doi: 10.1007/s10506-019-09243-2
15	TORRE D, ABUALHAIJA S, SABETZADEH M, et al. An AI-assisted approach for checking the completeness of privacy policies against GDPR[C]//Proceedings of the IEEE 28th International Requirements Engineering Conference. Zurich, Switzerland: IEEE Press, 2020: 136-146.
16	AMARAL O , ABUALHAIJA S , TORRE D , et al. AI-enabled automation for completeness checking of privacy policies. IEEE Transactions on Software Engineering, 2022, 48 (11): 4647- 4674. doi: 10.1109/TSE.2021.3124332
17	TORRE D, SOLTANA G, SABETZADEH M, et al. Using models to enable compliance checking against the GDPR: an experience report[C]//Proceedings of the 2019 ACM/IEEE International Conference on Model Driven Engineering Languages and Systems. Munich, Germany: IEEE Press, 2019: 10-20.
18	HAMDANI R, MUSTAPHA M, AMARILES D, et al. A combined rule-based and machine learning approach for automated GDPR compliance checking[C]//Proceedings of the 18th International Conference on Artificial Intelligence and Law. New York, USA: ACM, 2021: 40-49.
19	李昕, 唐鹏, 张西珩, 等. 面向GDPR隐私政策合规性的智能化检测方法. 网络与信息安全学报, 2023, 9 (6): 127- 139.
	LI X , TANG P , ZHANG X H , et al. GDPR-oriented intelligent checking method of privacy policies compliance. Chinese Journal of Network and Information Security, 2023, 9 (6): 127- 139.
20	LIAO S, ALDEEN M, YAN J W, et al. Understanding GDPR non-compliance in privacy policies of alexa skills in European marketplaces[C]//Proceedings of the ACM Web Conference 2024. New York, USA: ACM, 2024: 1081-1091.
21	赵杨, 严周周, 沈棋琦, 等. 基于机器学习的医疗健康APP隐私政策合规性研究. 数据分析与知识发现, 2022, 6 (5): 112- 126.
	ZHAO Y , YAN Z Z , SHEN Q Q , et al. Research on privacy policy compliance of medical health APP based on machine learning. Data Analysis and Knowledge Discovery, 2022, 6 (5): 112- 126.
22	徐奇睿. 基于《个人信息保护法》的移动互联网APP隐私政策合规研究[D]. 武汉: 武汉大学, 2022.
	XU Q R. Research on privacy policy compliance of mobile Internet APP based on Personal Information Protection Law[D]. Wuhan: Wuhan University, 2022. (in Chinese)
23	MOTLAGH N Y, KHAJAVI M, SHARIFI A, et al. The impact of artificial intelligence on the evolution of digital education: a comparative study of OpenAI text generation tools including ChatGPT, Bing Chat, Bard, and Ernie[EB/OL]. [2024-02-02]. https://arxiv.org/abs/2309.02029.
24	SHANG W Q, JI J L, LIU Y R. Chinese text correction system based on ernie[C]//Proceedings of the 26th ACIS International Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing. Washington D. C., USA: IEEE Press, 2023: 103-108.
25	盛小平, 唐筠杰. 我国个人信息权利与欧盟个人数据权利的比较分析: 基于《个人信息保护法》与GDPR. 图书情报工作, 2022, 66 (6): 26- 33.
	SHENG X P , TANG J J . A comparative analysis of personal information rights in China and personal data rights in EU: based on the Personal Information Protection Law and GDPR. Library and Information Service, 2022, 66 (6): 26- 33.

[1]	郑诚, 李鹏飞. 基于双超图神经网络特征融合的文本分类[J]. 计算机工程, 2025, 51(6): 127-135.
[2]	庄紫薇, 朱俊国. 面向多源文本的越南语文本检错方法[J]. 计算机工程, 2025, 51(5): 93-102.
[3]	郝志峰, 黎阳霖, 许柏炎, 蔡瑞初. 面向跨域自然语言生成SQL语句的超图神经网络[J]. 计算机工程, 2025, 51(5): 114-123.
[4]	程腾腾, 姚春龙, 于晓强, 李旭, 王庆丰. 基于多头注意力机制融合常识知识的共情对话生成[J]. 计算机工程, 2024, 50(6): 94-101.
[5]	曹渝昆, 程宇, 何祯奕, 徐康乐, 颜家洛, 李云峰. 文档上下文异构表示的句子级关系抽取方法[J]. 计算机工程, 2024, 50(5): 111-119.
[6]	朱贵德, 黄海. 文本视觉问答综述[J]. 计算机工程, 2024, 50(2): 1-14.
[7]	张文博, 黄浩, 吴迪, 唐敏杰. 基于MEGA网络和分层预测的标点恢复方法[J]. 计算机工程, 2024, 50(12): 396-406.
[8]	崔蒙蒙, 刘井平, 阮彤, 宋雨秋, 杜渂. 基于双重多视角表示的目标级隐性情感分类[J]. 计算机工程, 2024, 50(1): 79-90.
[9]	李鸿鹏, 马博, 杨雅婷, 王磊, 王震, 李晓. 基于槽位语义增强提示学习的篇章级事件抽取方法[J]. 计算机工程, 2023, 49(9): 23-31.
[10]	郭艳霞, 金勇, 唐宏, 彭金枝. 基于动态卷积与残差门控的多模态情感识别[J]. 计算机工程, 2023, 49(7): 94-101.
[11]	李静雯, 赵奎. 基于改进PCFG算法的口令猜测方法[J]. 计算机工程, 2023, 49(5): 38-47.
[12]	杨文忠, 丁甜甜, 康鹏, 卜文秀. 基于舆情新闻的中文关键词抽取综述[J]. 计算机工程, 2023, 49(3): 1-17.
[13]	蔡瑞初, 张盛强, 许柏炎. 基于结构感知混合编码模型的代码注释生成方法[J]. 计算机工程, 2023, 49(2): 61-69.
[14]	王春东, 孙嘉琪, 杨文军. 基于矫正理解的中文文本对抗样本生成方法[J]. 计算机工程, 2023, 49(2): 37-45.
[15]	田乔鑫, 孔韦韦, 滕金保, 王照乾. 基于并行混合网络与注意力机制的文本情感分析模型[J]. 计算机工程, 2022, 48(8): 266-273.

选择文件类型/文献管理软件名称

选择包含的内容