• Proceedings of the Korea Information Processing Society Conference
• /
• 2022.05a
• /
• pp.221-224
• /
• 2022

모바일 사용자가 증가함에 따라 모바일 앱에서 사용자가 허용하지 않은 개인정보가 유출되는 프라이버시 문제가 많아졌다. 이를 해결하기 위해 구글은 앱스토어에 등록된 앱이 사용자의 개인정보를 어떻게 활용하는지 개인정보 처리방침에 명시하도록 했다. 하지만 개인정보 처리방침이 실제로 앱의 개인정보 수집 및 처리 과정을 정확히 공개하는지 확인할 수 있는 해결책이 없으며, 사용자는 앱이 개인정보를 어떻게 활용하는지 알기 위해 개인정보 처리방침에 의존해야만 한다. 본 연구에서는 안드로이드 정적 분석으로 앱이 접근할 수 있는 데이터를 확인하고, 개인정보 처리방침의 텍스트를 추출 및 분석한 뒤 결과를 비교하여 개인정보 처리방침의 신뢰성을 분석한다. 실험을 위해 구글 앱스토어에 등록된 13,223개 앱의 패키지 파일과 부가정보를 수집했고 전처리 과정을 거쳐 분석 가능한 앱을 선정했다. 선정한 앱의 모바일 앱 분석 결과와 텍스트 분석 결과를 비교하여 모바일 앱이 개인정보 처리방침에 명시된 것보다 더 많은 개인정보에 접근할 수 있음을 입증한다.

• KIPS Transactions on Computer and Communication Systems
• /
• v.12 no.1
• /
• pp.17-24
• /
• 2023

Mobile apps frequently request permission to access sensitive data for user convenience. However, while using mobile applications, sensitive and personal data has been leaked even if users do not allow it. To deal with this problem, Google App Store has required developers to disclose how the mobile app handles user data in a privacy policy. However, users are not certain that the privacy policy describes all the app's behavior. They have no choice but to rely on the privacy policy to confirm how the app uses data. This study designed a system that checks the reliability of privacy policies by analyzing the privacy policy texts and mobile apps. First, the system extracts and analyzes the privacy policy texts to check which personal data the privacy policy discloses that the mobile apps can collect. After analyzing which data apps can access using android static analysis, we compare both results to analyze the reliability of privacy policies. For the experiment, we collected the APK files and metadata of about 13K android apps registered in the Google Play Store and preprocessed the apps by four conditions. According to the comparison between privacy policies and mobile app behavior, many apps can access more personal data than disclosed in the privacy policy.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.2
• /
• pp.305-312
• /
• 2020

The Privacy Act stipulates that the privacy policy document, which is a privacy statement, should be disclosed in order to guarantee the rights of the information subjects, and the Fair Trade Commission considers the privacy policy as a condition and conducts an unfair review of the terms and conditions under the Terms and Conditions Control Act. However, the information subjects tend not to read personal information because it is complicated and difficult to understand. Simple and legible information processing policies will increase the probability of participating in online transactions, contributing to the increase in corporate sales and resolving the problem of information asymmetry between operators and information entities. In this study, complex personal information processing policies are analyzed using deep learning, and models are presented for acquiring simplified personal information processing policies that are highly readable by the information subjects. To present the model, the personal information processing policies of 258 domestic companies were established as data sets and analyzed using deep learning technology.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.2
• /
• pp.207-216
• /
• 2024

As big data was built due to the 4th Industrial Revolution, personalized services increased rapidly. As a result, the amount of personal information collected from online services has increased, and concerns about users' personal information leakage and privacy infringement have increased. Online service providers provide privacy policies to address concerns about privacy infringement of users, but privacy policies are often misused due to the long and complex problem that it is difficult for users to directly identify risk items. Therefore, there is a need for a method that can automatically check whether the privacy policy is safe. However, the safety verification technique of the conventional blacklist and machine learning-based privacy policy has a problem that is difficult to expand or has low accessibility. In this paper, to solve the problem, we propose a safety verification technique for the privacy policy using the GPT-3.5 API, which is a generative artificial intelligence. Classification work can be performed evenin a new environment, and it shows the possibility that the general public without expertise can easily inspect the privacy policy. In the experiment, how accurately the blacklist-based privacy policy and the GPT-based privacy policy classify safe and unsafe sentences and the time spent on classification was measured. According to the experimental results, the proposed technique showed 10.34% higher accuracy on average than the conventional blacklist-based sentence safety verification technique.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1419-1427
• /
• 2012

This paper deals with the online privacy policy, which is designed to solve the information asymmetry problem between websites and internet users. We empirically analyze the recognition, confirmation of the online privacy policy, and its effects on online transaction behavior using a rich survey data representing 5,422 Korean internet users. Major results are as follows. First, there exists a significant difference between recognition and confirmation, and confirmation behavior is positively related with the importance of privacy issue and the experience of privacy invasion. Second, binary variable regressions show that internet user tends to participate in online transaction if he/she confirms the online privacy policy positively. Finally, if websites would make online privacy policy easy and short, a yearly online transaction market size of Korea would increase by 0.46 million participants and 22.4 billion KRW.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.6
• /
• pp.1477-1489
• /
• 2019

In this study, we analyzed the privacy policies of 50 Android applications that are on the top chart in EU members to present the methods for enhancing transparency based on GDPR (General Data Protection Regulation). Based on the guidelines in relation to transparency stipulated in WP29, this study extracted factors of transparency in order to ensure transparency of privacy data processing and carried out the verification procedures for each factor. The results revealed that the privacy policies provided in Google Play Store and applications need to be matched, the descriptions of the privacy policies need to be written in clear and plain language for readers to understand easily. and that it is necessary to provide information quickly and improve the descriptions of information which the data controller discloses. The research findings of this study could be used as a preliminary data for proactive responses to the EU's GDPR by substantially complying with the transparency of GDPR.

• Journal of the Korea Convergence Society
• /
• v.9 no.3
• /
• pp.231-240
• /
• 2018

Recently, personal information processing are becoming more important in the behavioral advertising based on online and mobile platform. The behavioral advertising analyzes and utilizes individual's search & purchase history, hobbies, and tendency based on the personal behavior information collected using the automatic collection device. Therefore, it collects and stores other types of personal information which did't defined in Privacy Act and can analyze personal behavior. This characteristics may cause disclosure of personal information and exposure to intrusion. In this paper, we investigate and analyze the privacy policy of the advertising agencies, and discussded the measures to be taken in collecting, storing and using personal information suitable for behavior information.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.767-779
• /
• 2013

A field of privacy protection lacks statistical information about the current status, compared to other fields. On top of that, since it has not been classified as a concrete separate field, the related survey is only conducted as a part of such concrete areas. Furthermore, this trend of being regarded as a part of fields such as informatization, information protection and law will continue in the near future. In this paper, a novel and practical way for collecting and storing a big amout of data from 110,000 privacy policies by data controller is proposed and the real analysis results is also shown. The proposed method can save time and cost compared with the traditional survey-based method while maintaining or even advancing the accuracy of results and speediness of process. The collected big personal data can be used to set up various kinds of statistical models and they will play an important role as a breakthrough of observing the present status of privacy information protection policy. The big data concept is incorporated into the privacy protection and we can observe the method and some results throughout the paper.

• The Journal of Society for e-Business Studies
• /
• v.25 no.4
• /
• pp.1-14
• /
• 2020

IT businesses in Korea have relatively strong regulations. While providing the same service, domestic businesses are in a situation of 'reverse discrimination of regulations' as they are less competitive than global IT companies in accordance with the application of the personal information protection legislation in Korea. In this paper, Personal Information Protection legislation was classified and laws of major countries were analyzed in comparative ways. It also compared and analyzed the "private policy" presented by representative Internet sites (Naver, Daum, Google, Facebook) that provide services to users in Korea. We also proposed three aspects of legislation improvement to address reverse discrimination.

• Informatization Policy
• /
• v.21 no.1
• /
• pp.17-34
• /
• 2014

The study on the structure of personal information flows is very important because government can measure and respond the risks caused by companies which collect personal information from other personal data users to operate their business. Recently, as the value of personal information is increasing, number of companies which intend to process a large scale of personal information is increasing too. Accordingly, the issue on the structure of personal data flow has become important for the leading personal information processors which receive far more personal information from others to comply the personal information protection laws. However, research on this issue has rarely performed so far. Therefore, this study proposes a framework for personal information data flow structure based on network theory. Theoretically, the results of the study may contribute to extending the application areas of the network theory to personal information area. Practically, the study may contribute to assisting regulatory authorities to find and monitor personal information processors.