随着App使用者数量迅速增长，个人信息主体隐私泄露问题也日渐严重。近年来我国相继出台了有关App个人隐私信息安全的相关法律法规，以规范App个人信息的采集、存储和处理等方面。隐私政策是附加在一个App中的、关于该App如何收集、管理、使用、披露个人信息主体数据的声明，它是个人信息安全保护的“第一道防线”。但App隐私政策不完整、可读性不好等情况大量存在，App用户的隐私面临极大威胁。尽管我国颁布了个人用户隐私保护相关的法律法规，但抽象的法律文本与具体的App隐私政策间仍存在一定的语义鸿沟，App隐私政策的合规性认定仍面临一系列挑战性问题。针对该问题，本文开展以下研究工作：

（1）在对App隐私政策完整性、一致性和可读性检测方法进行深入分析和综述的基础上，给出了App隐私政策完整性和一致性的数学定义。分析了我国目前颁布的App个人信息保护相关法律法规以及技术规范，用知识图谱描述了法律法规间的引用关系、《信息安全技术——个人信息安全规范》的部分要求和App合规性检测的要点。

（2）提出了一种App隐私政策参考模板的结构化处理方法。以三类App（交通票务类、网络约车类、网上购物类）为例，根据相关法律法规和App的类别，利用人工和NLP技术相结合的方法，对App隐私政策进行处理，得到相应类别App隐私政策的参考模板，并采用XML语言描述了这些模板的结构。

（3）提出了一种App隐私政策完整性检测方法。该方法把待检测的App隐私政策与上面得到的相应类别的App隐私政策参考模板进行匹配，包括结构匹配和要点匹配两个步骤：结构匹配是检测待测App隐私政策的标题是否完整，要点匹配是检测待测App隐私政策的内容是否满足相关法律法规的要求。为验证该方法的有效性，与现有的App合规检测平台进行了对比。结果表明，该方法不仅能够准确给出App隐私政策的完整度，还能提供待测App隐私政策缺失的标题和要点。

With the rapid growth of the number of App users, the problem of privacy leakage of personal information subjects is becoming more and more serious. In recent years, China has successively issued relevant laws and regulations on App personal privacy information security to regulate the collection, storage and processing of App personal information. The privacy policy is a statement attached to an App on how the App collects, manages, uses, and discloses personal information subject data. It is the ' first line of defense ' for the protection of personal information security. However, there are a large number of situations such as incomplete App privacy policies and poor readability, and the privacy of App users is greatly threatened. Although China has promulgated laws and regulations related to personal user privacy protection, there is still a certain semantic gap between abstract legal texts and specific App privacy policies, and the compliance of App privacy policies still faces a series of challenging problems. In view of this problem, this paper carries out the following research work :

(1)Based on the in-depth analysis and review of App privacy policy integrity, consistency and readability detection methods, the mathematical definition of App privacy policy integrity and consistency is given. This paper analyzes the relevant laws, regulations and technical specifications of App personal information protection currently promulgated in China, and describes the citation relationship between laws and regulations, some requirements of information security technology-personal information security specification and the main points of App compliance testing with knowledge graph.

(2)A structured processing method of App privacy policy reference template is proposed. Taking three types of Apps (traffic ticketing, online car-hailing, online shopping) as examples, according to the relevant laws and regulations and the categories of Apps, the App privacy policy is processed by using the method of combining artificial and NLP technology, and the reference templates of App privacy policy are obtained. The structure of these templates is described by XML language.

(3)An App privacy policy integrity detection method is proposed. This method matches the App privacy policy to be detected with the App privacy policy reference template of the corresponding category obtained above, including two steps: structure matching and point matching: structure matching is to detect whether the title of the App privacy policy to be tested is complete, and point matching is to detect whether the content of the App privacy policy to be tested meets the requirements of relevant laws and regulations. In order to verify the effectiveness of the method, it is compared with the existing App compliance detection platform. The results show that this method can not only accurately give the integrity of the App privacy policy, but also provide the title and key points of the missing App privacy policy.

[1] 魏立斐, 李梦思, 张蕾, 陈聪聪, 陈玉娇, 王勤. 基于安全两方计算的隐私保护线性回归算法[J]. 计算机工程与应用, 2021, 57(22): 139-146.

[2] Voigt P, Von Dem Bussche A. The eu general data protection regulation (gdpr) [J]. A Practical Guide, 1st Ed., Cham: Springer International Publishing, 2017, 10(31526 76): 10.5555.

[3] 市场化个人征信行业个人信息保护问题分析[EB/OL]. (2021-07-14)[2023-01-20]. https://www. creditchina.gov.cn/home/lfyj/202107/t20210714_239446.html.

[4] 朱侯, 张明鑫, 路永和. 社交媒体用户隐私政策阅读意愿实证研究[J]. 情报学报, 2018, 37(04): 362-371.

[5] 信息安全技术个人信息安全规范[EB/OL]. (2020-03-07)[2023-01-20]. https://www.secrss.com/articles/17713

[6] 个人信息保护法一周年[EB/OL]. (2022-11-02)[2023-01-20]. https://www.secrss.com/articles/48577.

[7] 回顾| 2022年度APP治理白皮书[EB/OL]. (2023-01-31)[2023-02-20]. https://docs.pingcode.com/info/14669.html.

[8] 张艳丰, 邱怡. 硬规则下我国移动阅读App隐私政策合规性研究[J]. 现代情报, 2022, 42(01): 167-176.

[9] 移动互联网应用程序(App)收集使用个人信息自评估南[EB/OL]. (2020-07-27)[2023-01-20]. https://www.cebnet.com.cn/20200727/102678352.html.

[10] 张艳丰, 邱怡. 我国移动阅读应用个人信息保护政策合规性测度研究[J]. 图书情报工作, 2021, 65(22): 9.

[11] Torre D, Abualhaija S, Sabetzadeh M, et al. An AI-assisted approach for checking the completeness of privacy policies against GDPR[C]//2020 IEEE 28th International Requirements Engineering Conference(RE). IEEE, 2020.

[12] Amaral O, Abualhaija S, Torre D, et al. AI-enabled automation for completeness checking of privacy policies[J]. arXiv preprint arXiv: 2106. 05688, 2021.

[13] Fan M, Yu L, Chen S, et al. An empirical evaluation of GDPR compliance violations in Android mHealth Apps[C]//2020 IEEE 31st International Symposium on Software Reliability Engineering(ISSRE). IEEE, 2020: 253-264.

[14] Müller N M, Kowatsch D, Debus P, et al. On GDPR compliance of companies’ privacy policies[C]//International Conference on Text, Speech, and Dialogue. Springer, Cham, 2019: 151-159.

[15] 朱璋颖, 陆亦恬, 唐祝寿, 张燕. 基于隐私政策条款和机器学习的应用分类[J]. 通信技术, 2020, 53(11): 2749-2757.

[16] Verderame L, Caputo D, Romdhana A, et al. On the (un)reliability of privacy policies in android Apps[C]//2020 International Joint Conference on Neural Networks (IJCNN). IEEE, 2020: 1-9.

[17] 赵波, 刘贤刚, 刘行, 胡影. Android应用程序个人信息安全量化评估模型研究[J]. 通信技术, 2020, 53(08): 2019-2026.

[18] Sun R, Xue M. Quality assessment of online automated privacy policy generators: an empirical study[M]//Proceedings of the Evaluation and Assessment in Software Engineering. 2020: 270-275.

[19] 姚胜译, 吴丹. App隐私政策用户友好度评价研究[J]. 信息资源管理学报, 2021, 11(1): 30-39.

[20] 徐磊, 郭旭. 大数据时代读者个人信息保护的实践逻辑与规范路径——以图书类App隐私政策文本为视角[J]. 图书馆建设, 2021, 1: 74-83.

[21] 杜永欣,周茂君. 我国网站个人信息保护的合规性考察——基于九家网站隐私政策的文本分析[J]. 重庆邮电大学学报(社会科学版), 2021, 33(04): 62-72.

[22] 唐远清, 赖星星. 社交媒体隐私政策文本研究——基于Facebook与微信的对比分析[J]. 新闻与写作, 2018(08): 31-37.

[23] 马骋宇, 刘乾坤. 移动健康应用程序的隐私政策评价及实证研究[J]. 图书情报工作, 2020, 64(07): 46-55.

[24] 杨瑞仙, 沈嘉宁, 许帆, 臧国全. 社交媒体APP隐私政策评价指标体系构建及实证研究[J]. 情报理论与实践, 2023, 46(01): 81-89.

[25] 徐奇睿. 基于《个人信息保护法》的移动互联网APP隐私政策合规研究[D]. 武汉: 武汉大学, 2022.

[26] Arzt S, Rasthofer S, FRITZ C, et al. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android Apps[J]. Acm Sigplan Notices, 2014, 49(6): 259-269.

[27] Qian C, Luo X, Le Y, et al. Vulhunter: toward discovering vulnerabilities in android applications[J]. IEEE Micro, 2015, 35(1): 44-53.

[28] Church K W. Word2Vec[J]. Natural Language Engineering, 2017, 23(1): 155-162.

[29] Andow B, Mahmud S Y, WHITAKER J, et al. Actions speak louder than words: entity-sensitive privacy policy and data flow analysis with policheck[C]//29th USENIX Security Symposium(USENIX Security 20). 2020: 985-1002.

[30] Yu X, Yang Y, Wang W, et al. Whether the sensitive information statement of the IoT privacy policy is consistent with the actual behavior[C]//2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). IEEE, 2021: 85-92.

[31] Guamán D S, Del Alamo J M, Caiza J C. GDPR compliance assessment for cross-border personal data transfers in android apps[J]. IEEE Access, 2021, 9: 15961-15982.

[32] OlukoYA O, Mackenzie L, Omoronyia I. Security-oriented view of App behaviour using textual descriptions and user-granted permission requests[J]. Computers&Security, 2020, 89: 101685.

[33] Yu L, Luo X, Qian C, et al. Enhancing the description-to-behavior fidelity in android Apps with privacy policy[J]. IEEE Transactions on Software Engineering, 2017, 44(9): 834-854.

[34] Pan Y, Ge X, Fang C, et al. A systematic literature review of android malware detection using static analysis[J]. IEEE Access, 2020, 8: 116363-116379.

[35] Wang R, Wang Z, Tang B, et al. Smartpi: Understanding permission implications of android Apps from user reviews[J]. IEEE Transactions on Mobile Computing, 2019, 19(12): 2933-2945.

[36] 贺雪乔. iOS应用隐私条例与敏感行为一致性检测系统的设计与实现[D]. 北京: 北京邮电大学, 2020.

[37] Ma Z, Wang H, Guo Y, et al. Libradar:fast and accurate detection of third-party libraries in android Apps[C]//Proceedings of the 38th International Conference on Software Engineering Companion. 2016: 653-656.

[38] 胡杰克. 基于敏感数据流的Android恶意程序及隐私泄露检测方法研究[D]. 深圳: 哈尔滨工业大学, 2021.

[39] 王靖瑜. Android应用隐私条例一致性检测及其生成技术的研究与实现[D]. 北京: 北京邮电大学, 2018.

[40] 王靖瑜, 徐明昆, 王浩宇, 徐国爱. Android应用隐私条例与敏感行为一致性检测[J]. 计算机科学与探索, 2019, 13(01): 56-69.

[41] Zhang C, Wang H, Wang R, et al. Re-checking App behavior against App description in the context of third-party libraries[C]//SEKE. 2018: 665-664.

[42] Feng Y, Chen L, Zheng A, et al. Ac-net: Assessing the consistency of description and permission in android Apps[J]. IEEE Access, 2019, 7: 57829-57842.

[43] Yu L, Luo X, Chen J, et al. PPchecker: Towards accessing the trustworthiness of android Apps’ privacy policies[J]. IEEE Transactions on Software Engineering, 2018, 47(2): 221-242.

[44] 杜代忠. Android应用隐私政策与权限使用的一致性分析引擎的研究与实现[D]. 北京:北京邮电大学, 2021.

[45] Slavin R, Wang X, Hosseini M B, et al. Toward a framework for detecting privacy policy violations in android application code[C]//Proceedings of the 38th International Conference on Software Engineering. 2016: 25-36.

[46] Solnyshkina M I, Zamaletdinov R R, Gorodetskaya L A, et al. Evaluating text complexity and Flesch-Kincaid grade level[J]. Journal of Social Studies Education Research, 2017(3).

[47] Farooq E, Ghani Manui, Naseer Z, et al. Privacy policies’ readability analysis of contemporary free healthcare Apps[C]//2020 14th International Conference on Open Source Systems and Technologies(ICOSST). IEEE, 2020: 1-7.

[48] 苗慧. 中外移动App的个人信息保护研究[D]. 北京: 北京邮电大学, 2021.

[49] Fowler L R, Gillard C, Morain S R. Readability and accessibility of terms of service and privacy policies for menstruation-tracking smartphone applications[J]. Health Promotion Practice, 2020, 21(5): 679-683.

[50] 王英. 若干国家或地区图书馆协会隐私政策的纵向分析[J]. 图书馆理论与实践, 2020 (4):28-34.

[51] Javed Y, Al Qahtani E, Shehab M. Privacy policy analysis of banks and mobile money services in the middle east[J]. Future Internet, 2021, 13(1): 10.

[52] Zhang M, Chow A, Smith H. COVID-19 contact-tracing Apps: analysis of the readability of privacy policies[J]. Journal of Medical Internet Research, 2020, 22(12): e21572.

[53] Basch C H, Mohlman J, Hillyer G C, et al. Public health communication in time of crisis: Readability of on-line COVID-19 information[J]. Disaster medicine and public health preparedness, 2020, 14(5): 635-637.

[54] Krumay B, Klar J. Readability of privacy policies[C]//IFIP Annual Conference on Data and Applications Security and Privacy. Springer, Cham, 2020: 388-399.

[55] Zhou, Lu, et al. POLICYCOMP: Counterpart Comparison of Privacy Policies Uncovers Overbroad Personal Data Collection Practices[J]. USENIX Security 2023.

[56] Huanling T, Hui Z, Hongmin W, et al. Representation of Semantic Word Embeddings Based on SLDA and Word2vec Model[J/OL]. Chinese Journal of Electronics, 2023(03): 1-8[2023-04-07].

[57] 席笑文, 郭颖, 宋欣娜等. 基于word2vec与LDA主题模型的技术相似性可视化研究[J].情报学报, 2021, 40(09): 974-983.

[58] 谭文成. 基于文字内部信息的中文词向量的研究[D]. 成都: 电子科技大学, 2020.

[59] 黄俞婷. 基于随机游走与自编码器的异质信息网络表示学习研究[D]. 西安: 西安电子科技大学, 2021.

[60] 姚振民, 邢家溧, 承海等. 基于TF-IDF的食品风险分析模型的构建与应用[J]. 中国食品学报, 2022, 22(12): 324-331.

[61] 王一宾, 郑伟杰, 程玉胜, 曹天成. 基于PLSA学习概率分布语义信息的多标签分类算法[J]. 南京大学学报(自然科学), 2021, 57(01): 75-89.

[62] 吕鲲, 陈箫羽, 靖继鹏. 基于组合分词方法和LDA模型的区块链金融产业关键技术识别研究[J]. 图书情报工作, 2022, 66(19): 110-121.

[63] 杨泉, 孙玉泉. 基于《同义词词林》深度的词义相似度计算研究[J]. 计算机工程与应用, 2020, 56(17): 48-54.

[64] 张涛, 马海群. 基于文本相似度计算的我国人工智能政策比较研究[J]. 情报杂志, 2021, 40(01): 39-47+24.

[65] 中华人民共和国个人信息保护法[EB/OL]. (2021-08-20)[2023-01-20]. http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml

[66] 刘大为, 车超, 魏小鹏. 融合多层次信息的海关同义词识别方法[J]. 计算机科学, 2022, 49(S2): 159-163.