A few days back, I was approached by an insurance agent on the street. After a brief conversation, I agreed to meet her at a later date to discuss further. She gave me her card and I gave her a missed call. To my surprise, my name appeared on her phone even though we had never met before. She then told me that she is using an application called TrueCaller, which allowed her to see the caller's ID depending on what is available in TrueCaller's database.
Concerned about my privacy, I went on to research this application. In essence, TrueCaller's mission is,
... create a service that would easily identify incoming calls from unknown numbers. Today, Truecaller is loved by over 150 million daily active users around the world, and is the go-to app for Caller ID, spam blocking and payments.
While I understand the business use case, the approach used by TrueCaller to build up their database is a massive violation of privacy.
Owners' consent was not sought
Technical details aside, the basic level of respect for users' privacy involves seeking consent from the data owner when collecting data. However, TrueCaller does not do that, as I clearly did not grant consent for them to add my number to their database, nor did I grant consent for them to display my name to a third party.
You may share the names, numbers, Google ID’s and email addresses contained in Your address book (“Contact Information”) with Truecaller by enabling the Truecaller Enhanced Search Functionality. ... In addition to Contact Information, if You choose to activate use of a third party service, such as social networks services, within the Services, Truecaller may collect, store and use the list of identifiers associated with said services linked to the Contact Information in order to enhance the results shared with other Users.
When answering a FAQ on "Does Truecaller upload my phonebook?", the company carefully worded their reply,
Your phonebook is never made publicly searchable to others on Truecaller if you install our app from the Google Play Store or Apple App Store or if you are a user in the EU. For users in certain countries outside the EU, if you download the app from our website, or if the app comes pre-loaded on your phone, or if you use our website to search, then you have the option to share your phonebook by registering for ‘Enhanced Search’ and confirming that you have obtained consent to upload such details from those in your phonebook. Enhanced Search is permission-based and is displayed to users when registering. You can switch off Enhanced Search at any time.
If you have a friend who is using TrueCaller and he/she decides to allow the app to access his/her phonebook, your contact information then gets uploaded to the TrueCaller database. Depending on the situation, it may be publicly searchable. However, regardless of whether it is searchable or not, TrueCaller had already collected the information without explicit consent from the data owner. Period.
When asked "Do you share our information with third party companies?", here is their response,
Yes, but only in limited circumstances. However, we need to work with third parties in order to give our users the best user experience and support development of our services. For instance, when you download Truecaller for the first time, we need to verify your number via an SMS – for this, we work with an SMS provider to deliver the verification code to confirm your number. Another example is that we use certain third party services to find bugs, analyze crash reports, to improve the apps functionalities, or to show you ads (from trusted third parties like Google) etc.
So they make use of our information which was collected without our consent to monetize their services to existing users.
Excessive permissions requested
When installed, the TrueCaller app requests the following permissions:
- Allow Truecaller to access your phone call logs
- Allow Truecaller to make and manage phone calls
- Contact access
- Receive/Read your text messages (SMS or MMS)
- Full network access
- View network and Wi-Fi connections
- Receive data from Internet
- Directly call phone numbers
- Read phone status and identity
- Reroute outgoing calls
- Modify phone state
- Modify or delete the contents of your USB storage
- Disable your screen lock and prevent the device from sleeping
- Modify your contacts
While most of these permissions are optional, the majority of users will likely just grant them blindly. These are all sensitive permissions that are typically requested by malware to snoop around on your phone. Don't get me wrong, I am not saying that the TrueCaller app is malware, I am just trying to emphasize that the permissions requested are excessive and most users will just grant them without question.
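One way to check what an app asks for before granting anything, as an added example that is not part of the original article: the script below reads a decoded `AndroidManifest.xml` and flags sensitive permissions, marking those that expose data about people other than the phone's owner. The mapping from the labels above to Android manifest names is my assumption, and the sample manifest and its package name `com.example.callerid` are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from Android manifest names to the article's permission labels.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "access phone call logs",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_CONTACTS": "contact access",
    "android.permission.WRITE_CONTACTS": "modify contacts",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "receive text messages",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
    "android.permission.PROCESS_OUTGOING_CALLS": "reroute outgoing calls",
}
# Permissions that reveal data about people other than the device owner.
THIRD_PARTY_DATA = {
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
}

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callerid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

def audit_manifest(xml_text):
    """Return (sensitive, third_party) permission lists found in a manifest."""
    root = ET.fromstring(xml_text)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name and name not in requested:  # skip duplicates
                requested.append(name)
    sensitive = [p for p in requested if p in SENSITIVE]
    third_party = [p for p in sensitive if p in THIRD_PARTY_DATA]
    return sensitive, third_party

if __name__ == "__main__":
    sensitive, third_party = audit_manifest(SAMPLE_MANIFEST)
    for perm in sensitive:
        flag = "  <-- exposes other people's data" if perm in third_party else ""
        print(f"{perm}: {SENSITIVE[perm]}{flag}")
```
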
What can I do to protect my own privacy?
To unlist your number on TrueCaller, you can head over to this site and request TrueCaller to unlist your number. However, unlisting just makes your number not searchable through the app. The page did not mention if your name will still appear as a caller ID, nor did it mention if your number will be removed from the database. Hence, there is a good chance that your contact information will still sit in their database, waiting to be "activated".
While you can unlist your number on TrueCaller, there is seriously nothing much you can do to prevent future occurrences. There are dozens of apps similar to TrueCaller and they all harvest contact information the same way. At a personal level, we have to be mindful of what permissions an app is requesting. In this case, the TrueCaller app is requesting information (contact information in my phonebook) that does not belong to me. As a responsible person, I should not be exposing my friends' and families' information without their consent. However, such a mindset shift is likely going to take years if not decades.
Why is this important?
It may seem trivial to you to have your contact information exposed. However, there are many people who rely on their anonymity for their work and even to stay alive. This can be seen in this story of how TrueCaller's caller ID system jeopardized the life of a journalist who relied on her anonymity to help uncover stories on human trafficking, drug cartels and government corruption.
In addition, TrueCaller's database represents a huge single point of failure as it contains a massive amount of Personally Identifiable Information (PII). This is prized information that hackers will try to target, as it is very useful for targeted phishing attacks and scams.
What TrueCaller should have done is to just collect the information of registered users who have granted them explicit consent to do so. Harvesting users' phonebook information and monetizing it is hugely unethical.
As I have mentioned before, the internet is broken in the sense that data can be freely copied and the owner of the data has zero control. I am looking forward to a future where we have 100% control over our own data. Blockchain is an enabler for this but it will still take quite some time for that to be realized. While we wait for that future, all we can do is to remain vigilant and be mindful of what you share online. Also, it will be good to hold a perspective that whatever you share will be exposed. That will make you think twice before sharing.
This article is created on the Steem blockchain.