TrueCaller - Crowdsourcing or Massive Violation of Privacy?

in #privacylast year

A few days back, I was approached by an insurance agent on the street. After a brief conversation, I agreed to meet her up on a later date to discuss further. She gave me her card and I gave her a missed call. To my surprise, my name appeared on her phone even though we had never met before. She then told me that she is using this application called TrueCaller which allowed her to see the caller's ID depending on what is available in TrueCaller's database.

Concerned about my privacy, I went on to research about this application. In essence, TrueCaller's mission is,

... create a service that would easily identify incoming calls from unknown numbers. Today, Truecaller is loved by over 150 million daily active users around the world, and is the go-to app for Caller ID, spam blocking and payments.

While I understand the business use case, the approach used by TrueCaller to build up their database is a massive violation of privacy.

TrueCaller


Owners' consent was not sought

Technical details aside, the basic level of respect for users' privacy involves seeking consent from the data owner when collecting data. However, TrueCaller does not do that as I clearly did not grant consent for them to add my number to their database nor did I grant consent for them to display my name to a third-party.

TrueCaller harvest these contact information by requesting users to allow the app to access their phonebook, which contains tons of information on non-users. Information of these non-users are then added to TrueCaller's database. Here is an extract from TrueCaller's privacy policy,

You may share the names, numbers, Google ID’s and email addresses contained in Your address book (“Contact Information”) with Truecaller by enabling the Truecaller Enhanced Search Functionality. ... In addition to Contact Information, if You choose to activate use of a third party service, such as social networks services, within the Services, Truecaller may collect, store and use the list of identifiers associated with said services linked to the Contact Information in order to enhance the results shared with other Users.

Source: Charitarth Unagar CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)

When answering a FAQ on "Does Truecaller upload my phonebook?", the company carefully worded their reply,

Your phonebook is never made publicly searchable to others on Truecaller if you install our app from the Google Play Store or Apple App Store or if you are a user in the EU. For users in certain countries outside the EU, if you download the app from our website, or if the app comes pre-loaded on your phone, or if you use our website to search, then you have the option to share your phonebook by registering for ‘Enhanced Search’ and confirming that you have obtained consent to upload such details from those in your phonebook. Enhanced Search is permission-based and is displayed to users when registering. You can switch off Enhanced Search at any time.

If you have a friend who is using TrueCaller and he/she decides to allow the app to access his/her phonebook, your contact information then gets uploaded to the TrueCaller database. Depending on situation, it may be publicly searchable. However, regardless it is searchable or not, TrueCaller had already collected the information without explicit consent from the data owner. Period.

When asked "Do you share our information with third party companies?", here is their response,

Yes, but only in limited circumstances. However, we need to work with third parties in order to give our users the best user experience and support development of our services. For instance, when you download Truecaller for the first time, we need to verify your number via an SMS – for this, we work with an SMS provider to deliver the verification code to confirm your number. Another example is that we use certain third party services to find bugs, analyze crash reports, to improve the apps functionalities, or to show you ads (from trusted third parties like Google) etc.

So they make use of our information which was collected without our consent to monetize their services to existing users.


Excessive permissions requested

When installed, the TrueCaller app requests for the following permissions:
Mandatory permissions,

  • Allow Truecaller to access your phone call logs
  • Allow Truecaller to make and manage phone calls
  • Contact access

Optional permissions,

  • Receive/Read your text messages (SMS or MMS)
  • Full network access
  • Location
  • Camera
  • View network and Wi-Fi connections
  • Receive data from Internet
  • Microphone
  • Directly call phone numbers
  • Read phone status and identity
  • Reroute outgoing calls
  • Modify phone state
  • Modify or delete the contents of your USB storage
  • Disable your screen lock and prevent the device from sleeping
  • Modify your contacts


Source

While most of these permissions are optional, majority of the users will likely just grant them blindly. These are all sensitive permissions that will typically requested by malware to snoop around on your phone. Don't get me wrong, I am not saying that TrueCaller app is a malware, I am just trying to emphasize that the permissions requested are excessive and most users will just grant them without question.


What can I do to protect my own privacy?

To unlist your number on TrueCaller, you can head over to this site and request TrueCaller to unlist your number. However, unlisting just makes your number not searchable through the app. The page did not mention if your name will still appear as a caller ID nor did it mention if your number will be removed from the database. Hence, there is a good chance that your contact information will still sit on their database; waiting to be "activated".

While you can unlist your number on TrueCaller, there is seriously nothing much you can do to prevent future occurrence. There are dozens of similar apps as TrueCaller and they all harvest contact information the same way. At a personal level, we have to be mindful of what the permissions are an app requesting. In this case, the TrueCaller app is requesting for information (contact information on my phonebook) that does not belong to me. As a responsible person, I should not be exposing my friends' and families' information without their consent. However, such mindset shift is likely going to take years if not decades.


Why is this important?

It may seem trivial to you to have your contact information exposed. However, there are many people who rely on their anonymity for their work and even to stay alive. This can be seen in this story of how TrueCaller's caller ID system jeopardized the life of a journalist who relied on her anonymity to help uncover stories on human trafficking, drug cartels and government corruption.

In addition, TrueCaller's database represents a huge single point of failure as it contains massive amount of Personal Identifiable Information (PII). These are prized information that hackers will try to target as they are very useful for targeted phishing attacks and scams.

Source: Owen Moore, CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)


Conclusion

What TrueCaller should have done is to just collect the information of registered users who have granted them explicit consent to do so. By harvesting users' phonebook information and monetizing them is hugely unethical.

As I have mentioned before, the internet is broken in the sense that data can be freely copied and the owner of the data has zero control. I am looking forward to a future where we have 100% control over our own data. Blockchain is an enabler for this but it will still take quite some time for that to be realized. While we wait for that future, all we can do is to remain vigilant and be mindful of what you share online. Also, it will be good to hold a perspective that whatever you share will be exposed. That will make you think twice before sharing.


10% of post rewards goes to @ph-fund and 5% goes to @steemstem to support these amazing projects.


This article is created on the Steem blockchain. Check this series of posts to learn more about writing on an immutable and censorship-resistant content platform:

Sort:  

I think our lives, our world even, are heading in that direction - no more anonymity - unless you decide to live off grid. As long as you own a smart phone, you are in some data base somewhere and that is enough to get to you, if need be. I don't think it is going to get better, nor will it ever get better. We have gone beyond the point of no return. We just have to think twice before doing anything, or else don't do anything that we do not want others to know. 😊

Ah that is so true. If our generation has already reached the point of no return, I hope at least our future generations can still protect their privacy 😅

 last year (edited)

If you watch the video I posted earlier, Google is even harvesting health records - (in the name of curing diseases of course)...

the world of AI, 5G and Blockchain will disrupt the world in a major way and in a speed that no one has seen before..

Hello dear @culgin.

As I have mentioned before, the internet is broken in the sense that data can be freely copied and the owner of the data has zero control.

We are literally exposed on the internet, and I think we can do nothing, today companies do not respect anyone and simply believe they have the right to use your data for any purpose. The question is. Where do you claim?

There is nothing much we can do really. I am only hoping that through blockchain technology, we can one day allow individuals to have full ownership and control over his/her data

Yeah, I cannot understand how so many companies these days are getting away with this kind of harvesting.... even if you are doing everything you can to protect your privacy, your friends and family can unknowingly undermine that just by posessing your information and participating in these companies' services.... it blows my mind.

That is so true. Thanks for your comment!

This post was shared to Twitter,

This post received a 30% vote from @randowhale thanks to @culgin! All funds sent to @randowhale will be used to improve the SBD peg and will be burned at a later date.


ibt
Congrats! on your upvotes from the IBT Community