BENGALURU, Karnataka—On July 29, Truecaller users updating to the latest version of the app got a rude shock when they found it was starting the process of linking their bank accounts to Truecaller UPI without their consent or even properly informing them.
By Tuesday, enough people had noticed and raised a hue and cry online, after which the company said that the incident had been caused by a bug and immediately issued a fix. Affected accounts were fixed the same day, Truecaller noted.
The shocking incident also showed how few people actually know what Truecaller does. Many people we spoke to outside the tech industry still see Truecaller as a called ID and call blocking company.
But Truecaller also runs ads on the popups it shows — for which it tracks your activities to show “relevant” advertising, and is rapidly morphing into a financial technology company tracks how your spend your money to eventually create and rank detailed financial profiles of users.
Earlier this year, Truecaller acquired MessAI, an offline credit scoring engine, which can be used for building a credit report and offering loans, while in June last year, the company acquired Chillr , an Indian payments start up that allowed users to transfer money, pay bills, or book flights.
Truecaller’s evolution from a free phone directory for the cellphone age into a payments and credit-scoring app — that evaluates your credit-worthiness by reading your SMSes — is emblematic of a broader shift in how the tech industry handles your data.
Where companies like Google, Facebook and Truecaller once served advertisements in return for free services, these companies are looking to actively “monetise” their users by providing them with financial services.
The catch, of course, is that users are often unaware that their data is being gathered and could subsequently be used against them — in the form of either lower credit-ratings and higher interest rates on loans.
It also points to how individual cell-phone numbers are being increasingly “unique identifiers” linking everything from banking, to government service delivery, to social media and email accounts.
“The battle for privacy is pretty much over at this point. You can try, but ad-tech is so mature that you can’t hide anything anymore,” said a developer, who works for a company whose tracking SDK is bundled into the Truecaller app. “People get excited about microphone access, but it’s nothing compared to the kind of information you can extract from metadata.”
Phone book to phone snoop
Truecaller has long been seen as a company that doesn’t take the privacy of people seriously. Although Europe is supposed to be one of the regions with the greatest regard for user privacy, this Swedish firm is hoovering up all kinds of data when you install it on your phone. The iOS version of the app is significantly less useful than the Android version, so its usage is particularly high in countries like India (its largest market) where Android dominates.
Most people still believe that the way Truecaller creates its shared phonebook of contacts is to scrape the information from each users’ list of contacts, thus giving up your information even if you don’t use the app, as long as someone you know does. However, Truecaller stated that this is not the case. In a blog post, the company said that it uses phone directories, social networks, and also adds names when the “community suggests names through our website and apps.”
It also noted, “Truecaller does not upload phonebooks to make them searchable or public from Google Play or Apple App Store downloads. We follow Google Play and Apple App Store guidelines strictly, which prohibits any app from doing so.” However, before Google and Apple changed their guidelines, Truecaller did in fact upload your contacts.
“When we were allowed to upload phonebooks, this was never done without an explicit consent of the user and was an optional permission,” Manan Shah, Director Marketing — India, Truecaller, wrote to HuffPost India. “The app’s core features remained fully functional even if the user chose not to share their phonebook. We always have and will continue to abide by all regulations/policies and hence when the Play Store and App Store changed these policies, we complied with them.”
“The app collects information from multiple users, and then shares that information with third parties, without consent from or even notice to users to whom that information pertains. Consent is taken from users that provide their address book to Truecaller, and not from users to whom that information pertains.”
Permissions include microphone, your device information, camera, location, photos, media, and files, sending and receiving text messages, all your contacts, Wi-Fi connections, and much more.
“There are reasons for all these permissions, and many apps that are harmless are also using many similar permissions,” pointed out Saravanan K, a mobile security consultant in Bengaluru — which points to the larger worrying state of affairs.
Third-party trackers in Truecaller
Things get murkier as you consider Truecaller’s evolution from being an app that sits in everyone’s phone, gathering a huge swathe of data, into an ad platform and a financial services providers. When the Truecaller UPI linking incident took place, an Indian security researcher who goes by Nemo decided to analyze the app and found that it was filled with third-party tracking Software Development Kits (SDKs), essentially pieces of code from other companies that sit inside the Truecaller application and can be used to track users.
These include SDKs developed by MessAI which Truecaller acquired in April; and Walnut, an expense tracking app. Meanwhile Walnut was acquired by digital lending company Capital Float last year. The SDKs might be used to gather user data and build profiles without users knowing what’s going on.
With Walnut, he noted: “If you’ve ever received any SMS with any of these words, Walnut read it: salary, sal, credit, deposit, reimb, debit.” He also posted the complete list of trigger words for Walnut online here.
Does this mean Walnut is reading any SMS in your inbox with the trigger words?
“I can’t say for sure. Without running a test with a running app, it is hard to be certain,” he said. “But there are still attack-vectors: I could register on an SMS Gateway and send SMSs to you that result in your score dropping.”
Walnut replied with the following statement from ‘Team Walnut’:
“The Walnut SDK is used independently by the Truecaller app as per their own privacy policies and controls. Walnut does not get access to any data unless a Truecaller customer consents to the data being shared. We have discontinued the SDK model and Truecaller will confirm on removal of the SDK as well as respond to any further queries on this topic.”
The company added that the SDK was “only a proof of concept,” which was discontinued on July 18. A vulnerability report on June 2 identified the Walnut SDK (com.daamitt.prime.sdk) as a potential vulnerability in the Truecaller app that could be used to tamper with the data.
Ad platforms like Inmobi and Facebook also had SDKs inside the Truecaller app. “Almost every app has ad-tech SDKs now,” Nemo said. Another researcher recently discovered that several music applications, including a Sai Baba bhajans app and an Ilaiyaraaja songs app, carried the SDK of CreditVidya, a credit ratings agency.
Although people were downloading apps to listen to songs and bhajans, each install of the apps meant that the company could start to build a detailed profile of users, with their phone number acting as a common identifier.
This was done without informing the users, and detailed profiles of millions of users were created to decide about people’s eligibility for loans.
“There are a lot of companies in this space now, but their algorithms are a black box, and the data they use is usually not clear either.”
Standard industry behaviour
Truecaller’s response made Nemo want to check what changes had been made, and in doing so, he came across the details of the various SDKs in the app. The specific details of how the SDKs would impact users however are unclear.
“I did a completely static analysis, which means I never actually ran the app,” Nemo explained. “Running it might lead to some additional insights regarding who is contacted and with what data.”
Although Truecaller is available on both Android and iOS, users on the former platform who are more likely to be affected, owing to how apps can access data on the two systems. HuffPost India has asked Truecaller for more details on information collected on iOS, but for Walnut at least, Nemo noted the SDK only works on Android.
He said, “SDK literally has this line in its code: ‘Cannot perform scoring without read SMS permission.’”
Truecaller responded by pointing out that this behavior is standard in the industry.
“In order to offer new features to enhance user experience and improve the services, third-party solutions may be utilized from time to time. As already stated, we do not share any user’s personal data with a third party without the explicit consent of the user. MessAI is now an in-house technology to Truecaller after we acquired this Bangalore based start-up in April 2019, which included its talented team and their technology to provide enhanced features like Smart Notifications and seamless communication experience to our app users.”
Companies have learned to extract as much data from users as possible, both openly and without telling us, regardless of how much of an impact this can actually have on their business. The model, one developer told HuffPost India on the condition of anonymity, is “grab everything you can, and figure out if it’s useful later.”
“Given how untransparent the industry is,” Fredrike Kaltheuner, from the Data Exploitation Programme of Privacy International, a privacy-focused global non-profit organisation that investigates and advocates for user privacy, told HuffPost India in an earlier interview. “It’s hard to say if this information is actually helping anyone get a loan. There are a lot of companies in this space now, but their algorithms are a black box, and the data they use is usually not clear either.”
This behaviour is often hard to understand for users. For example, this blog post that showed how companies even look at details like how many fields users fill on contact details, and how this information is used to extrapolate how likely they are to purchase insurance, as an example of metadata leading to conclusions that are completely non-obvious to users.
A report by Aayush Rathi and Shweta Mohandas for the Centre for Internet and Society that researched the privacy commitments taken by Indian fin-tech companies also goes over some of this ground.
“The unprecedented growth of this sector with a number of players that have an amorphous nature (not banking entities) has concomitantly come with regulatory challenges around inter alia privacy and security concerns,” Rathi and Mohandas say in their report. “For instance, a survey of 1,300 senior executives in the global financial services, and fintech industries revealed that 54% of respondents identified privacy and data protection as barriers to fintech innovation.”
Can Truecaller do this?
“Information regarding their existing bank accounts was revealed in the process, and their phone numbers and other information may have been shared with ICICI Bank.”
It also notes, “Truecaller reserves the right, at its own discretion, to freely assign and transfer the rights and obligations under these Terms to any third party.”
Also in its terms, Walnut notes that it may share user data with third parties without seeking consent under certain circumstances: if a court or government agency asks for the information, or if personally identifiable information has been removed.
As SFLC, India noted, “While Truecaller said yesterday that all affected users would be deregistered, it is still unclear how many people were affected and what information was shared. Information regarding their existing bank accounts was revealed in the process, and their phone numbers and other information may have been shared with ICICI Bank. Exact details are scant at the moment.“
“With the current laws in the country, a user hardly gets any protection from such misuse of data. Vague promises to correct one’s actions and to do better in future are insufficient and come with minimal accountability. This issue further highlights the need for a dedicated data protection law in the country.“
Unfortunately, in the absence of data privacy laws in India, we are reliant on the ethics of companies, and the actions of regulatory bodies, and there seems to be a lack of action taking place on that front. The National Payments Corporation of India (NPCI), which regulates the UPI issued much more relaxed statement, “This is enrolling mistake by the app without customer consent. With this, customer can’t do any UPI txn. For onboarding to UPI the customer still has to enter 2FA (issuer OTP and debit card) and set UPI pin. The workflow mistake is limited to enrolling and will not have any impact on any customer whatsoever.”
Replying on Twitter, the official BHIM NPCI handle also said, “Truecaller is working on a solution. In the meantime they have asked the customers to manually de-register in case of any unauthorised UPI registration.”