Is Truecaller Really Being True?

“You have my number, but you don’t have my consent.”

That was the line, with the hashtag #ItsNotOK, used in a series of recent front-page ads in major Indian dailies by Truecaller, a caller id and spam blocking app infamous for it's history of data breaches and intrusion of privacy.

In May 2019, Privacy International (PI), a UK-registered charity that promotes the right to privacy at an international level, published a story “concerning a journalist who was placed at risk due to the use of Truecaller by one of her sources”.

Chloe (name changed by PI) is an investigative journalist working for an international broadcast service.

“She travels around the world to work with local journalists on uncovering stories that make the headlines: from human trafficking to drug cartels and government corruption. While her documentaries are watched by many and inspire change in the countries she works in, you would not know who Chloe is if we were to tell you her real name. That is because Chloe works hard to protect her anonymity…. She values this anonymity, which allows her to approach sources without raising suspicions or concerns. When necessary, it also allows her to engage in undercover reporting,” reported PI.

In February 2019, Chloe travelled to a country in West Africa for an undercover reporting assignment. She was expecting to be there for a while and might have had to return many times over the course of the year. As a part of her job, she had to “gain the trust of several sources who are in extremely vulnerable positions”.

She bought a local SIM card to communicate with her sources. Since the people she was investigating were not state actors and had no tech resources, she was reassured that she “does not need to worry about state surveillance of her communications”.

As a part of the investigation, Chloe told her sources who she is, who she works for and what she was trying to achieve. One day, Chloe books a cab to go and meet her source. When she entered the cab, the driver greeted her “So… you work for The Inquirer (name changed by PI)?”

The driver pointed at his phone. Her number was registered as “Chloe The Inquirer Journalist.”

Shocked, Chloe called her office to try and find out how her identity had been breached. On probing, it was found that one of her sources was using Truecaller. “She called her source and after they hung up, Truecaller offered the source the option to tag Chloe’s number, since the number was not in their database. The source did not see the potential for harm and tagged Chloe’s number as “Chloe The Inquirer Journalist.” Now every time Chloe makes a phone call using that phone number, her name appears to Truecaller users, like the cab driver, as ‘Chloe The Inquirer Journalist’.”, PI reported.

Chloe’s case is not a classic case of state surveillance. “Chloe was betrayed by an app she had never even heard of: TrueCaller”. It was a systematic breach by Truecaller, an app which claims to enable you to “block unwanted calls & SMS”. It says, “Truecaller stands against women’s harassment and strives to make communication more safe and efficient.” And hence the campaign #ItsNotOk.

Other than the systematic breaches by the app, there are several cases which raise questions about the integrity of the app.

Through the tagging option on Truecaller, the person who is tagged ends up having his/her name and phone number stored on the Truecaller database. All of this is done without consent or even the awareness about the process. In 2017, the Article 29 Working  Party, an independent European advisory body on data protection and privacy, called Truecaller out for collecting and tagging non-users’ data without their consent.

Like many other applications, Truecaller’s holds two sets of privacy policy-- one for Europe and another, for the rest of the world. Needless to mention that India, which accounts is Truecaller’s largest userbase holding around 75% of its daily active users, has no Data Protection Law.

After Chloe’s case, Privacy International contacted Truecaller to enquire how they could check the safety of non-users of the app.  “ In their reply, they brought to our attention the option offered to non-users to “unlist” themselves. By unlisting oneself, a non-user prevents Truecaller from adding their number into the database,” PI revealed. During the exchange with Truecaller, they also suggested that Truecaller (a) “advertise the unlisting option more clearly” (b) “send an SMS to any non-user whose number is entered to warn them someone is attempting to enter their number and ask them for consent. This would also be an opportunity to inform them about the unlisting option.”

In the exchanged published on the website of PI, it is evident that the company didn’t pay much heed to the suggestion. The reply was, “Thanks for sharing your response. We truly appreciate the professionalism you’ve shown throughout this process, and we appreciate the feedback you’ve shared.”

Truecaller, however, claims that “the Privacy International article failed to address some of the key points, and points out that “There are privacy safeguards in place for people who are not Truecaller users but have their names tagged by a Truecaller user.

According to them, “One cannot just search for a name on our application and get a number of any user or non-user. By default, non-public numbers are shown as ‘private’ and hence hidden. A contact request must be sent to the number owner for any exchange of information to take place. This means that the number owner has full control of who can receive their number details.

The statement added, “We would point out that the investigative reporter would have been able to withhold her identity by changing her phone settings by choosing not to "Show My Caller ID" in the settings on the operating system of her phone.”

But this begs the question: If I download Truecaller, do I have to be tech-savvy enough to understand the risks I might invite? Would I also have to ensure that all the people in my contact list are equally sound and competent when it comes to technology?  

In May 2019, Economic Times reported that the data of over 300 million Truecaller users in India were being sold for about Rs 1.5 lakh on the dark web. Truecaller, however, claimed that the ‘majority’ of data that was being allegedly sold on the dark web did not match their database.

On this issue, Truecaller told Outlook, “We had long conversations with them and confirmed that there was no sensitive user information that was accessed or extracted, especially financial or payment information. This incident was not an attack on our database, as data stored on our servers is highly secured. This is something that we have communicated to Cyble as well.”

In Nov 2019, Zak Doffman from Forbes reported that “India-based researcher Ehraz Ahmed discovered the flaw, disclosing it to local media and the company and waiting for a fix before going public.” Doffman adds, “He explained to me that ‘the flaw allows an attacker to inject his malicious link as the profile URL. The user viewing the attacker’s profile by search or through a popup gets exploited.” Ahmed presented a proof of concept to demonstrate that he was able “to fetch a user's information like IP address, User-Agent, and time. The user visiting the profile would not notice this as it all happens in the background, and for the user, it would look like any other profile.”

In a statement to Outlook, Truecaller said, “As for the Ehraz Ahmed case, we have been very diligent and responsive in all communication with him. We clarified all his concerns and at the end, the error was ‘not reproducible’.”

In September 2019, the National Information Technology Development Agency (NITDA) opened an investigation into Truecaller over its privacy policy. NITDA released a statement for alerting the public on possible infringement of data. It cited Article 1.1 of the privacy policy of the app, ‘Truecaller may supplement the information provided by You with information from third parties and add it to the information provided by you.’ Quoting Article 3, ‘Truecaller may also share personal information with third-party advertisers, agencies and networks,’ NITDA observed that Truecaller collects too much data, far beyond what is necessary for the app to perform its basic function.

However, Hitesh Raj Bhagat, Truecaller’s Director of Corporate Communications, India, told Outlook that “the data protection investigation is now closed with a “favourable outcome”.

In July 2019, Internet Freedom Foundation flagged the automatic registration of unified payments interface (UPI) based IDs of Truecaller users without their knowledge and consent. As a result, the National Payments Corporation of India (NPCI) stopped onboarding new Truecaller users on the UPI Platform.

 “It’s true that in 2019 there was a bug in the app that led to the digital payment authorities to impose restrictions while onboarding new payment users. However, the issue was quickly fixed, no data was compromised and the overall app was not affected,” says Bhagat.  

In May 2020, an American cyber intelligence firm Cyble Inc revealed a data leak of the names, gender, age, city, telecom service provider, Facebook account, email id and mobile number of 4.75 crore Indians from the Truecaller database. The personal data was put up on sale for $1,000 on the dark web. In an email statement, Truecaller, however, denied any breach of its database and claimed that all user information is saved securely.

Emmanuel Paul from techpoint. Africa sought help from a developer who goes by the name Angry Wizard and dug deep into Truecaller’s algorithms and found two major loopholes.

(1)The developer hinted that all the information collected from the users is uploaded to “a third-party domain belonging to a company called CleverTap, a mobile marketing company located in Mountain View, California which enables marketers to identify, engage, and retain user info in an automated process.”

(2) “According to Angry Wizard, the information of over 30,000 contacts and names of spammers reported by Truecaller users are made public, requiring no authentication for anyone to access”, techpoint. Africa reported. On December 3, 2019, they reached out to Truecaller’s Director of Communications, Kim Fai Kok, and demanded clarification. Mr Kok refuted all the allegations.

In the article dated Dec 18, 2019, Paul, however, mentions, “To double-check these claims, on December 5, we sent two mobile numbers to the Wizard: one of a Truecaller user, and the other belonging to a non-Truecaller user and surprisingly, he sent back URLs containing information of both numbers. A day or two after, the links stopped working, so we briefly thought Truecaller had fixed the issue. But last week Friday, we received another link containing the same information from both numbers.”

If the tech companies spent half the money, time and energy to mend their algorithms and uphold the digital rights and privacy of their users, then such paint-me-in-good-light campaigns like #ItsNotOK would not be required.

This long list of allegations and data breaches by Truecaller, which according to the company were committed by "some bad actors" who would "compile databases from different sources and label them as Truecaller data", is in stark contrast to its recent campaign. But given the conflicting positions, perhaps one needs to knock on the doors of Truecaller and ask, “Was That Ok?”