19 highlights

  • Truecaller was developed by True Software Scandinavia, a Swedish company founded in 2009 by Nami Zarringhalam and Alan Mamedi. Mamedi is of Kurdish descent and was born in a refugee camp in northern Sweden, while Zarringhalam moved to Sweden from Tehran at the age of three; both are Swedish citizens now.

  • As of March 2021, the app has been downloaded over 581 million times, the website claims. India accounts for over a third of these downloads, and its database has a staggering 5.7 billion unique phone identities. The firm is headquartered in Stockholm, but the majority of its employees are Indian.

  • Interviews with a former senior employee who worked with the company for over half a decade, lawyers specializing in privacy laws, and experts at policy research think tanks revealed that the majority of Truecaller’s datasets are comprised of information that has been collected without a user’s consent — a feat made possible by the lack of a comprehensive legal framework surrounding data protection in India.

  • In a series of written responses to The Caravan, Truecaller insisted that it offers a “privacy-focused service” that is “committed to being transparent and compliant with the laws of the countries we operate in.” But, as Prasanna S., a coder-turned-lawyer who specializes in privacy issues, told The Caravan, “They are correct to the extent that there may not be a statutory breach in doing so. However, breach of privacy is an actionable wrong, and their activity, to the extent that they reveal personally identifiable information to the callee without the consent of the caller, is certainly a breach of privacy.”

  • In the 2017 ruling for K.S. Puttaswamy vs. Union of India, the Supreme Court held that the right to privacy is a fundamental right under Articles 14, 19 and 21 of the Constitution. However, five years later, the government is still deliberating on the data protection bill, despite several iterations — each more controversial than the last.

  • Truecaller’s database has been built by tapping four main sources: downloads of the app; white and yellow pages of foreign countries not restricted by privacy concerns; partnerships with social media platforms that publicly display numbers; and free authentication of application-programming interfaces (APIs) and software development kits (SDKs).

  • I spoke to about a hundred Indian users of Truecaller over a span of three months and found that the majority of them had indiscriminately clicked “I Agree” to sharing contacts with the company when they signed up, due to the sheer complexity and length of the agreement text. This is a well-documented phenomenon known as consent fatigue.

  • In addition, there is also the case of Truecaller users who have not directly downloaded the app from the Google or Apple stores but are instead using devices that have the app pre-installed, such as some models of Micromax, Samsung, and Wileyfox. In such cases, most users have granted access to share the names, numbers, Google IDs, and email addresses of their contacts because a feature called “Enhanced Search” is auto-checked.

  • According to the company’s red herring prospectus and statements to The Caravan, Truecaller also provides app developers free authentication of APIs and SDKs. The SDK and authentication services are offered to app developers for free, ostensibly “in the interest of Truecaller’s users. It allows app developers to quickly and easily onboard new users, provided they are also users of Truecaller. It reduces the time and friction of the typical onboarding process, which traditionally relies on missed calls or OTPs.”

  • The SDK enables user verification of unregistered customers by making a dropped call, triggered by the user's number in the background, to complete the verification flow. It should be noted here that, due to the lack of stringent privacy laws, this option is currently available only in India.

  • Surprisingly, the company has not taken any measures to seek consent from the billions of phone numbers, and is silently building up its enormous database through third-party APIs.

  • The massive size of Truecaller’s database begs the question of what the firm is doing with this database. The Caravan’s investigation revealed one possibility: The firm may be building a complete financial profile of its registered users.

  • Once they reached Bangladesh, the regular SMS feature on their device stopped working due to the service provider’s rules, the bank employee told The Caravan. However, the bank employee was still receiving SMS notifications, including one-time passwords for every online transaction, through the Truecaller app installed on their phone. They shared screenshots of some of these messages with The Caravan, featuring the logo of the national bank, their bank balance, and the last four digits of the account number on every message. This leads to the question of whether Truecaller has access to SMS content and is able to witness every “secret handshake” — OTP-based financial transactions — with a bank.

  • They confirmed that the company’s algorithm can read the content of text messages. “With a special feature called ‘SMS categorizer,’ the Truecaller software is able to recognize personal, high-priority [bank OTPs and transactions], and also spam messages of its registered user.” This ability, they added, could allow the app to send loan offers to people when their bank balance goes below a certain number. Truecaller already has a short-term loan offer up to 5 lakh rupees (around $6,600) for registered users without much paperwork.

  • Moreover, the way Truecaller has adapted to evolving legislation in parts of the world also raises some serious questions about its practices in India. The company has formulated stringent privacy regulations in Nigeria, another major market, and has rebuilt its app for European users after the European Union adopted the General Data Protection Regulation in 2016. However, a similar level of rigor has not been applied to the Indian market.

  • For instance, EU users of the app have multi-layer protection based on six legal checkpoints: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. Accordingly, EU users of the app have been provided additional access and control features in the app’s privacy center, which allow them to access, rectify, erase, restrict processing, and transfer their data. No such options are available for Indian users.

  • Prasanna, the coder-turned-lawyer, told The Caravan that “Google’s privacy policy unfortunately is very limited,” since it is designed to regulate how apps collect personal data from users. “Truecaller is a case where your personal data is collected from a contact of yours, which [then] gets used without your consent.”

  • In July 2021, the Bombay High Court issued notices to the government of India, the state government of Maharashtra, and the National Payments Corporation of India to respond to public interest litigation that claimed the Truecaller app was sharing user data in breach of rules. Shashank Posture, a lawyer-in-training who filed the petition, has claimed that Truecaller shares data with some of its partners without its users’ consent and then dumps the liability on the users.

  • Prasanna did not hold out much hope from the bill. Although it explicitly prohibits data collection without consent, he said, it only provides for compensation when the affected party can demonstrate harm other than loss of privacy. “This will likely make the DPB a toothless tiger — even if there are provisions for fines and penalties.”