
How Truecaller is exploiting India’s toothless privacy laws


India is Truecaller's biggest market: of the app's 278 million monthly active users across 175 countries, 205 million are in India. A report from The Caravan argues, however, that this success rests on exploiting India's inadequate data protection laws.

A former Truecaller employee told The Caravan that most of Truecaller's database consists of data collected without consent. Worse, Truecaller may be building complete financial profiles of its registered users.

India has no proper legal framework for data privacy. The Personal Data Protection Bill, first introduced in 2018, has gone through several iterations and is still under deliberation in parliament five years later. The gap is being exploited by government agencies and private companies alike to monitor, surveil and collect data on Indian citizens.


Truecaller’s dubious success

As The Caravan explains, Truecaller's database is built from four major sources: app downloads, white and yellow pages from a handful of countries, partnerships with social media platforms, and free authentication APIs and SDKs.

According to the former employee, the number of users who consented to having their phone numbers registered in Truecaller's database is tiny compared with the number added without consent.

This is possible because Truecaller mines the contacts on every phone the app is installed on, a side effect of its give-and-take model. Truecaller lets users see who is calling even when the number is not saved on their phone. To use this service, users must hand over their contacts, so every contact on their phone immediately becomes part of Truecaller's database.

This process has faced no legal scrutiny so far because, technically, Truecaller does ask the user for consent. The harm falls on the people in that user's contact list, who are added without ever being asked. After speaking to around a hundred Truecaller users, The Caravan found that most simply tap the I Agree button without much thought.

Those who do try to read the agreement are put off by its sheer length and complexity, a phenomenon known as consent fatigue. Most of these users were also unaware that accepting Truecaller's terms turned every contact on their phone into a "registered phone identity" in Truecaller's database.

Another source of data is people who get the app preinstalled on their phones. Several brands, including Micromax, Samsung and Wileyfox, pre-install the app. These users end up granting access to their contacts because a feature called "Enhanced Search" is enabled by default. According to the former employee, this feature amounts to automatic consent by the end user to upload the contacts synced to their email accounts.

Since people save phone numbers by personal association and convenience, many people end up registered in Truecaller's database under odd nicknames, and that nickname is what the app then shows for their number to anyone, anywhere, who looks it up.

Under Google's and Apple's app store guidelines, Truecaller may not download its users' phonebooks, but those guidelines do not apply to pre-installed apps and shared APKs. This means that if your phone number is saved by anyone who uses Truecaller, your number, and possibly your professional identity, has already been compromised.

By Truecaller's own figures, it holds 5.7 billion phone identities. Of every user who downloaded and registered since 2014, roughly one in two is still a monthly active user. That means a company with over 278 million monthly active users has only about half a billion consented phone identities, a small fraction of the 5.7 billion it holds.

Financially profiling users

One use of a database this size is financial profiling, and The Caravan's investigation suggests this may already be happening to the app's registered users.

Truecaller has a feature called SMS Categoriser that lets the app recognise personal messages, spam, OTPs and bank transaction messages for registered users. According to the former employee, this could let the app push loan offers to people when their bank balances fall below a certain amount.

Truecaller already offers registered users a short-term loan facility of up to INR 5 lakh. The sign-up process needs little paperwork, which makes users more likely to take up such loans. The app has partnered with firms like Whizdm Innovations, a company offering personal loans.

Beyond financial profiling, SMS access is itself problematic: it puts all of that data at risk if Truecaller is compromised or ships a bug, which has already happened. In 2019, a bug automatically created UPI accounts with ICICI Bank.

The app has denied having access to SMS content, saying it only analyses messages locally to identify the sender and detect spam. At the same time, it claims it can keep users' SMS inboxes clean by categorising messages such as OTPs, spam, messages from unsaved numbers and more.
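Whatever an app says about processing data "locally", the one thing a user can verify on their own device is which sensitive permissions the app actually holds. The script below is an added example, not code from the article or from Truecaller: it parses the `runtime permissions:` section of `adb shell dumpsys package <pkg>` and prints the contact, SMS, call-log and phone-identity permissions that are currently granted. The package name `com.example.callerid` and the sample dumpsys output are constructed for illustration; they follow the real `android.permission.X: granted=true|false` line format but are not captured from any real app.

```shell
#!/bin/sh
# Added example (not from the article, and not Truecaller's code): list which
# sensitive Android runtime permissions an installed package actually holds,
# by parsing the output of `adb shell dumpsys package <pkg>`.
# The package name com.example.callerid and the sample output below are
# constructed for illustration; they mirror the real dumpsys line format
# "android.permission.X: granted=true|false".

# Permissions that give an app the kind of data the article discusses:
# contact lists, SMS/OTP content, call logs and phone identifiers.
SENSITIVE_PERMS='READ_CONTACTS|WRITE_CONTACTS|READ_SMS|RECEIVE_SMS|READ_CALL_LOG|READ_PHONE_STATE|READ_PHONE_NUMBERS'

# Reads dumpsys text on stdin, prints each sensitive permission that is granted.
sensitive_granted() {
    grep -E "^[[:space:]]*android\.permission\.($SENSITIVE_PERMS): granted=true" \
      | sed -E 's/^[[:space:]]*//; s/: granted=true.*$//' \
      | sort -u
}

# Live use against a connected device (needs adb; not run in the demo below):
#   check_device com.example.callerid
check_device() {
    adb shell dumpsys package "$1" | sensitive_granted
}

# Constructed sample output, modelled on the dumpsys package format.
SAMPLE_DUMPSYS='Packages:
  Package [com.example.callerid] (1a2b3c4):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]'

# Demo on the constructed sample: prints READ_CONTACTS and READ_SMS only.
demo() {
    printf '%s\n' "$SAMPLE_DUMPSYS" | sensitive_granted
}

demo
```

Two caveats apply. A granted permission shows what the app can read, not what it uploads, so this check cannot settle the local-versus-server question the article raises; it only tells you what is exposed if the app is compromised or buggy. And for a pre-installed app the grants may have been set in the firmware image rather than by you, which is exactly why a default-on feature like "Enhanced Search" deserves a look.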

Adapting to changing regulations

Truecaller has continually evolved to keep up with changing data-handling regulations in different parts of the world. It rebuilt its app for European users, offering multi-layered protection based on six legal aspects. Nigeria, another big market for Truecaller, has also seen stricter privacy protections from the app. Users in India, however, have not been so lucky.

The Data Protection Bill does not hold out much hope for Indian users either, as it offers compensation only when the affected person can demonstrate damage beyond loss of privacy. How far the bill will address the privacy issues with Truecaller remains to be seen.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.
