Reports came out on Tuesday that the Truecaller app had sent SMS messages from phones of unsuspecting users to create UPI IDs with ICICI Bank. A payments feature had been added to the app two years ago in partnership with ICICI Bank. The feature is called Truecaller Pay. After facing criticism on social media, NPCI and Truecaller have issued statements . Truecaller has since issued an app update to stop this automated process.
In February this year, Truecaller stated that they have more than 100 million daily active users in the country. The figure for monthly active users could be higher. While Truecaller said yesterday that all affected users would be deregistered, it is still unclear how many people were affected and what information was shared. Information regarding their existing bank accounts was revealed in the process, and their phone numbers and other information may have been shared with ICICI Bank. Exact details are scant at the moment. It is unclear how Truecaller discovered the identity of Bank(s) with which the user had an account. Annexure IV of NPCI’s Unified Payments Interface – Procedural Guidelines states that a PSP (Payment Service Provider) application has to send an SMS from the mobile device to fetch the mobile number and bind it to the device, but the name of the bank has to be selected manually by the user. After that step, the app can use the mobile number to generate a request with the bank. The bank would then send “ the account details including Account Number & IFSC registered for that mobile Number in a masked format to UPI. UPI sends this to the PSP which in turn passes this information to the PSP App.” It is worth noting that Truecaller is not a PSP as per the list of members on NPCI’s website. The PSP for Truecaller is ICICI Bank.
NPCI has an FAQ on UPI which reads:
How are you getting all my bank A/C information?
This is a feature of the UPI payment platform (built by NPCI – an RBI regulated entity). The UPI platform retrieves the accounts details linked with your mobile number in a masked manner i.e. UPI app can’t see all the details. This exchange is done over secure banking networks and we don’t store or ever use it.
One might assume that since Truecaller has this feature built into their app, that the sharing of this personal information for this purpose would be covered by Truecaller’s Privacy Policy. The privacy policy states the following, among others, about sharing your data:
“Truecaller may use the personal information collected to provide, maintain, improve, analyze and personalize the Services to its Users, partners and third party providers. More specifically, Truecaller may use such information to:
f. enable You to use and share Your information in connection with Your registration, login or other use of third party services e.g. payment service providers, online services, social networking sites and other third party API’s; and”
Note that the words used are ‘enable You to use and share Your information’. It does not grant permission for Truecaller to share your information with payment service providers automatically, as has happened in the present case. This is a clear violation of their own privacy policy, which could allow affected users a route to pursue legal action against the company.
With the current laws in the country, a user hardly gets any protection from such misuse of data. Vague promises to correct one’s actions and to do better in future are insufficient and come with minimal accountability. This issue further highlights the need for a dedicated data protection law in the country. In 2017, a nine-judge bench of the Supreme Court of India recognized that the right to privacy is a fundamental right. Since then, the draft Personal Data Protection Bill, 2018 was published for which public comments were invited. SFLC.in submitted its comments and suggestions on this bill. The bill is expected to be tabled soon in the parliament.
Truecaller is not new to controversy and privacy violations. The very structure of the base service rests on granting itself the permission to collect and share personal information about you that is not publicly available, even if you never signed up for the service and never agreed to their Terms of Service and Privacy Policy. The app collects information from multiple users, and then shares that information with third parties, without consent from or even notice to users to whom that information pertains. Consent is taken from users that provide their address book to Truecaller, and not from users to whom that information pertains.
The service does allow people to opt-out of displaying their information to other users. The Privacy Policy states “If any persons do not wish to have their names and phone numbers made available through the Enhanced Search or Name Search functionalities, they can exclude themselves from further queries by notifying Truecaller via its website at www.truecaller.com or as set forth in the contact details below.” This does not stop them from storing and processing your information or from transferring your information to third parties for other purposes, it only results in delisting your information so that it doesn’t show up in public results anymore.
The Privacy Policy for people in Europe differs significantly from the policy on offer to people in the rest of the world. Thanks to strong data protection laws in Europe, no address book information is collected from users in the region. Information that is collected is held to higher standards of protection, even offering deletion of your personal information, while the privacy policy for the rest of the world offers deletion “When required by applicable law […]”.
Two years ago, UIDAI had suspended Airtel and Airtel Payments Bank’s eKYC license for automatically creating Airtel Payments Bank accounts for people without their consent or knowledge when they performed eKYC for Airtel’s telecom arm. This resulted in loss for INR 190 crore of subsidies for millions of people. Airtel later offered to return this money, but the harm to affected parties could be irreversible considering that these subsidies are meant for people that would not be able to afford the products without them.
We strongly suggest that you grant only the essential permissions for apps to function as intended. Think before you grant any permission. If a flashlight app, for example, asks for your contact information, do not grant that permission to it. If the app refuses to function without that permission, uninstall that app and do not use it any further. Both Android and iOS allow you to go into your phone’s settings and revoke any permission that you had previously granted to an app, or to grant a permission that you had previously refused. SFLC.in regularly conducts digital security trainings for people of all backgrounds to better educate users on safe usage of communication devices.
In the absence of a data protection law, our privacy and data are being treated as a free-for-all. We must take charge of protecting our own privacy, especially so until we have a data protection law. Yet, a data protection law would not be a magic bullet that would fix all issues. We would have to remain vigilant to protect ourselves, but it would at least create a deterrence and would empower us to act against errants.