How Truecaller’s success banks on India’s inadequate privacy laws

ILLUSTRATION BY VARSHA GOVIL
09 March, 2022

In October 2021, I called a journalist based in Pakistan, who did not know me. Surprisingly, they greeted me by my name when they received the call. When asked how they identified me, they sent a screenshot of a notification received from the Truecaller app on their phone. The notification had my name, my former employer’s name, my designation at my former company, the state I was based in and the name of my mobile operator. The journalist told me that they had recently installed the Truecaller app, from the Google Play Store, on an Android phone.  

“Humne aapko pehchaan liya. Humein toh yeh bhi pata hai ki aapka yeh number WhatsApp par registered hai”—I recognised you. I even know that this number is registered on WhatsApp—the journalist from Lahore giggled. They sent me another screenshot of a notification sent by Truecaller, which stated that my number was registered on WhatsApp. I was stunned, as I had never used Truecaller on this number, nor downloaded the app on the device I was using. In addition, neither Truecaller, nor Google, had ever sought my consent to use or display my private number.

Truecaller was developed by True Software Scandinavia, a Swedish company founded in 2009 by Nami Zarringhalam and Alan Mamedi. Mamedi is of Kurdish descent and was born in a refugee camp in north Sweden, and Zarringhalam moved to Sweden from Tehran at the age of three; both are Swedish citizens now. “The app began when our co-founders were just students who wanted to create a service that would easily identify incoming calls from unknown numbers,” its website says, adding that Truecaller “is the go-to app for Caller ID and spam blocking.” On 8 October 2021, the company listed its initial public offering on Nasdaq Stockholm. According to Crunchbase, the firm raised a total of $98.6 million over eight rounds of funding, with Zenith Venture Capital, Atomico and Sequoia Capital India among the lead investors.

As of March 2021, the website claims, its app had been downloaded over 581 million times—India accounts for over a third of these—and its database had a staggering 5.7 billion unique phone identities. The firm is headquartered in Stockholm, but the majority of its employees are Indian. This is no surprise as, according to the firm’s statistics, out of its over 278 million monthly active users across 175 countries, over 205 million MAUs are from India alone, making the country its biggest market.

While India is a huge and lucrative market for digital solutions of all hues and purposes, a weeks-long investigation by The Caravan shows that Truecaller’s apparent success in the country rests on rather dubious grounds. Conversations with a former employee who worked with the company for over half a decade in various senior positions, lawyers specialising in privacy law and experts at think tanks dealing with policy research revealed that the majority of Truecaller’s datasets consist of details collected without consent, a feat made possible by the lack of a comprehensive legal framework for data protection in India. Another aspect that cropped up during our investigation was that the firm may also be building a complete financial profile of its registered users.

In a series of written responses to The Caravan, Truecaller insisted that it is a “privacy-focused service” that is “committed to being transparent and compliant with the laws of the countries we operate in.” But, as Prasanna S, a coder-turned-lawyer who specialises in privacy issues, told me, “They are correct to the extent that there may not be a statutory breach in doing so. However, breach of privacy is an actionable wrong, and their activity, to the extent that they reveal personally identifiable information to the callee without the consent of the caller, is certainly a breach of privacy.” He added that this “has been Truecaller’s business since quite a while. Truecaller is a case where your personal data is collected from a contact of yours which gets used without your consent.” With parliament not having passed the Personal Data Protection Bill, which was first introduced in 2018, Prasanna said, “the state of privacy protection is minimal, if any.”

In its 2017 ruling in KS Puttaswamy vs Union of India, the Supreme Court held that the right to privacy is a fundamental right under Articles 14, 19 and 21 of the Constitution. However, five years later, the government is still holding deliberations on the data-protection bill, despite several iterations—each more controversial than the last. This legal lacuna has made Indian citizens vulnerable to monitoring, surveillance and data-mining by government agencies and private companies alike.

Truecaller’s database has been built by tapping four main sources: downloads of the app; white and yellow pages in the handful of countries where such directories are still published and not restricted on privacy grounds; partnerships with social-media platforms that publicly display numbers; and the free authentication APIs (application-programming interfaces) and SDKs (software-development kits) it offers to third-party app developers. According to the former employee, the number of users who have consented to their phone numbers being identified and added to the Truecaller database is negligible compared to the number added without consent.

In a detailed report, Techcabal, a Nigeria-based tech platform, pointed out that, once a user signs up for or downloads Truecaller, a give-and-take dynamic comes into play—if you want access to caller ID features and the app’s other functions, then you have to give up your contact list so other users can access the same functions you want. Every single contact in your phone then becomes part of Truecaller’s database that includes users who did not register and did not give consent to having their numbers identified.

Since Truecaller already seeks approval from each registered user to list every one of their contacts in its database, the company has never faced a legal complication on this count. As the Truecaller spokesperson told The Caravan, the company gives people the option to share their contacts of their own accord, and this helps improve its algorithmic accuracy.

I spoke to around a hundred of Truecaller’s Indian users, over a span of three months, and found that, when they signed up for Truecaller, the majority of them had indiscriminately clicked “I Agree” to share their contacts with the company, due to the sheer complexity and length of the agreement text. This is a well-documented phenomenon known as consent fatigue. Most of them were not even aware that every phone number in their contact list had become a “registered phone identity” in Truecaller’s database.

There is also the case of Truecaller users who did not download the app from the Google or Apple stores but use devices on which it comes pre-installed, such as some Micromax, Samsung and Wileyfox models. In such cases, most users have granted access to the names, numbers, Google IDs and email addresses of their contacts because a feature called “Enhanced Search” is checked by default. The company also enabled this feature by default on its website, and it is mentioned in its privacy policy.

According to the former employee, the Enhanced Search functionality is nothing but automatic consent by the end user to upload the contacts synced to their email account. “The login page clearly states that, by checking the enhanced search option, you will be sharing your contacts with Truecaller,” they told me. “As soon as someone logs into the website using his email, his contacts get uploaded into the Truecaller servers.”

Since everyone saves phone numbers however is convenient for them, the app uploads each contact entry exactly as the individual user saved it. For instance, if someone has saved a spam phone number as “chor ka phone mat uthaiyyo”—don’t pick up when this thief calls—it will be listed exactly like that in Truecaller’s database for global identification.

“Truecaller is bound by the Google and Apple store guidelines and cannot download the phone book from their users, but they do not follow such a rule in case of pre-installed apps and shared APKs”—Android packages—the former employee, who also worked with Truecaller’s data-quality department, told me. “So, if you are listed in any of the phonebooks of a registered user of Truecaller, your privacy has already been compromised without your consent, and your phone number, possibly with your professional identity, is ready to be viewed by the whole world.” 

As per the company’s red-herring prospectus, and its responses to The Caravan, Truecaller also provides app developers with free authentication APIs and SDKs. These are offered to developers at no cost, ostensibly “in the interest of Truecaller’s users. It allows app developers to quickly and easily on-board new users, provided they are also users of Truecaller. It reduces the time and friction of the typical on-boarding process, which traditionally relies on missed calls or OTPs.” For customers who are not registered with Truecaller, the SDK completes verification with a dropped call, triggered in the background to the user’s number. It should be noted that, because of the lack of stringent privacy laws, this option is currently available only in India. “It is due to this fact only that sometimes people get weird caller names like ‘Delhi waale chacha’ or ‘Pinky parlour waali,’” the former employee said. “These contacts are of people who are not aware that their name and professional identities were [collected] by Truecaller without their consent.”

A Truecaller spokesperson confirmed that the company is sharing names and verified phone numbers with app developers, but stated that it is not in violation of Google guidelines. “Apart from name and Truecaller-verified number, no additional data is shared with the app developer,” the spokesperson said. “This is not a violation of Google guidelines. Google offers a similar service to app developers themselves.” The firm also claims that, “As of the date of the prospectus, logins have been requested more than 1.2 billion times and over 745 million logins have been made using Truecaller. Approximately 23 percent of Truecaller for Business customers are leads from existing API SDK partners.”

Surprisingly, the company has taken no measures to seek consent from the owners of the billions of numbers it holds without it, and is silently building up its enormous database through third-party APIs.

By Truecaller’s own figures, it holds 5.7 billion phone identities, and roughly one in two of the users who have downloaded and registered the app since 2014 is still a monthly active user. With over 278 million MAUs today, that puts the number of registered, and therefore consenting, users at about half a billion, under a tenth of the database. Even allowing generously for the other three sources of data, it seems unlikely that more than a third of Truecaller’s database consists of consented data.

The massive size of Truecaller’s database raises the question of what the firm is doing with it. Our investigation revealed that one possibility is that the firm is building a complete financial profile of its registered users.

In June 2020, an assistant manager with a nationalised bank, who did not want to be named, moved to Bangladesh to join their partner, who was employed with India’s diplomatic mission. The bank employee told The Caravan that, once they reached Bangladesh, the regular SMS feature on their device stopped working due to the service provider’s rules. However, the bank employee was still receiving SMS notifications, including one-time passwords for every online transaction, through the Truecaller app installed on their mobile. They shared screenshots of some of these messages with The Caravan. The logo of the nationalised bank, with their name and the last four digits of the account number, as well as the bank balance, was listed in every single message. This leads to the question of whether Truecaller has access to SMS content and is able to witness every “secret handshake”—OTP-based financial transactions—with your bank.

“Apart from tracking your calls, their duration and your most and least favourite contacts, the Truecaller software can build your detailed financial profile as it has access to your SMS feature,” the former employee said. They confirmed that the company’s algorithm can read the content of text messages. “With a special feature called ‘sms categorizer’ the Truecaller software is able to recognise personal, high priority (bank OTPs and transactions), and also spam messages of its registered user.” This ability, they added, could allow the app to send loan offers to people when their bank balance goes down below a certain limit. Truecaller already has a short-term loan facility up to Rs 5 lakh for its registered users without much paperwork. The company has a financial partnership with firms such as Whizdm Innovations, which offers personal loans.

The former employee also pointed out that access to text messages is a highly problematic practice, as the entire data can get compromised if the Truecaller system is infected or develops a bug. “SMS messages mostly deal with bank transactions and anyone can try and extract the financial information of millions of Truecaller users and can steal it,” they said. In 2019, they noted, “a so-called bug” automatically created Unified Payments Interface, or UPI, accounts with ICICI Bank, “triggering panic and hacking fears amongst the Truecaller users.” Alan Mamedi later apologised through a blog post that said, “We understand the frustration this news and numerous rumours may have caused to people, and we honestly apologize to them. We all at Truecaller feel awful that this even happened in the first place.”

Truecaller has denied that it has the ability to read SMS content and said that it only analyses messages locally on the phone to identify the sender and determine whether they are spam. However, the company simultaneously advertises that, if Truecaller is made the default SMS app, it keeps the inbox clean by categorising messages into OTPs, appointments, spam, unsaved numbers and more. Sorting an OTP from an appointment reminder cannot be done without parsing the text of the message; “local” describes where that parsing happens, not whether it happens.
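To make the point above concrete, here is a toy on-device SMS categoriser of the kind the former employee describes, written for this article. It is illustrative code only, not Truecaller’s, and the sender IDs, bank message templates, account suffix, amounts and OTP in it are constructed rather than taken from any real message. It shows that the one parse that separates OTPs, transaction alerts, spam and personal messages also yields the OTP value, the account suffix and the balance as a by-product, and how few extra lines turn that into a financial profile. The last function shows what a privacy-preserving design would permit to leave the device: the label and the sender kind, never the body or an extracted value.

```python
"""Toy SMS categoriser, added for illustration. Not Truecaller's code.
All messages, sender IDs, amounts and the OTP below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed inbox: (sender, body). Indian transactional senders use a
# six-character header behind a two-letter operator/circle prefix.
SAMPLE_INBOX = [
    ("AX-HDFCBK", "123456 is your OTP for txn of INR 4,999.00 at MERCHANT. Do not share."),
    ("VM-SBIINB", "Your a/c no. XX1234 is debited for Rs 2,500.00 on 08-03-22. Avl Bal: Rs 18,420.55"),
    ("+919876543210", "Bhai kal milte hain 7 baje"),
    ("BZ-LOANXX", "Pre-approved loan upto Rs 5 lakh! Click http://example.test/loan to claim now"),
]

HEADER_RE = re.compile(r"[A-Z]{2}-[A-Z0-9]{6}")
PHONE_RE = re.compile(r"\+?\d{10,13}")
OTP_WORD_RE = re.compile(r"\botp\b", re.I)
CODE_RE = re.compile(r"\b\d{4,8}\b")
AMOUNT_RE = re.compile(r"(?:Rs\.?|INR)\s*([\d,]+(?:\.\d{2})?)", re.I)
BALANCE_RE = re.compile(r"Avl\.?\s*Bal[:\s]*(?:Rs\.?|INR)\s*([\d,]+(?:\.\d{2})?)", re.I)
LAST4_RE = re.compile(r"\bX+(\d{4})\b")
URL_RE = re.compile(r"https?://\S+")
TXN_WORDS = ("debited", "credited", "avl bal", "balance")
SPAM_WORDS = ("click", "claim", "pre-approved", "offer")


@dataclass
class Message:
    sender: str
    body: str
    sender_kind: str
    category: str
    fields: dict = field(default_factory=dict)


def sender_kind(sender: str) -> str:
    """'header' for a transactional sender ID, 'phone' for a plain number."""
    if HEADER_RE.fullmatch(sender):
        return "header"
    if PHONE_RE.fullmatch(sender):
        return "phone"
    return "unknown"


def extract_fields(body: str) -> dict:
    """The parse step every categoriser performs. It cannot tell an OTP from
    an appointment without reading the body, and the same pass yields the
    sensitive values (OTP, amount, balance, account suffix) as a by-product."""
    out = {}
    if OTP_WORD_RE.search(body) and (m := CODE_RE.search(body)):
        out["otp"] = m.group(0)
    if m := AMOUNT_RE.search(body):
        out["amount"] = m.group(1)
    if m := BALANCE_RE.search(body):
        out["balance"] = m.group(1)
    if m := LAST4_RE.search(body):
        out["account_last4"] = m.group(1)
    return out


def categorise(sender: str, body: str) -> Message:
    """Label a message as OTP, TRANSACTION, SPAM or PERSONAL (keyword rules;
    a production classifier would be a model, but it still sees the text)."""
    text = body.lower()
    fields = extract_fields(body)
    if "otp" in fields:
        cat = "OTP"
    elif any(w in text for w in TXN_WORDS):
        cat = "TRANSACTION"
    elif URL_RE.search(body) or any(w in text for w in SPAM_WORDS):
        cat = "SPAM"
    else:
        cat = "PERSONAL"
    return Message(sender, body, sender_kind(sender), cat, fields)


def financial_profile(inbox) -> dict:
    """Latest known balance per account suffix, from TRANSACTION messages.
    Shows how little code turns 'categorisation' into a financial profile."""
    profile = {}
    for sender, body in inbox:
        msg = categorise(sender, body)
        if msg.category == "TRANSACTION" and {"account_last4", "balance"} <= msg.fields.keys():
            profile[msg.fields["account_last4"]] = msg.fields["balance"]
    return profile


def telemetry_record(msg: Message) -> dict:
    """The only thing a privacy-preserving design should let leave the device:
    the label and sender kind, never the body or any extracted value."""
    return {"category": msg.category, "sender_kind": msg.sender_kind}


if __name__ == "__main__":
    for sender, body in SAMPLE_INBOX:
        m = categorise(sender, body)
        print(m.category, m.sender_kind, m.fields, telemetry_record(m))
    print(financial_profile(SAMPLE_INBOX))
```

The practical check this suggests for any app that asks to become the default SMS handler is not “does it parse my messages” (it must) but “what does it transmit”: only a record like the one `telemetry_record` returns should ever appear in the app’s network traffic, and anything resembling `extract_fields` output leaving the device is a finding.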

Moreover, the way Truecaller has adapted to evolving legislation in other parts of the world raises serious questions about its practices in India. The company has adopted stringent privacy rules for Nigeria, another major market, and rebuilt its app for European users after the European Union adopted the General Data Protection Regulation in 2016. No similar rigour has been applied to the Indian market.

For instance, EU users of the app are covered by the GDPR’s six lawful bases for processing personal data: consent, performance of a contract, a legitimate interest, a vital interest, a legal obligation and a task in the public interest. Accordingly, EU users have been given additional access and control features in the app’s privacy centre, which allow them to access, rectify, erase, restrict the processing of and port their data; no such option is available to Indian users. After the GDPR was adopted, the Article 29 Working Party, an independent European advisory body on data protection and privacy, wrote to Mamedi in June 2017 expressing concern about the manner in which, and the purposes for which, True Software collected personal data. The letter, a copy of which is with The Caravan, read:

True Software appears to be sourcing personal data both from Truecaller users’ contact lists and, in some circumstances, their social media pages (including name, telephone number, email address and, where available, demographic information and additional contact information). This information is then made publicly available via reverse search on the Truecaller website and mobile app … There is no indication that True Software is making non-users aware that their data are being processed in the Truecaller app or website search, unless those individuals actively engage with the website or download the app. It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights under Directive and that their privacy is being infringed.

Soon after, in 2018, the company moved its data centres to India. According to Pranesh Prakash, a founding member of the non-profit Centre for Internet and Society, Truecaller operates more by omission than commission in India. “Truecaller is lying when they say, ‘The rights and interests of our users are a priority to us, and hence we provide largely identical rights to all our users across geographies.’” He explained, “In India, Truecaller stores personal information of contacts from your address book, and provides reverse number look up of contacts. This is not an instance of ‘largely identical rights’ across geographies. Users in the EU clearly have their privacy rights respected by Truecaller in a manner that Truecaller doesn’t respect Indians’ privacy rights.”

Truecaller’s practices also appear to breach Google Play’s privacy guidelines. Rishitu Amarnani, the communications manager at the Google Play Store, gave a non-committal response to The Caravan’s queries on Truecaller’s practices. We were told that “the information you shared has been passed on to the relevant team,” which was “investigating this and will take appropriate action based on the outcome of the investigation.” Prasanna, the coder-turned-lawyer, told me that “Google’s privacy policy unfortunately is very limited,” since it is designed to regulate how apps collect personal data from users themselves. “Truecaller is a case where your personal data is collected from a contact of yours which gets used without your consent.”

As the Indian government drags its feet on the data-protection bill, concerned citizens have stepped into the gap. In July 2021, the Bombay High Court issued notices to the centre, the Maharashtra government and the National Payments Corporation of India to respond to a public-interest litigation that claimed the Truecaller app was sharing user data in breach of rules. Shashank Posture, a lawyer-in-training who filed the petition, has claimed that Truecaller shares data with some of its partners without its users’ consent and then dumps the liability on the users.

“A major advantage to data-driven companies like Truecaller is the fact that people in India are yet to understand the value and need of privacy,” Posture told me. “There are no well-defined privacy laws in India and people are fine in giving access to hundreds of private contact numbers without even thinking that it may bombard their near and dear ones with business calls and even put them in danger by putting away their name and professional identities in public domain.”

It also remains to be seen if the data-protection bill can address the issues surrounding privacy and data pertinent to Truecaller. “For the upcoming DPB in India, we have been in regular touch with key stakeholders,” the company spokesperson told me. “Our CEO Alan Mamedi met key members of the Joint Parliamentary Committee in 2020 in person to convey our stance, explain how Truecaller works and to state that we are ready to comply with all facets of the final bill.”

Prasanna did not hold out much hope from the bill. Although it explicitly prohibits data collection without consent, he said, it only provides for compensation when the affected party can demonstrate harm other than loss of privacy. “This will likely make the DPB a toothless tiger—even if there are provisions for fines and penalties.”

This story is co-published as a part of a reporting fellowship with the Rest of World.