Spammed if you do, spammed if you don’t: is Truecaller putting your privacy at risk?

New report slams popular spam call-blocking app’s privacy policy

Disclaimer: This article has been updated with additional notes from Hitesh Raj Bhagat, Global Head of Corporate Communications. You can find these at the bottom of the article.

You might take good care of your online privacy. You might use one of the best VPN services every time you go online. You also make sure to secure your important communications with encrypted messaging apps.

However, one day you may realize that your name and phone number are available for anyone to access without you even knowing it.

Wildly collecting and exposing people’s phone details without their consent is one of the main allegations against the popular scam call-blocking software Truecaller.

The US-based Viceroy Research - which describes itself as an international investigative financial group - filed this and other violations in its last detailed report, which digs inside both the company’s business model and security infrastructure.

Despite Truecaller denying all accusations and Viceroy Research being sued for false claims in the past, many questions around the app’s privacy protections remain.

Truecaller’s true colours revealed? A report by @viceroyresearch alleges that @Truecaller (“TC”) isn’t as “privacy-focused” as it claims to be. It accuses TC of, among other things, collecting user data without obtaining their explicit consent. 1/8 https://t.co/II6rFlz7H9 (October 10, 2022)

What is Truecaller?

Truecaller is a mobile app available for Android and iOS devices that automatically filters and blocks untrustworthy calls to prevent spam.

Users will simply need to provide their phone number to start using the service. The app will then access their contacts to build up its phonebook and improve its spam database. It even blocks malicious messages before they can reach your device.

As the tech firm argues on its official website: “Truecaller is proud to be a leader in caller ID and spam blocking software as well as research around call and SMS harassment.”

A Swedish-based company, Truecaller is particularly popular across the Sub-Saharan African region and India. The latter is actually its top market globally, boasting now more than 190 million daily active users according to The Economic Times.

This is not surprising as India is among the countries receiving the most spam calls.

More remarkable, perhaps, is the fact that the company actually moved its operations and data servers to India in 2018. And, according to Viceroy, there are some shady reasons lurking behind this business turn.

The allegations: from security breaches to invasive data collection

In its Truecaller’s True Colors report, Viceroy Research lays out quite a few claims against the benevolent nature of the popular call-blocking app.

When users install Truecaller on their smartphone, the incriminated app asks permission to access their list of contacts to feed its own phonebook. This means that people’s phone numbers will end up on its database just because they are saved on a device that uses such a tool, without them agreeing to it.

You might be wondering how such an invasive data collection practice could be allowed. Well, it isn’t really. This modus operandi is actually against both Google’s Privacy policy and the EU/UK GDPR - the data protection law which seeks to minimize users' data collected online.

So, how is Truecaller able to conduct its operations in this way, then?

To bypass app stores' regulation, for example, the company has been reported to have made deals with Android phone manufacturers to pre-install its app on new devices. Plus, it doesn’t need to comply with these rules if people sign in from their browser.

As mentioned before, in 2018 Truecaller moved all its data centers to India. And, guess what also happened that year? GDPR was introduced. However, according to Viceroy’s researchers: “Truecaller is still subject to GDPR regulations, and these regulations apply to all Truecaller users.”

Viceroy also accuses the Swedish company of evading taxes in India - a country where its sales grew 133% between January and June this year. They also found Truecaller guilty of spamming their users with invasive ads and web trackers. Researchers are especially worried about how the software indiscriminately collects such sensitive data about minors, too.

What’s worse is that Viceroy isn’t the first to investigate Truecaller’s alleged privacy abuses and security breaches. Below are just some examples.

In 2013, an investigation into how a group of Syrian hackers (the Syrian Electronic Army) was able to exploit the app database put its security model under scrutiny.

The Article 29 Working Party, at the time the independent European advisory body on data protection, already raised its concerns over TrueCaller’s compliance with data protection laws in 2017.

In 2019, there were then a few reports showing how the data of many Truecaller users - mostly Indians - had been exposed on the dark web. Privacy International pointed out the dangers of ending up on the Truecaller database for journalists and other users whose privacy is paramount.

At the time, the privacy advocates recommended the company take action to fix its privacy issues. However, “TrueCaller acknowledged our response but did not show an interest in following those steps.”

More recently, Indian investigative magazine The Caravan looked at how Truecaller’s ‘Enhanced Search’ makes users automatically share all their contact details like names, numbers and email addresses.

It also reported on an even more worrying dynamic. Former Truecaller employees told The Caravan that the app can access user SMS messages to build a financial profile of its users. As it’s common practice for Indian banks to communicate with their customers via SMS, “this ability…could allow the app to send loan offers to people when their bank balance goes down below a certain limit.”

Truecaller responds

Truecaller promptly replied to such allegations, denying that any privacy abuses occurred.

Specifically, the company responded to The Caravan’s investigation claiming that: “Truecaller is not interested in building or collecting financial profiles of its users.”

It also argued that the Caravan’s ‘Enhanced Search’ accusation was factually incorrect. However, Viceroy Research found the feature was auto-checked for new users in India until September 28.

At the same time, Truecaller also slammed Viceroy’s misconduct claims as false. “The short seller made various false and unverified statements about us,” a spokesperson told TechRadar.

For instance, the provider said that the reason why it moved to India was actually to get closer to the bigger chunk of its users and deliver faster performance. It also points out that it needs the permission to access the phonebook to properly function. However, the company assures that users' privacy is not violated.

At the same time, it is also worth noting that Viceroy Research has been fined R50 million for falsely accusing South Africa’s Capitec Bank of acting as a “loanshark.”

So, from one side to the other, many doubts still remain.

What’s certain is that, with India’s new data protection law on its way, the Swedish company would soon need to align its data collection practices with new regulations if it doesn’t want to respond in court for failing to do so.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
