Indian users of the Truecaller service were taken aback this week after media reports showed that the app had sent SMS messages from the phones of unsuspecting users to create UPI IDs with ICICI Bank without their consent.
A payments feature, called Truecaller Pay, had been added to the app two years ago in partnership with ICICI Bank. After facing criticism on social media, the National Payments Corporation of India (NPCI) and Truecaller have issued statements.
Truecaller has since issued an app update to stop this automated process, which registered users without their consent.
In February 2019, Truecaller stated that they have more than 100 million daily active users in the country. The figure for monthly active users could be higher. While Truecaller said yesterday that all affected users would be deregistered, it is still unclear how many people were affected and what information was shared.
Information regarding users' existing bank accounts was revealed in the process, and their phone numbers and other information may have been shared with ICICI Bank. Exact details are scant at the moment. The curious part is that it is unclear how Truecaller discovered which bank(s) a user held an account with.
Annexure IV of NPCI's Unified Payments Interface – Procedural Guidelines states that a payment service provider (PSP) application has to send an SMS from the mobile device to fetch the mobile number and bind it to the device, but the name of the bank has to be selected manually by the user. Only after that step can the app use the mobile number to generate a list-account request to the selected bank.
The bank would then send “the account details including Account Number & IFSC registered for that mobile Number in a masked format to UPI. UPI sends this to the PSP which in turn passes this information to the PSP App”.
It is worth noting that Truecaller is not a PSP as per the list of members on NPCI’s website. The PSP for Truecaller is ICICI Bank.
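The sequence the guidelines describe has two controls that matter for this incident: the bank must be chosen by the user, and what comes back is masked. The following is an added toy model of that sequence, not NPCI's, ICICI's or Truecaller's code. The class names, the way consent is represented, the sample bank record and the masking format are all assumptions of this example; it shows a consented flow succeeding and the app-only flow the article describes being refused.

```python
"""Toy model of the UPI account-discovery steps quoted from Annexure IV.

Added example, not NPCI's or Truecaller's code. The class and function
names, the SMS-binding check and the masking format are assumptions
chosen to illustrate the two controls the guidelines describe: the
bank must be chosen by the user, and the bank returns masked details.
"""
from dataclasses import dataclass
from typing import Optional


class ConsentError(Exception):
    """Raised when a step runs without the user action that must precede it."""


@dataclass
class BankRecord:
    mobile: str
    account_number: str
    ifsc: str


# Constructed sample data standing in for a bank's lookup by mobile number.
SAMPLE_BANK_DB = {
    "ICIC": [BankRecord("+919876543210", "000401234567", "ICIC0000004")],
}


def mask_account(account_number: str, visible: int = 4) -> str:
    """Mask all but the last `visible` digits, the form the PSP app is meant to see."""
    if len(account_number) <= visible:
        raise ValueError("account number too short to mask")
    return "X" * (len(account_number) - visible) + account_number[-visible:]


@dataclass
class PspSession:
    device_id: str
    mobile: Optional[str] = None        # set only after the SMS binding step
    bank_code: Optional[str] = None     # set only by the user's own selection
    bank_selected_by_user: bool = False

    def bind_via_sms(self, sms_sender: str) -> None:
        """Step 1: the outbound SMS proves possession of the SIM; record the number."""
        self.mobile = sms_sender

    def select_bank(self, bank_code: str, *, by_user: bool) -> None:
        """Step 2: the guidelines require this to be the user's manual choice."""
        if not by_user:
            raise ConsentError("bank must be selected by the user, not inferred by the app")
        self.bank_code = bank_code
        self.bank_selected_by_user = True

    def discover_accounts(self) -> list:
        """Step 3: list-account request; the response carries only masked details."""
        if self.mobile is None:
            raise ConsentError("device not bound to a mobile number")
        if not self.bank_selected_by_user or self.bank_code is None:
            raise ConsentError("no user-selected bank")
        records = SAMPLE_BANK_DB.get(self.bank_code, [])
        return [
            {"account": mask_account(r.account_number), "ifsc": r.ifsc}
            for r in records
            if r.mobile == self.mobile
        ]


def consented_flow() -> list:
    """All three steps with the user choosing the bank."""
    s = PspSession(device_id="dev-1")
    s.bind_via_sms("+919876543210")
    s.select_bank("ICIC", by_user=True)
    return s.discover_accounts()


def automated_flow_refused() -> bool:
    """The pattern the article describes: binding and bank choice done by the app alone."""
    s = PspSession(device_id="dev-1")
    s.bind_via_sms("+919876543210")
    try:
        s.select_bank("ICIC", by_user=False)
        s.discover_accounts()
    except ConsentError:
        return True
    return False


if __name__ == "__main__":
    print(consented_flow())
    print("automated flow refused:", automated_flow_refused())
```

The point of the model is that the bank identity never enters the session except through `select_bank(..., by_user=True)`; an app that wants to pre-register users has no legitimate path to the list-account step.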
NPCI has an FAQ on UPI which reads:
How are you getting all my bank A/C information?
This is a feature of the UPI payment platform (built by NPCI – an RBI regulated entity). The UPI platform retrieves the accounts details linked with your mobile number in a masked manner i.e. UPI app can’t see all the details. This exchange is done over secure banking networks and we don’t store or ever use it.
Truecaller's privacy policy states:
“Truecaller may use the personal information collected to provide, maintain, improve, analyze and personalize the Services to its Users, partners and third party providers. More specifically, Truecaller may use such information to:
f. enable You to use and share Your information in connection with Your registration, login or other use of third party services e.g. payment service providers, online services, social networking sites and other third party API’s; and”
Under the country's current laws, a user gets hardly any protection from such misuse of data. Vague promises to correct one's actions and to do better in future are insufficient and come with minimal accountability. This issue further highlights the need for a dedicated data protection law in the country.
In 2017, a nine-judge bench of the Supreme Court of India recognised the right to privacy as a fundamental right. Since then, the draft Personal Data Protection Bill, 2018 has been published and public comments on it invited. The bill is expected to be tabled in parliament soon.
The privacy policy also offers an opt-out:
“If any persons do not wish to have their names and phone numbers made available through the Enhanced Search or Name Search functionalities, they can exclude themselves from further queries by notifying Truecaller via its website at www.truecaller.com or as set forth in the contact details below.”
This does not stop Truecaller from storing and processing your information, or from transferring it to third parties for other purposes; it only delists your information so that it no longer shows up in public search results.
Two years ago, UIDAI suspended the eKYC licences of Airtel and Airtel Payments Bank for automatically creating Airtel Payments Bank accounts for people, without their consent or knowledge, when they performed eKYC for Airtel's telecom arm. As a result, Rs 190 crore of subsidies meant for millions of people were routed into accounts they did not know existed. Airtel later offered to return this money, but the harm to affected parties could be irreversible, considering that these subsidies are meant for people who would not be able to afford the products without them.
What should we take away from Truecaller's controversy? First, grant an app only the permissions it needs to function as intended, and think before granting any permission. If a flashlight app, for example, asks for access to your contacts, refuse. If the app will not function without that permission, uninstall it and do not use it any further. Both Android and iOS let you go into the phone's settings and revoke any permission you previously granted to an app, or grant one you previously refused.
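The same check can be done from a desktop with the Android debug bridge, which is how a practitioner would audit a phone in bulk rather than tapping through settings. The script below is an added example, not from the article: it parses the `runtime permissions:` section that `adb shell dumpsys package <pkg>` prints on Android 6 and later, lists what is granted, and emits the `adb shell pm revoke` commands for the permissions this example treats as high-risk. `SAMPLE_DUMPSYS` is a constructed excerpt in the real output format, `com.example.app` is a placeholder package name, and the `HIGH_RISK` set is this example's own choice.

```python
"""Audit an app's granted runtime permissions from `adb shell dumpsys package <pkg>` output.

Added example, not from the article. SAMPLE_DUMPSYS is a constructed
excerpt in the format Android prints; the set of permissions treated as
high-risk is this example's choice, and the package name is a placeholder.
"""
import re

# Constructed sample of the "runtime permissions:" section dumpsys prints
# for one package on Android 6 or later (SMS and contacts granted here).
SAMPLE_DUMPSYS = """\
  User 0: ceDataInode=123 installed=true hidden=false suspended=false stopped=false
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
      android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
"""

# Permissions this example treats as needing justification for a caller-ID app.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}

PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_permissions(dumpsys_text: str) -> list:
    """Return the runtime permissions marked granted=true, in the order printed.

    Install-time permissions (INTERNET etc.) are skipped: they cannot be
    revoked with `pm revoke`, so they are not the user's decision to make.
    """
    granted = []
    in_runtime = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            in_runtime = stripped == "runtime permissions:"
            continue
        m = PERM_LINE.match(line)
        if in_runtime and m and m.group(2) == "true":
            granted.append(m.group(1))
    return granted


def revoke_commands(package: str, dumpsys_text: str) -> list:
    """adb commands that would revoke the granted high-risk runtime permissions."""
    return [
        f"adb shell pm revoke {package} {perm}"
        for perm in granted_permissions(dumpsys_text)
        if perm in HIGH_RISK
    ]


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package com.example.app > dump.txt
    for cmd in revoke_commands("com.example.app", SAMPLE_DUMPSYS):
        print(cmd)
```

Revoking SEND_SMS from an app removes its ability to perform the outbound-SMS binding step without the user noticing; on the sample above the script prints revoke commands for READ_CONTACTS and SEND_SMS and leaves CAMERA, which is not in the high-risk set, alone.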
In the absence of a data protection law, our privacy and data are being treated as a free-for-all. We must take charge of protecting our own privacy, especially until such a law exists. Even when one is finally passed, it will not be a magic bullet that fixes every issue; we will still have to remain vigilant, but it would at least create a deterrent and empower us to act against those who err.
Prasanth Sugathan is Legal Director at SFLC.in