In October 2021, I called a journalist based in Pakistan, who did not know me. Surprisingly, they greeted me by my name when they received the call. When asked how they identified me, they sent a screenshot of a notification received from the Truecaller app on their phone. The notification had my name, my former employer’s name, my designation at my former company, the state I was based in, and the name of my mobile operator. The journalist told me that they had recently installed the Truecaller app from the Google Play Store on an Android phone.
“Humne aapko pehchaan liya. Humein toh yeh bhi pata hai ki aapka yeh number WhatsApp par registered hai” — I recognized you. I even know that this number is registered on WhatsApp, the journalist from Lahore giggled. They sent me another screenshot of a notification sent by Truecaller, which stated that my number was registered on WhatsApp. I was stunned, as I had never used Truecaller on this number or downloaded the app on the device I was using. Neither Truecaller nor Google had ever sought my consent to use or display my private number.
Truecaller was developed by True Software Scandinavia, a Swedish company founded in 2009 by Nami Zarringhalam and Alan Mamedi. Mamedi is of Kurdish descent and was born in a refugee camp in northern Sweden, while Zarringhalam moved to Sweden from Tehran at the age of three; both are Swedish citizens now.
“The app began when our co-founders were just students who wanted to create a service that would easily identify incoming calls from unknown numbers,” Truecaller’s website says, adding that it is “the go-to app for caller ID and spam blocking.” On October 8, 2021, the company listed its initial public offering on Nasdaq Stockholm. According to Crunchbase, the firm raised a total of $98.6 million over eight rounds of funding, with Zenith Venture Capital, Atomico, and Sequoia Capital India being among the lead investors.
As of March 2021, the app has been downloaded over 581 million times, the website claims. India accounts for over a third of these downloads, and its database has a staggering 5.7 billion unique phone identities. The firm is headquartered in Stockholm, but the majority of its employees are Indian. This is no surprise: Out of more than 278 million monthly active users (MAUs) across 175 countries, over 205 million are from India alone, making the country its biggest market, according to the firm’s statistics.
While India is a huge and lucrative market for technological innovations, a weeks-long investigation by The Caravan shows that Truecaller’s apparent success in the country is based on rather dubious grounds. Interviews with a former senior employee who worked with the company for over half a decade, lawyers specializing in privacy laws, and experts at policy research think tanks revealed that the majority of Truecaller’s datasets are comprised of information that has been collected without a user’s consent — a feat made possible by the lack of a comprehensive legal framework surrounding data protection in India. The firm may also be building a complete financial profile of its registered users, The Caravan’s investigation shows.
In a series of written responses to The Caravan, Truecaller insisted that it offers a “privacy-focused service” that is “committed to being transparent and compliant with the laws of the countries we operate in.” But, as Prasanna S., a coder-turned-lawyer who specializes in privacy issues, told The Caravan, “They are correct to the extent that there may not be a statutory breach in doing so. However, breach of privacy is an actionable wrong, and their activity, to the extent that they reveal personally identifiable information to the callee without the consent of the caller, is certainly a breach of privacy.” He added that this “has been Truecaller’s business since quite a while. Truecaller is a case where your personal data is collected from a contact of yours, which [then] gets used without your consent.” Given that parliament still has yet to pass the Personal Data Protection Bill, first introduced in 2018, “the state of privacy protection is minimal, if any,” Prasanna said.
In the 2017 ruling for K.S. Puttaswamy vs. Union of India, the Supreme Court held that the right to privacy is a fundamental right under Articles 14, 19 and 21 of the Constitution. However, five years later, the government is still deliberating on the data protection bill, despite several iterations — each more controversial than the last. This legal lacuna has made Indian citizens vulnerable to monitoring, surveillance, and data mining by government agencies and private companies alike.
Truecaller’s database has been built by tapping four main sources: downloads of the app; white and yellow pages of foreign countries not restricted by privacy concerns; partnerships with social media platforms that publicly display numbers; and free authentication of application-programming interfaces (APIs) and software development kits (SDKs). According to the former employee interviewed by The Caravan, the number of users who have given consent for their phone numbers to be identified and added to the Truecaller database is negligible compared to those who have been added without their consent.
In a detailed report, TechCabal, a Nigeria-based tech publication, pointed out that once a user signs up for or downloads Truecaller, a give-and-take dynamic comes into play. If you want access to caller ID features and the app’s other functions, then you have to give up your contacts, so other users can access the same functions. Every single contact in your phone then becomes part of Truecaller’s database that includes users who did not register and did not give consent to having their numbers identified.
Since Truecaller already seeks approval from registered users to list contacts on their database, the company has never faced a legal complication. As a Truecaller spokesperson told The Caravan, the company provides the option for people to share their contacts voluntarily, and this helps improve their algorithmic accuracy.
I spoke to about a hundred Indian users of Truecaller over a span of three months and found that the majority of them had indiscriminately clicked “I Agree” to sharing contacts with the company when they signed up, due to the sheer complexity and length of the agreement text. This is a well-documented phenomenon known as consent fatigue. Most users were not even aware that every phone number in their contact list had become a “registered phone identity” in Truecaller’s database.
According to the former employee, the Enhanced Search feature is nothing but automatic consent by the end-user to upload the contacts synced to their email account. “The login page clearly states that, by checking the enhanced search option, you will be sharing your contacts with Truecaller,” they told The Caravan. “As soon as someone logs into the website using his email, his contacts get uploaded into the Truecaller servers.”
Since everyone saves a phone number based on convenience, the Truecaller algorithm uploads the contact details as they are saved by the individual user. For instance, if someone has saved a spam phone number as “chor ka phone mat uthaiyo” — don’t pick up when this thief calls — it will be listed exactly like that in Truecaller’s database for global identification.
“Truecaller is bound by the Google and Apple store guidelines, and cannot download the phonebook from their users, but they do not follow such a rule in [the] case of pre-installed apps and shared APKs [Android packages],” the former employee, who also worked with Truecaller’s data quality department, told The Caravan. “So, if you are listed in any of the phonebooks of a registered user of Truecaller, your privacy has already been compromised without your consent, and your phone number — possibly with your professional identity — is ready to be viewed by the whole world.”
According to the company’s red herring prospectus and statements to The Caravan, Truecaller also provides app developers free authentication of APIs and SDKs. The SDK and authentication services are offered to app developers for free, ostensibly “in the interest of Truecaller’s users. It allows app developers to quickly and easily onboard new users, provided they are also users of Truecaller. It reduces the time and friction of the typical onboarding process, which traditionally relies on missed calls or OTPs.” The SDK verifies unregistered customers by placing a dropped call from the user’s number in the background to complete the verification flow. It should be noted here that, due to the lack of stringent privacy laws, this option is currently available only in India. “It is due to this fact only that sometimes people get weird caller names like ‘Delhi-waale chacha’ or ‘Pinky parlor waali,’” the former employee said. “These contacts are of people who are not aware that their name and professional identities were [collected] by Truecaller without their consent.”
Founders: Alan Mamedi & Nami Zarringhalam
Key investors: Sequoia Capital, Atomico, Zenith Group
Monthly Active Users: 278 million
A Truecaller spokesperson confirmed that the company is sharing names and verified phone numbers with app developers, but stated that it is not in violation of Google guidelines. “Apart from name and Truecaller-verified number, no additional data is shared with the app developer,” the spokesperson said. “This is not a violation of Google guidelines. Google offers a similar service to app developers themselves.” The firm also claims that, “As of the date of the prospectus, logins have been requested more than 1.2 billion times and over 745 million logins have been made using Truecaller. Approximately 23 percent of Truecaller for Business customers are leads from existing API SDK partners.”
Surprisingly, the company has not taken any measures to seek consent from the owners of the billions of phone numbers it holds, and is silently building up its enormous database through third-party APIs.
As per Truecaller’s own data, it has a total of 5.7 billion phone identities; and for every downloaded and registered user since 2014, approximately one in two is still a monthly active user. This means that the company, which currently has over 278 million MAUs, has about half a billion identities of users who never gave consent. Even considering the other three sources of data, it seems unlikely that more than one-third of Truecaller’s total database is comprised of users who agreed to be identified and added to the company’s database.
The massive size of Truecaller’s database raises the question of what the firm is doing with it. The Caravan’s investigation revealed one possibility: The firm may be building a complete financial profile of its registered users.
In June 2020, an assistant manager with a national bank, who did not want to be named because they did not want to jeopardize their safety, moved to Bangladesh to join a partner employed with India’s diplomatic mission. Once they reached Bangladesh, the regular SMS feature on their device stopped working due to the service provider’s rules, the bank employee told The Caravan. However, the bank employee was still receiving SMS notifications, including one-time passwords for every online transaction, through the Truecaller app installed on their phone. They shared screenshots of some of these messages with The Caravan, featuring the logo of the national bank, their bank balance, and the last four digits of the account number on every message. This leads to the question of whether Truecaller has access to SMS content and is able to witness every “secret handshake” — OTP-based financial transactions — with a bank.
“Apart from tracking your calls, their duration, and your most and least favorite contacts, the Truecaller software can build your detailed financial profile, as it has access to your SMS [messages],” the former employee said. They confirmed that the company’s algorithm can read the content of text messages. “With a special feature called ‘SMS categorizer,’ the Truecaller software is able to recognize personal, high-priority [bank OTPs and transactions], and also spam messages of its registered user.” This ability, they added, could allow the app to send loan offers to people when their bank balance goes below a certain number. Truecaller already has a short-term loan offer up to 5 lakh rupees (around $6,600) for registered users without much paperwork. The company also has a financial partnership with firms such as WhizDM Innovations, which offers personal loans.
The former employee also pointed out that access to text messages presents a security risk, as the entire data can get compromised if the Truecaller system is infected or develops a bug. “SMS messages mostly deal with bank transactions, and anyone can try and extract the financial information of millions of Truecaller users and can steal it,” they said. In 2019, they noted, “a so-called bug” automatically created Unified Payments Interface accounts with ICICI Bank, “triggering panic and hacking fears amongst the Truecaller users.” Alan Mamedi later apologized through a blog post that said, “We understand the frustration this news and numerous rumors may have caused to people, and we honestly apologize to them. We all at Truecaller feel awful that this even happened in the first place.”
Truecaller has denied that it has the ability to read SMS content and said that it only analyzes messages locally on a phone to identify senders and determine whether they are spam. However, the company has simultaneously claimed that, by making Truecaller a default SMS app, one can keep the inbox clean by categorizing messages such as OTPs, appointments, spam messages, unsaved numbers, and more.
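The two preceding paragraphs turn on a point worth making concrete: an “SMS categorizer” that sorts OTPs and bank alerts from spam cannot work without parsing the message body, so “analyzed locally” says where the parsing happens, not what the parser sees. The example below is added here and is not Truecaller’s code; the regular expressions, category names and the four sample messages are all constructed for illustration. It shows the minimum a default-SMS-app categorizer must extract to label a message, and therefore what a bug, a log line or an over-broad upload in such an app would expose.

```python
import re

# Constructed sample inbox (not real messages). The bank name and
# numbers are placeholders.
SAMPLE_INBOX = [
    "Your OTP for online transaction is 482913. Do not share it with anyone. -NationalBank",
    "Rs 2,500.00 debited from A/c XX4321 on 12-Jun-20. Avl Bal: Rs 18,340.50 -NationalBank",
    "Congratulations! You are a lottery winner, click here to claim your prize",
    "Reaching home by 8, dinner?",
]

# Patterns a categorizer needs in order to recognise the categories the
# text mentions (OTPs, transactions, spam). Assumed formats, not a bank's.
OTP_RE = re.compile(r"\b(?:OTP|one[- ]time password)\b.*?\b(\d{4,8})\b", re.I)
BALANCE_RE = re.compile(
    r"\b(?:bal(?:ance)?|avl bal)[:\s]*(?:rs\.?|inr)?\s*([\d,]+(?:\.\d{1,2})?)", re.I
)
ACCOUNT_RE = re.compile(r"\b(?:a/c|acct|account)\s*(?:no\.?)?\s*(?:x+|\*+)?(\d{4})\b", re.I)
SPAM_RE = re.compile(r"\b(?:win|winner|lottery|click here|limited offer)\b", re.I)


def categorize(text: str) -> str:
    """Assign one of otp / transaction / spam / personal to a message body.

    Every branch reads the content; there is no way to label an OTP
    message as an OTP without matching the code itself.
    """
    if OTP_RE.search(text):
        return "otp"
    if BALANCE_RE.search(text) or ACCOUNT_RE.search(text):
        return "transaction"
    if SPAM_RE.search(text):
        return "spam"
    return "personal"


def financial_signals(text: str) -> dict:
    """Fields the categorizer has necessarily parsed while labelling.

    This is the sensitive residue: the one-time code, the running
    balance and the account suffix. Anything that persists or
    transmits this dict is where the exposure described above lives.
    """
    found = {}
    m = OTP_RE.search(text)
    if m:
        found["otp"] = m.group(1)
    m = BALANCE_RE.search(text)
    if m:
        found["balance"] = float(m.group(1).replace(",", ""))
    m = ACCOUNT_RE.search(text)
    if m:
        found["account_last4"] = m.group(1)
    return found


def classify_inbox(messages):
    """Label each message and collect what was parsed to label it."""
    return [(categorize(msg), financial_signals(msg)) for msg in messages]


if __name__ == "__main__":
    for msg, (category, signals) in zip(SAMPLE_INBOX, classify_inbox(SAMPLE_INBOX)):
        print(f"{category:12s} {signals}  <- {msg[:40]}...")
```

Run stand-alone, the script labels the first message `otp` and the second `transaction`, and `financial_signals` shows that doing so required reading the code `482913`, the balance `18340.5` and the account suffix `4321`. Whether such values stay on the handset is a property of what the app does after classification, which the categorizer alone cannot guarantee.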
Moreover, the way Truecaller has adapted to evolving legislation in parts of the world also raises some serious questions about its practices in India. The company has formulated stringent privacy regulations in Nigeria, another major market, and has rebuilt its app for European users after the European Union adopted the General Data Protection Regulation in 2016. However, a similar level of rigor has not been applied to the Indian market.
For instance, EU users of the app have multi-layer protection based on six legal checkpoints: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. Accordingly, EU users of the app have been provided additional access and control features in the app’s privacy center, which allow them to access, rectify, erase, restrict processing, and transfer their data. No such options are available for Indian users. After the implementation of the GDPR, the Working Party, an independent European advisory body on data protection and privacy, wrote a letter to Mamedi in June 2017, expressing concerns about how personal data was collected by True Software. The letter, a copy of which is with The Caravan, read:
True Software appears to be sourcing personal data both from Truecaller users’ contact lists and, in some circumstances, their social media pages (including name, telephone number, email address and, where available, demographic information and additional contact information). This information is then made publicly available via reverse search on the Truecaller website and mobile app … There is no indication that True Software is making non-users aware that their data are being processed in the Truecaller app or website search, unless those individuals actively engage with the website or download the app. It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights under the Directive and that their privacy is being infringed.
Soon after, the company moved its data centers to India in 2018. According to Pranesh Prakash, a founding member of the Bengaluru-based nonprofit Centre for Internet and Society, Truecaller operates by omission in India. “Truecaller is lying when they say, ‘The rights and interests of our users are a priority to us, and hence we provide largely identical rights to all our users across geographies,’” he said. “In India, Truecaller stores personal information of contacts from your address book, and provides reverse number lookup of contacts. This is not an instance of ‘largely identical rights’ across geographies. Users in the EU clearly have their privacy rights respected by Truecaller in a manner that Truecaller doesn’t respect Indians’ privacy rights,” Prakash said.
As the Indian government drags its feet on the data-protection bill, concerned citizens have stepped in to fill the gap. In July 2021, the Bombay High Court issued notices to the government of India, the state government of Maharashtra, and the National Payments Corporation of India to respond to public interest litigation that claimed the Truecaller app was sharing user data in breach of rules. Shashank Posture, a lawyer-in-training who filed the petition, has claimed that Truecaller shares data with some of its partners without its users’ consent and then dumps the liability on the users.
“A major advantage to data-driven companies like Truecaller is the fact that people in India [have] yet to understand the value and need [for] privacy,” Posture told The Caravan. “There are no well-defined privacy laws in India and people are fine giving access to hundreds of private contact numbers, without even thinking that it may bombard their near and dear ones with business calls — and even put them in danger by putting their name and professional identities in [the] public domain.”
It also remains to be seen if the data protection bill can address the issues surrounding privacy and data pertinent to Truecaller. “For the upcoming DPB in India, we have been in regular touch with key stakeholders,” the company spokesperson told The Caravan. “Our CEO Alan Mamedi met key members of the joint parliamentary committee in 2020 in person to convey our stance, explain how Truecaller works, and to state that we are ready to comply with all facets of the final bill.”
Prasanna did not hold out much hope for the bill. Although it explicitly prohibits data collection without consent, he said, it only provides for compensation when the affected party can demonstrate harm other than loss of privacy. “This will likely make the DPB a toothless tiger — even if there are provisions for fines and penalties.”