Save over 40% when you secure your tickets today to TNW Conference 💥 Prices will increase on November 22 →

This article was published on November 9, 2017

Truecaller has a disturbing privacy flaw that exposes your friends’ numbers


Truecaller has a disturbing privacy flaw that exposes your friends’ numbers

Truecaller, the caller ID and call-blocking app, has gained popularity worldwide since its initial release during 2009. The Swedish owned company behind the service, True Software Scandinavia AB, reports that it now has over three billion telephone numbers in its database and over 100 million Google Play Store downloads for its Android app alone.

Having raised over $100 million in funding to date, the company recently announced that it is currently scouting for new offices across Afrika given that it has over 50 million users on the continent.

“The tremendous growth we’ve had across Africa the past two years has truly been amazing and yet we feel it is still only the starting point of what is about to come,” said Ted Nelson, Chief Commercial Officer at Truecaller.

According to Truecaller, South Africa, Nigeria, Kenya and Egypt rank among the top 20 countries globally which are being “plagued” by unwanted spam calls.

Top 20 Countries Affected by Spam Calls Truecaller 
The top 20 countries affected by spam calls in 2017. | Truecaller

There is no denying what value Truecaller adds to those who use the app, but have you ever wondered how your telephone number is available on Truecaller despite you not having ever installed the app?

Permission based crowdsourcing

The concept behind Truecaller is easy to understand. It is essentially a global telephone directory which allows its users to have caller ID service despite not having the caller’s telephone number in their phone’s address book. Added to the caller ID feature, another popular feature on the Truecaller app is the call blocking one. This allows a user to block calls from specific telephone numbers you don’t want to receive or ones that have been labelled as spam by other users of the service.

However, there is something quite interesting about the Truecaller app which you typically observe when you call someone who doesn’t have your number on their address book but they have the Truecaller app. Despite you not having ever used the app, as soon as you call a Truecaller user, your telephone number appears on their screen along with your name.

This is possible because one of the ways Truecaller collects data to populate their database is through what they call “permission based” crowdsourcing. This is a process where, anyone who installs their app also has an option that gives the Truecaller app the option to upload their entire address book to the Truecaller database.

“There are several different ways that Truecaller gets its data. On a daily basis, there are over 350,000 new registered users that comes [sic] onboard on Truecaller that creates [sic] a profile. We have a very large user base that helps with contributing information by tagging and suggesting name to numbers, but also spam reporting. We have created a service that is built by a vibrant community that contributes and adds information so the rest of the community can benefit from it,” explained Ted Nelson, Chief Commercial Officer at Truecaller, to iAfrikan.

As part of the Truecaller app’s Terms of Service and Privacy Policy, you as a user have to give it access to your entire address book, which is in turn added to their global database of people’s contact details. Crowdsourcing is not the only method by which Truecaller collects people’s and organisations’ contact details as Nelson further explained to iAfrikan.

“We also gather, and organizes [sic] phone numbers from different sources including white and yellow pages across the world, and social media channels. Once the information is gathered, Truecaller runs it through different layers of verification (our proprietary algorithms) to make sure that the contact information we organize is accurate.”

That’s correct, through various methods Truecaller is able to integrate to various social media platforms and refine the data it already has uploaded on its contacts database. This can include things such as matching a name to a telephone number, uploading a profile photo, specifying a location, etc.

This is partially covered under section 1.1 of their Privacy Policy which states:

Truecaller may supplement the information provided by you with information from third parties and add it to the information provided by you e.g. demographic information and additional contact information that is publicly available.

The details of this data refinement process are not publicly available. Once you have uploaded your address book to Truecaller and it has been refined, those details are now available on their database. Throughout this process, you will note, that you (as a non-Truecaller user) are not notified that your personal contact details have been uploaded without your permission.

It gets even more interesting when you read section 1.2 of Truecaller’s Privacy Policy, which further emphasizes that Truecaller will have “access to device address book”:

When you install and use the Services, Truecaller will collect personal information from you and any devices you may use in your interaction with our Services.

This information may include e.g.: geo-location; your IP address; device ID or unique identifier; device manufacturer and type; device and hardware settings; SIM card usage; applications installed on your device; ID for advertising; ad data, operating system; web browser; operator; IMSI; connection information; screen resolution; usage statistics; default communication applications; access to device address book; device log and event information; logs, keywords and meta data of incoming and outgoing calls and messages; version of the Services you use and other information based on your interaction with our Services such as how the Services are being accessed (via another service, web site or a search engine); the pages you visit and features you use on the Services; the services and websites you engage with from the Services; content viewed by you, content you have commented on or sent to us and information about the ads you see and/or engage with; the search terms you use; order information and other usage activity and data logged by Truecaller’s servers from time to time.

Truecaller may collect some of this information automatically through use of cookies and you can learn more about our use of cookies in our Cookie Policy.

This means that, even if just one person has your contact details on their device address book, without your permission, as soon as they install the Truecaller app your contact details are now part of the global Truecaller database.

Truecaller doesn’t immediately make your contact details, as a non-user, available (but users can search based on your name) but as soon as you call any Truecaller user, the app’s caller ID function will query the database and identify you, thus indirectly “unlocking” your identity.

Upgrade for more details

Truecaller also allows anyone to search for your contact details by name, and if they don’t have you on their device address book, a Truecaller user can upgrade to the premium version of the app to be able to “ask” you for the app to display your telephone number.

Ask for more details Truecaller

That’s how Truecaller partly monetizes your contact details, whether you have the app installed or not. The other publicly visible monetization method they use is through serving ads on the app.

Although they don’t make the uploaded data immediately available publicly, the idea that one’s personal data (especially through someone else’s address book, and not publicly available) is being monetized without permission is a cause for concern apart from the privacy concerns.

“Truecaller features are permission based and are disabled by default, and the users can choose whether to participate in this community or not. We know that in today’s world, privacy is a top concern. That is why we make sure we have clear principles we follow, and allow our users to decide how their information is shown or shared,” said Nelson.

Nelson further added that to learn more about permissions required by Truecaller, you can visit their website here.

Concerned

The privacy concerns cannot be overemphasized in a time where even parents give their children (minors), smartphones to be able to keep in touch with them. Given Truecaller’s Terms of Service and Privacy Policy, this means that if a parent has the Truecaller app installed, their children’s contact details will be uploaded to the Truecaller database. Added to this, depending on how Truecaller enhances the data and which sources it uses, it could even identify more details on the children like their geo-location as mentioned in their Privacy Policy.

The other concern is that at no point in their processes does Truecaller ask those whose details are uploaded to their database whether they agree to this or not. Nelson however points out that, if concerned, “we make it very easy for people to unlist their number from Truecaller through our website.”

Even though there are benefits to having the Truecaller app installed, think a little longer (if you haven’t already installed app) on those whose privacy you could be putting at risk by installing the app.

Note: To unlist your telephone number from Truecaller, go here (If you are already a Truecaller user, you’ll need to deactivate your account before unlisting).

Update: Truecaller voiced concerns that the original title of the article “Truecaller has a disturbing privacy flaw that leaks your friends’ numbers” might be misleading. That’s why we’ve changed the word ‘leaks’ to ‘exposes’. However, Truecaller didn’t not explicitly point out any factual inaccuracies in the article.

This post was originally published by iAfrikan. Check out their excellent coverage and follow them down here:

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with