
Is Truecaller Really Being True?

The #ItsNotOk campaign launched by the caller ID app is in stark contrast to its own history of data and privacy breaches


"You have my number, but you don't have my consent."

That was the line, with the hashtag #ItsNotOK, used in a series of recent front-page ads in major Indian dailies by Truecaller, a caller ID and spam-blocking app infamous for its history of data breaches and intrusions of privacy.

In May 2019, Privacy International (PI), a UK-registered charity that promotes the right to privacy at an international level, published a story "concerning a journalist who was placed at risk due to the use of Truecaller by one of her sources".

Chloe (name changed by PI) is an investigative journalist working for an international broadcast service.

"She travels around the world to work with local journalists on uncovering stories that make the headlines: from human trafficking to drug cartels and government corruption. While her documentaries are watched by many and inspire change in the countries she works in, you would not know who Chloe is if we were to tell you her real name. That is because Chloe works hard to protect her anonymity. She values this anonymity, which allows her to approach sources without raising suspicions or concerns. When necessary, it also allows her to engage in undercover reporting," reported PI.

In February 2019, Chloe travelled to a country in West Africa for an undercover reporting assignment. She was expecting to be there for a while and might have had to return many times over the course of the year. As a part of her job, she had to "gain the trust of several sources who are in extremely vulnerable positions".

She bought a local SIM card to communicate with her sources. Since the people she was investigating were not state actors and had no tech resources, she was reassured that she "does not need to worry about state surveillance of her communications".

As a part of the investigation, Chloe told her sources who she is, who she works for and what she was trying to achieve. One day, Chloe booked a cab to go and meet her source. When she entered the cab, the driver greeted her: "So, you work for The Inquirer (name changed by PI)?"

The driver pointed at his phone. Her number was registered as "Chloe The Inquirer Journalist."

Shocked, Chloe called her office to try and find out how her identity had been breached. On probing, it was found that one of her sources was using Truecaller. "She called her source and after they hung up, Truecaller offered the source the option to tag Chloe's number, since the number was not in their database. The source did not see the potential for harm and tagged Chloe's number as 'Chloe The Inquirer Journalist'. Now every time Chloe makes a phone call using that phone number, her name appears to Truecaller users, like the cab driver, as 'Chloe The Inquirer Journalist'," PI reported.

Chloe's case is not a classic case of state surveillance. "Chloe was betrayed by an app she had never even heard of: TrueCaller". It was a systematic breach by Truecaller, an app which claims to enable you to "block unwanted calls & SMS". It says, "Truecaller stands against women's harassment and strives to make communication more safe and efficient." And hence the campaign #ItsNotOk.

Other than the systematic breaches by the app, there are several cases which raise questions about the integrity of the app.

Through the tagging option on Truecaller, the person who is tagged ends up having his/her name and phone number stored on the Truecaller database. All of this is done without consent or even awareness of the process. In 2017, the Article 29 Working Party, an independent European advisory body on data protection and privacy, called Truecaller out for collecting and tagging non-users' data without their consent.

Like many other applications, Truecaller holds two sets of privacy policies: one for Europe and another for the rest of the world. Needless to say, India, which is Truecaller's largest user base with around 75% of its daily active users, has no data protection law.

After Chloe's case, Privacy International contacted Truecaller to enquire how they could check the safety of non-users of the app. "In their reply, they brought to our attention the option offered to non-users to 'unlist' themselves. By unlisting oneself, a non-user prevents Truecaller from adding their number into the database," PI revealed. During the exchange with Truecaller, they also suggested that Truecaller (a) "advertise the unlisting option more clearly" and (b) "send an SMS to any non-user whose number is entered to warn them someone is attempting to enter their number and ask them for consent. This would also be an opportunity to inform them about the unlisting option."

In the exchange published on the website of PI, it is evident that the company didn't pay much heed to the suggestion. The reply was, "Thanks for sharing your response. We truly appreciate the professionalism you've shown throughout this process, and we appreciate the feedback you've shared."

Truecaller, however, claims that "the Privacy International article failed to address some of the key points", and points out that "There are privacy safeguards in place for people who are not Truecaller users but have their names tagged by a Truecaller user."

According to them, "One cannot just search for a name on our application and get a number of any user or non-user. By default, non-public numbers are shown as 'private' and hence hidden. A contact request must be sent to the number owner for any exchange of information to take place. This means that the number owner has full control of who can receive their number details."

The statement added, "We would point out that the investigative reporter would have been able to withhold her identity by changing her phone settings by choosing not to 'Show My Caller ID' in the settings on the operating system of her phone."

But this begs the question: If I download Truecaller, do I have to be tech-savvy enough to understand the risks I might invite? Would I also have to ensure that all the people in my contact list are equally sound and competent when it comes to technology?

In May 2019, Economic Times reported that the data of over 300 million Truecaller users in India was being sold for about Rs 1.5 lakh on the dark web. Truecaller, however, claimed that the "majority" of data that was allegedly being sold on the dark web did not match their database.

On this issue, Truecaller told Outlook, "We had long conversations with them and confirmed that there was no sensitive user information that was accessed or extracted, especially financial or payment information. This incident was not an attack on our database, as data stored on our servers is highly secured. This is something that we have communicated to Cyble as well."

In November 2019, Zak Doffman from Forbes reported that "India-based researcher Ehraz Ahmed discovered the flaw, disclosing it to local media and the company and waiting for a fix before going public." Doffman adds, "He explained to me that 'the flaw allows an attacker to inject his malicious link as the profile URL. The user viewing the attacker's profile by search or through a popup gets exploited.'" Ahmed presented a proof of concept to demonstrate that he was able "to fetch a user's information like IP address, User-Agent, and time. The user visiting the profile would not notice this as it all happens in the background, and for the user, it would look like any other profile."

In a statement to Outlook, Truecaller said, "As for the Ehraz Ahmed case, we have been very diligent and responsive in all communication with him. We clarified all his concerns and at the end, the error was 'not reproducible'."

In September 2019, the National Information Technology Development Agency (NITDA) opened an investigation into Truecaller over its privacy policy. NITDA released a statement alerting the public to possible data infringement. It cited Article 1.1 of the app's privacy policy, "Truecaller may supplement the information provided by You with information from third parties and add it to the information provided by you." Quoting Article 3, "Truecaller may also share personal information with third-party advertisers, agencies and networks," NITDA observed that Truecaller collects too much data, far beyond what is necessary for the app to perform its basic function.

However, Hitesh Raj Bhagat, Truecaller's Director of Corporate Communications, India, told Outlook that "the data protection investigation is now closed with a 'favourable outcome'."

In July 2019, Internet Freedom Foundation flagged the automatic registration of unified payments interface (UPI) based IDs of Truecaller users without their knowledge and consent. As a result, the National Payments Corporation of India (NPCI) stopped onboarding new Truecaller users on the UPI Platform.

"It's true that in 2019 there was a bug in the app that led the digital payment authorities to impose restrictions while onboarding new payment users. However, the issue was quickly fixed, no data was compromised and the overall app was not affected," says Bhagat.

In May 2020, the American cyber intelligence firm Cyble Inc revealed a data leak of the names, gender, age, city, telecom service provider, Facebook account, email ID and mobile number of 4.75 crore Indians from the Truecaller database. The personal data was put up for sale for $1,000 on the dark web. In an email statement, Truecaller, however, denied any breach of its database and claimed that all user information is saved securely.

Emmanuel Paul from Techpoint Africa sought help from a developer who goes by the name Angry Wizard, dug deep into Truecaller's algorithms and found two major loopholes.

(1) The developer hinted that all the information collected from the users is uploaded to "a third-party domain belonging to a company called CleverTap, a mobile marketing company located in Mountain View, California which enables marketers to identify, engage, and retain user info in an automated process."

(2) "According to Angry Wizard, the information of over 30,000 contacts and names of spammers reported by Truecaller users are made public, requiring no authentication for anyone to access", Techpoint Africa reported. On December 3, 2019, they reached out to Truecaller's Director of Communications, Kim Fai Kok, and demanded clarification. Mr Kok refuted all the allegations.

Paul, however, mentions, "To double-check these claims, on December 5, we sent two mobile numbers to the Wizard: one of a Truecaller user, and the other belonging to a non-Truecaller user and surprisingly, he sent back URLs containing information of both numbers. A day or two after, the links stopped working, so we briefly thought Truecaller had fixed the issue. But last week Friday, we received another link containing the same information from both numbers."

If tech companies spent half as much money, time and energy on mending their algorithms and upholding the digital rights and privacy of their users, then paint-me-in-a-good-light campaigns like #ItsNotOK would not be required.

This long list of allegations and data breaches by Truecaller, which according to the company were committed by "some bad actors" who would "compile databases from different sources and label them as Truecaller data", is in stark contrast to its recent campaign. But given the conflicting positions, perhaps one needs to knock on the doors of Truecaller and ask, "Was That Ok?"
