Truecaller under fire after app signs up for UPI without consent
In a statement, the developers of Truecaller — known for its crowd-sourced caller identification feature — said the fault was in “the latest update of Truecaller that affected the payments feature, which automatically triggered a registration”.Updated: Jul 30, 2019 23:57 IST
Popular mobile application developer Truecaller was caught in a privacy controversy on Tuesday after several users in India reported being signed up to use the company’s UPI-based mobile payments service without opting for it – an occurrence that the company said was due to a bug.
Some of these users believed they were target of a fraud and took to social media platforms such as Twitter to post screenshots of text messages their phones automatically sent out, prompting privacy experts to criticise the company for what they saw as breach of trust.
“I woke up and checked my Android phone, which auto-updated a few apps, including Truecaller. It automatically, immediately sent an encrypted SMS from my phone to an unknown number, following which ICICI Bank sent me a text message saying my UPI app registration has started,” said Bengaluru-based software developer Dheeraj Kumar, who was among the first to report it on Twitter.
In a statement, the developers of Truecaller — known for its crowd-sourced caller identification feature — said the fault was in “the latest update of Truecaller that affected the payments feature, which automatically triggered a registration”.
The company did not give a number on how many were affected, but said that a majority of its 100 million users were on the Android platform. “This issue has affected only a small fraction of Android users and not iOS users,” said Manan Shah, the marketing director for Truecaller’s India operations. “We are extremely sorry for the inconvenience caused to our users. This was not our intent,” he added.
UPI, or United Payments Interface, is a realtime payments service that underpins a growing number of mobile applications that people can use to send money across banks or use for purchases on websites. Concerns over its potential for misuse are not new, since there have been instances where people were targeted by fraudulent “collect” requests and fooled into making payments by callers pretending to be bank officials.
An official of the National Payments Corporation of India (NPCI) said action will be taken if needed. “There was an issue in the app observed today… We understand that it has been fixed and till then, user on-boarding has been stopped in this app,” said Dilip Asbe, MD and CEO of NPCI.
Privacy experts said the controversy raises larger questions. “What Truecaller essentially did was a breach of user expectation that their privacy will be safeguarded. They used personal details to sign up for a service users did not choose. This raises worrying questions, because if a service provider can carry out sign-ups, it can also potentially carry out financial transactions,” said Apar Gupta, founder of Internet Freedom Foundation, a privacy and online liberties advocacy group.
“Truecaller gave no details of the error or the impact, which just points to a larger problem in the context of data protection and privacy. As a policy, we have no mechanism to hold service providers accountable in such a scenario,” he added, saying the problem was not confined to companies like Truecaller alone and that the government must expedite the rollout of a stringent data protection policy.
According to Truecaller executive Shah, the users who were automatically signed up for UPI were being de-registered. “The new update was rolled out yesterday [Monday] evening and we started noticing user complaints today afternoon. The update rollout was immediately stopped,” he said.
(With inputs from Rajeev Jayaswal)
First Published: Jul 30, 2019 23:57 IST