Right after the news of a recent bug in Truecaller’s app, a software developer going by the name ‘Nemo’ on Twitter has discovered another privacy concern in the Sweden-based caller-ID and payments app.
According to Nemo, Truecaller uses third-party Software Development Kits (SDKs) to parse its users’ SMS messages and compute an offline credit score for each user. The specific words and phrases these SDKs look for in a user’s messages include some 356 terms such as salary, credit, debit, bounced, cheque, premium and insurance, along with retailer names such as Reliance Fresh, Metro Cash and Carry, Grofers, Uber, IRCTC, IndiGo and Airbnb.
Further, the SDKs also match specific phrases, some written as regular expressions (note the `(\\S*)` capture group below), such as ‘You are eligible for an EMI card with a limit of Rs.’, ‘Total loan amt on your Bajaj EMI Card is upgraded to’, ‘Your EMI card number (\\S*) has been delivered.’, ‘Dear Customer, First EMI due on’, ‘Thank you for your payment’, ‘Your premium of Rs.’ and many more, but you get the drift.
(In picture: Screenshots of some phrases searched by Truecaller in user messages, shared by Nemo)
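To make the privacy exposure concrete, here is an added illustration (written for this piece, not code from Truecaller, MessAI or Walnut) of what a keyword-and-regex scan of an SMS inbox extracts. The phrase templates are the ones quoted above, turned into regular expressions; the `(\S*)` capture is from the leaked list, while the amount and date captures, the sample messages and the profile fields are assumptions made for the example.

```python
"""Keyword/regex scan of SMS text, modelled on the SDK behaviour described above.
Added illustration only; not Truecaller, MessAI or Walnut code."""
import re

# A subset of the ~356 terms reported above (spelling and casing assumed).
FINANCE_TERMS = ["salary", "credit", "debit", "bounced", "cheque", "premium", "insurance"]
MERCHANTS = ["reliance fresh", "metro cash and carry", "grofers", "uber",
             "irctc", "indigo", "airbnb"]

# The quoted phrase templates as regular expressions. The `(\S*)` capture in the
# EMI-card line is from the leaked list; the amount and date captures are
# assumptions added here so the extracted values can be shown.
PATTERNS = {
    "emi_card_eligible": re.compile(
        r"You are eligible for an EMI card with a limit of Rs\.?\s*([\d,]+)"),
    "emi_card_upgraded": re.compile(
        r"Total loan amt on your Bajaj EMI Card is upgraded to\s*(?:Rs\.?)?\s*([\d,]+)"),
    "emi_card_delivered": re.compile(r"Your EMI card number (\S*) has been delivered"),
    "first_emi_due": re.compile(r"Dear Customer, First EMI due on\s*(\S+)"),
    "payment_thanks": re.compile(r"Thank you for your payment"),
    "premium": re.compile(r"Your premium of Rs\.?\s*([\d,]+)"),
}


def scan_message(text):
    """Return (matched terms, {pattern name: captured value}) for one SMS."""
    lowered = text.lower()
    # Plain substring matching, as a flat keyword list implies. Note that
    # "credit" also fires on "credited", so such a scorer over-collects.
    terms = [t for t in FINANCE_TERMS + MERCHANTS if t in lowered]
    hits = {}
    for name, pattern in PATTERNS.items():
        m = pattern.search(text)
        if m:
            hits[name] = m.group(1) if m.groups() else True
    return terms, hits


def profile_inbox(messages):
    """Aggregate per-message hits into the kind of profile a scorer would build."""
    profile = {"scanned": len(messages), "financial": 0, "merchants": set(),
               "card_numbers": [], "amounts_inr": []}
    for text in messages:
        terms, hits = scan_message(text)
        if not terms and not hits:
            continue  # nothing of interest in this message
        profile["financial"] += 1
        profile["merchants"].update(t for t in terms if t in MERCHANTS)
        if "emi_card_delivered" in hits:
            profile["card_numbers"].append(hits["emi_card_delivered"])
        for key in ("emi_card_eligible", "emi_card_upgraded", "premium"):
            if key in hits:
                # Indian digit grouping (1,50,000) -> 150000
                profile["amounts_inr"].append(int(hits[key].replace(",", "")))
    return profile


# Constructed sample inbox for the example (not real messages).
SAMPLE_SMS = [
    "Your EMI card number 4055XXXX9876 has been delivered.",
    "You are eligible for an EMI card with a limit of Rs.1,50,000. Apply now.",
    "Dear Customer, Your premium of Rs.2,500 for your insurance policy is due on 10-Aug.",
    "Thank you for your payment of Rs.245 to Uber via debit card.",
    "Hi, are we still on for lunch at 1?",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(scan_message(sms))
    print(profile_inbox(SAMPLE_SMS))
```

Four of the five constructed messages are flagged, and the aggregate already contains a card identifier, two loan or premium amounts and a merchant relationship. That is the point of the concern: a general SMS permission granted for spam detection is enough to run this scan, which is why the separate, explicit consent Truecaller describes below matters.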
Nemo told Inc42, “Truecaller FAQs clearly state that for checking one’s eligibility, a user has to simply look under the banking tab of the Truecaller app, and in order to determine someone’s credit eligibility, Truecaller has to be scoring all its users.”
However, in response to our query, Truecaller said, “For loans, we explicitly ask users who wish to apply for a loan, to give us permission to analyse their transaction messages (only). The process is completely consent based and is separate from the general SMS permission that is required at the time of login to provide spam detection in SMS Inbox.”
The two entities providing these SDKs to Truecaller are the customer-profiling SaaS tool MessAI and the CapitalFloat-owned wealth management app Walnut. Commenting on this, Amit Bhor, founder of Walnut and CPO of CapitalFloat, said, “Walnut SDK is used independently by Truecaller app based on its own privacy policies and controls. Walnut does not get access to this data unless the customer consents to the data being shared.”
“We were only involved as a technology service provider in this agreement and have currently discontinued the SDK model, and no other apps use this SDK,” he added.
The Curious Case of MessAI
Behind Truecaller’s snooping seems to be a company called MessAI, which claims to have been acquired by Truecaller in April 2019. Interestingly, Nemo claimed that this update on the MessAI website was put up only today, following his tweetstorm of July 31.
Truecaller has confirmed to Inc42 that MessAI is now an in-house Truecaller technology: it acquired the startup, both team and technology, in April 2019.
“The MessAI team is working towards providing enhanced features like Smart Notifications and seamless communication experience to our app users,” the Swedish company added.
Registered as TwelfthMile Creations, Bengaluru-based MessAI is a SaaS tool that lets providers of mobile applications and websites profile the end users who download, access and interact with their services.
The company’s privacy policy states that it collects users’ information related to their transactions, including the identity of the service or product they are paying for and the amount paid. It also records users’ mobile numbers, names, partial payment card data, subscription renewals and order confirmation messages.
The policy also allows it to share aggregated and non-identifying information with third parties for industry analysis, demographic profiling and similar purposes, while claiming not to sell any personal information of users to third parties.
India Is Truecaller’s Biggest Market
In an official blog post published on February 20, the company announced that it has 100 Mn daily active users in India. It also said that every tenth active user in India has linked a bank account to Truecaller Pay.
“We will continue to expand in the Indian market and integrate more services to create a robust unified communication platform, and simplify the lives of our users,” Alan Mamedi, CEO and cofounder of Truecaller had noted.
Founded in 2009 by Alan Mamedi and Nami Zarringhalam, Truecaller launched its UPI-based Truecaller Pay in 2017 in partnership with ICICI Bank. The app allows users to instantly create a UPI ID and transfer money to any UPI ID or to a mobile number registered with the BHIM app. It also lets users recharge their mobile number from within the Truecaller app itself.
In 2018, the company also acquired the Indian payments company Chillr to strengthen its payments business in the country. Then, in March, the company announced plans to enter the lending sector in India as well.
According to Truecaller, the loan amounts it offers range from INR 1 lakh to INR 5 lakh; the amount a user is actually eligible for is displayed in the app. The loan service is initially available in 22 cities in India and is currently in a pilot stage, according to Truecaller.
“In order to comply with user authentication rules, the company will initially rely on physical processes of authentication as there is still confusion over electronic KYC process and its alternatives,” the company had said earlier.
Data Privacy Concerns
As India’s fintech sector emerges as a promising trillion-dollar opportunity, concerns around data privacy have become a harsh reality. Following the recent bug in the Truecaller app update, two more fintech startups, Chqbook and Credit Fair, were reported earlier this week to have suffered data breaches.
These breaches were said to have put millions of users’ data at risk of being used in harmful and illegal ways, including account takeover, identity fraud, phishing, blackmail and even extortion.
India has been reported as the second most cyber-attack-affected country between 2016 and 2018. The average cost of a data breach in India has risen 7.9% since 2017, with the average cost per breached record reaching INR 4,552 ($64).