Spammed if you do, spammed if you don't: is Truecaller putting your privacy at risk?


Disclaimer: This article has been updated with additional notes from Hitesh Raj Bhagat, Global Head of Corporate Communications. You can find these at the bottom of the article.

You might take good care of your online privacy. You might use one of the best VPN services every time you go online. You might also make sure to secure your important communications with encrypted messaging apps.

However, one day you may realize that your name and phone number are available for anyone to access without you even knowing it.

Wildly collecting and exposing people's phone details without their consent is one of the main allegations against the popular scam call-blocking software Truecaller.

The US-based Viceroy Research - which describes itself as an international investigative financial group - set out this and other violations in its latest detailed report, which digs into both the company's business model and security infrastructure.

Despite Truecaller denying all accusations and Viceroy Research being sued for false claims in the past, many questions around the app's privacy protections remain. 

What is Truecaller?

Truecaller is a mobile app available for Android and iOS devices that automatically filters and blocks untrustworthy calls to prevent spam.

Users will simply need to provide their phone number to start using the service. The app will then access their contacts to build up its phonebook and improve its spam database. It even blocks malicious messages before they can reach your device.

As the tech firm argues on its official website: "Truecaller is proud to be a leader in caller ID and spam blocking software as well as research around call and SMS harassment."

A Swedish-based company, Truecaller is particularly popular across the Sub-Saharan African region and India. The latter is actually its top market globally, now boasting more than 190 million daily active users according to The Economic Times.

This is not surprising, as India is among the countries receiving the most spam calls.

More remarkable, perhaps, is the fact that the company actually moved its operations and data servers to India in 2018. And, according to Viceroy, there are some shady reasons lurking behind this business turn.

The allegations: from security breaches to invasive data collection

In its Truecaller’s True Colors report, Viceroy Research lays out quite a few claims against the benevolent nature of the popular call-blocking app.  

When users install Truecaller on their smartphone, the app asks permission to access their list of contacts to feed its own phonebook. This means that people's phone numbers will end up in its database just because they are saved on a device that uses such a tool, without them agreeing to it.

You might be wondering how such an invasive data collection practice could be allowed. Well, it isn't really. This modus operandi is actually against both Google's Privacy policy and the EU/UK GDPR - the data protection law which seeks to minimize users' data collected online.

So, how is Truecaller able to conduct its operations in this way, then?

To bypass app stores' regulation, for example, the company has been reported to have made deals with Android phone manufacturers to pre-install its app on new devices. Plus, it doesn't need to comply with these rules if people sign in from their browser.

As mentioned before, in 2018 Truecaller moved all its data centers to India. And, guess what also happened that year? GDPR was introduced. However, according to Viceroy's researchers: "Truecaller is still subject to GDPR regulations, and these regulations apply to all Truecaller users." 

Viceroy also accuses the Swedish company of evading taxes in India - a country where its sales grew 133% between January and June this year. They also found Truecaller guilty of spamming its users with invasive ads and web trackers. Researchers are especially worried about how the software indiscriminately collects such sensitive data about minors, too.


What's worse is that Viceroy isn't the first to investigate Truecaller's alleged privacy abuses and security breaches. Below are just some examples.

In 2013, an investigation into how a group of Syrian hackers (the Syrian Electronic Army) was able to exploit the app's database put its security model under scrutiny.

The Article 29 Working Party, at the time the independent European advisory body on data protection, had already raised its concerns over Truecaller's compliance with data protection laws in 2017.

In 2019, there were then a few reports showing how the data of many Truecaller users - mostly Indians - had been exposed on the dark web. Privacy International pointed out the dangers of ending up in the Truecaller database for journalists and other users whose privacy is paramount.

At the time, the privacy advocates recommended the company take action to fix its privacy issues. However, "TrueCaller acknowledged our response but did not show an interest in following those steps."    

More recently, Indian investigative magazine The Caravan looked at how Truecaller's ‘Enhanced Search’ makes users automatically share all their contacts' details, like names, numbers and email addresses.

It also reported on an even more worrying dynamic. Former Truecaller employees told The Caravan that the app can access user SMS messages to build a financial profile of its users. As it's common practice for Indian banks to communicate with their customers via SMS, "this ability...could allow the app to send loan offers to people when their bank balance goes down below a certain limit."  


Truecaller responds

Truecaller promptly replied to such allegations, denying that any privacy abuses occurred. 

Specifically, the company responded to The Caravan's investigation claiming that: "Truecaller is not interested in building or collecting financial profiles of its users." 

It also argued that The Caravan's ‘Enhanced Search’ accusation was factually incorrect. However, Viceroy Research found the feature auto-checked for new users in India until September 28.

At the same time, Truecaller also slammed Viceroy's misconduct claims as false. "The short seller made various false and unverified statements about us," a spokesperson told TechRadar. 

For instance, the provider said that the reason why it moved to India was actually to get closer to its biggest chunk of users and deliver faster performance. It also points out that it needs permission to access the phonebook to function properly. However, the company assures that users' privacy is not violated.

At the same time, it is also worth noting that Viceroy Research has been fined R50 million for falsely accusing South Africa's Capitec Bank of acting as a "loan shark."

So, from one side to the other, many doubts still remain. 

What's certain is that, with India's new data protection law on its way, the Swedish company will soon need to align its data collection practices with new regulations if it doesn't want to answer in court for failing to do so.

Chiara Castro
Senior Staff Writer
