This article is written by Aditi Bhushan from KIIT School of Law.
In a PIL against Truecaller International, the Bombay High Court issued notifications to the Union and Maharashtra governments, among others. The PIL submitted by one Shashank Posture, petitioner in person, was heard by a bench consisting of Chief Justice Dipankar Datta and Justice G S Kulkarni. According to the petitioner, the True Caller App gathers user data, distributes this information with certain of its partners without the users’ permission. Because the user has no option, Posture termed it a “manipulative set up”. In addition, the software registers users for a Unified Payments Interface service without their knowledge or due process. Posture stated that he has named the Union, the Maharashtra government, the state IT department, Truecaller International LLP, ICICI Bank, and the National Payment Corporation as defendants in the lawsuit. He charged government officials of authorising the App and allowed it to operate without necessary checks, in violation of information security standards guidelines. The PIL states that Truecaller shares data to certain third parties that would benefit them for financial usage, this is false information. Important to note, pursuant to a strategic business decision last year, Truecaller discontinued offering Unified Payments Interface (UPI) payment services and has not signed up any new users on UPI since August 2019.
“The case of the petitioner is that Truecaller through its mobile application has indulged in an absolute breach of data privacy of citizens. He submits that such breach is contrary to data protection laws,” said the court.
According to a Truecaller representative, “Truecaller is a privacy-focused service based on trust. We comply with data privacy regulations and are prepared to comply with additional data protection legislation across the world. Furthermore, Truecaller uses data minimisation, which means that we only collect the information needed for our service to function and nothing else. As a result, we want to reassure all Truecaller users that their data is secure. Truecaller does not sell or disclose any of its users’ information. We genuinely care about our users and their data, and we want to reassure them that we manage their data safely and in accordance with our privacy policies.”
“All users’ data is collected by the Truecaller app. It distributes such data with some of its partners without users’ agreement and shifts the risk to the user,” Posture said to the court, adding, “This is a deceptive structure because the consumer has no option. The software also registers users for a Unified Payments Interface service without their knowledge or consent.” When asked to specify the parties who benefited from these transactions, the petitioner named Google India, Bharti Airtel, and ICICI Bank and numerous other loan firms. Posture further claimed that government officials authorised the Truecaller software “without necessary procedures and in violation of the information laws security practise rules.
App for identifying phone calls Truecaller has denied that its systems were breached. A database containing the personal information of 4.75 crore Indians was recently up for sale on the dark web for $1,000. The data leak, discovered by the American cyber intelligence firm Cyble Inc, includes information such as the user’s name, gender, age, city, telecom service provider, Facebook account, email address, and mobile phone number. According to Truecaller, there has been no breach of the company’s database and all user information was secure. “We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before,” a company spokesperson said in a statement.
Before moving further, let’s get to the basics. What exactly is Truecaller and what all stories are building up around it? Truecaller is a fantastic application/service that can give you the name and any other accessible information about a phone number even if it is not recorded in your contact list. But here’s the thing: have you ever wondered where Truecaller gets all of its information from?
They are gathering this information from all of you, Truecaller subscribers. By using the app, you are handing up your and everyone else’s information – which is saved on your smartphone – to the firm, which they will use to reveal names and addresses to anyone who searches for a phone number or a name. Truecaller obtains authorization to track your specific position so that individuals in your vicinity may search for and access your information much more simply.
What will happen if the information stored by Truecaller gets in anyone’s hand?
Truecaller has been previously actually hijacked by a group known as the Syrian Electronic Army. They were successful in stealing 7 databases including access tokens for millions of Facebook, Twitter, LinkedIn, and Gmail accounts. They might use this to post on user profiles and access the information they want without the people realising it. The databases they took were 564 GB in size.
Consider what might happen if someone had access to your profiles and phone number… I’m sure you don’t want that! You should be aware that anything on the internet is susceptible and never secure. iCloud, one of the most well-known cloud storage providers, was hacked, and private photos of celebrities were released.
Such breach of privacy also hinders basic rights granted to us by the Indian constitution. Moreover in the absence of data protection legislation, courts have adopted opposing opinions on the breadth of fundamental aspects of privacy, such as the right to be forgotten. The lack of data protection legislation makes it hard to determine what rights we have, rendering the basic right virtually useless. The lack of a consistent basis for entitlements exacerbates inconsistency among courts and in our collective perception of such a right.
Secondly, a data protection legislation has the potential to enable effective legal remedy, to provide teeth to the basic right, and to create disincentives for data fiduciaries to unlawfully acquire personal data. Currently, the Indian constitution prohibits writ remedies against wholly private entities since they do not form a “state” within the meaning of Article 12. This means that, in every case where a purely private body violates a citizen’s right to privacy, there is currently very limited recourse available under Indian law, such as section 43A of the Information Technology Act, 2000 (IT Act) read with the Information Technology (Reasonable security practises and procedures and sensitive personal data or information) Rules, 2011 (Pr).
Section 43A allows individuals to seek restitution from ‘body corporates’ (defined as corporate entities engaged in commercial and professional activities encompassing tech businesses in general) that, among other things, fails to implement reasonable security practises as a result of wrongful loss to an individual. However, the more serious duties imposed by the Privacy Rules long as necessary, sharing only with prior consent, disclosing recipients to the user, and providing a grievance redress mechanism) only apply to ‘sensitive personal data,’ which includes only specific defined categories of information (for example, passwords, health data, financial data, or biometrics), and not personal data in general. Further, in the absence of actual demonstrable financial loss, it is also difficult to make a claim where there has been breach of privacy per se but no related financial loss as such as injury to privacy without any actual damage. Every day that we go without data protection legislation, the government fails to meet its positive duty to provide a framework that allows us to properly exercise our basic right to privacy.
What am I supposed to do?
The best approach to be secure online and keep your information private is to avoid disclosing too much personal information to any online site. Consider the information you publish on the internet to be public, because it will be exposed to the public sooner or later. In my opinion, the internet lacks a private sector. These days, a mobile phone number is the most private piece of information. And don’t share it with the world.
Enactment of Personal Data Protection (PDP) Bill: Indeed, the government’s excessive delay in presenting the PDP Bill, as well as its potential to further postpone the PDP Bill’s implementation by notifying different parts individually and indefinitely, breaches our right to privacy. Enough has been said about the relationship between due process and delay, and how justice delayed is justice denied. The struggle for the right to privacy has been gradual and steady, and one might argue that we have gone a long way from M.P Sharma and Ors. v. Satish Chandra to Puttaswamy & Ors. v. Union of India and Anr. However, one is left wondering if, in the four years after recognising privacy as a basic right, we could have enacted legislation that aids in its successful implementation.
- Narsi Benwal, Bombay High Court orders Union govt to respond to PIL alleging Truecaller of sharing user data with third parties, The Free Press Journal, ( July 7, 2021, 11:05 PM ), https://www.freepressjournal.in/mumbai/mumbai-bombay-high-court-orders-union-govt-to-respond-to-pil-alleging-truecaller-of-sharing-user-data-with-third-parties.
- Debangana Ghosh, Truecaller denies data-breach allegations, The Hindu Business Line, (July 08, 2021), https://www.thehindubusinessline.com/companies/truecaller-denies-data-breach-allegations/article35217358.ece
- Bombay High Court Issues Notice On PIL Alleging Privacy Breach By True Caller App, in (8 July 2021 8:32 AM), https://www.livelaw.in/news-updates/true-caller-app-breaches-data-privacy-pil-in-bombay-high-court-177049
- Prasid Banerjee, Truecaller denies breach after data of 4.75 crore Indians appear on dark web, LiveMint, (27 May 2020, 12:38 PM), https://www.livemint.com/technology/tech-news/truecaller-denies-breach-after-data-of-4-75-crore-indians-appear-on-dark-web-11590562442362.html
- Gautam S Mengle, Truecaller data for sale on dark web is from 2019 leak, The Hindu (MAY 27, 2020 22:17 IST), https://www.thehindu.com/sci-tech/technology/internet/truecaller-data-for-sale-on-dark-web-is-from-2019-leak/article31689456.ece
- Siddharth Sonkar, Privacy Delayed Is Privacy Denied, The Wire (MAY 24,2021), https://thewire.in/tech/data-protection-law-india-right-to-privacy