Reports came out on Tuesday that the Truecaller app had sent SMS messages from the phones of unsuspecting users to create UPI IDs with ICICI Bank. A payments feature, called Truecaller Pay, had been added to the app two years ago in partnership with ICICI Bank. After facing criticism on social media, NPCI and Truecaller have issued statements. Truecaller has since issued an app update to stop this automated process.
In February this year, Truecaller stated that it has more than 100 million daily active users in the country. The figure for monthly active users could be higher. While Truecaller said yesterday that all affected users would be deregistered, it is still unclear how many people were affected and what information was shared. Information regarding their existing bank accounts was revealed in the process, and their phone numbers and other information may have been shared with ICICI Bank. Exact details are scant at the moment. It is unclear how Truecaller discovered the identity of the bank(s) with which the user had an account. Annexure IV of NPCI’s Unified Payments Interface – Procedural Guidelines states that a PSP (Payment Service Provider) application has to send an SMS from the mobile device to fetch the mobile number and bind it to the device, but the name of the bank has to be selected manually by the user. Only after that step can the app use the mobile number to generate a request with the bank. The bank would then send “the account details including Account Number & IFSC registered for that mobile Number in a masked format to UPI. UPI sends this to the PSP which in turn passes this information to the PSP App.” It is worth noting that Truecaller is not a PSP as per the list of members on NPCI’s website. The PSP for Truecaller is ICICI Bank.
NPCI has an FAQ on UPI which reads:
How are you getting all my bank A/C information?
This is a feature of the UPI payment platform (built by NPCI - an RBI regulated entity). The UPI platform retrieves the accounts details linked with your mobile number in a masked manner i.e. UPI app can't see all the details. This exchange is done over secure banking networks and we don't store or ever use it.
“Truecaller may use the personal information collected to provide, maintain, improve, analyze and personalize the Services to its Users, partners and third party providers. More specifically, Truecaller may use such information to:
f. enable You to use and share Your information in connection with Your registration, login or other use of third party services e.g. payment service providers, online services, social networking sites and other third party API’s; and”
With the current laws in the country, a user hardly gets any protection from such misuse of data. Vague promises to correct one’s actions and to do better in future are insufficient and come with minimal accountability. This issue further highlights the need for a dedicated data protection law in the country. In 2017, a nine-judge bench of the Supreme Court of India recognized that the right to privacy is a fundamental right. Since then, the draft Personal Data Protection Bill, 2018 has been published and public comments were invited on it. SFLC.in submitted its comments and suggestions on this bill. The bill is expected to be tabled soon in the parliament.
Two years ago, UIDAI had suspended Airtel and Airtel Payments Bank’s eKYC license for automatically creating Airtel Payments Bank accounts for people without their consent or knowledge when they performed eKYC for Airtel’s telecom arm. This resulted in a loss of INR 190 crore in subsidies for millions of people. Airtel later offered to return this money, but the harm to affected parties could be irreversible, considering that these subsidies are meant for people who would not be able to afford the products without them.
We strongly suggest that you grant only the essential permissions for apps to function as intended. Think before you grant any permission. If a flashlight app, for example, asks for your contact information, do not grant that permission to it. If the app refuses to function without that permission, uninstall that app and do not use it any further. Both Android and iOS allow you to go into your phone’s settings and revoke any permission that you had previously granted to an app, or to grant a permission that you had previously refused. SFLC.in regularly conducts digital security trainings for people of all backgrounds to better educate users on safe usage of communication devices.
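The advice above is easier to act on if you can see which apps currently hold SMS and call-log permissions. The following is an added example, not code from SFLC.in, Truecaller or NPCI: a small Python script that reads the "runtime permissions" section of output in the style of `adb shell dumpsys package <package>` on Android, flags granted permissions that a caller-identification app has no obvious need for, and prints the `adb shell pm revoke` commands that would withdraw them. The sample dump, the package name com.example.callerid and the exact dumpsys layout are constructed for this example; the real output varies between Android versions, so treat the parser's format assumptions as such.

```python
import re
from typing import Dict, List

# Permissions a contact-identification app has no obvious need for.
# This list is the example's own choice, not a platform-defined set.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample modelled on `adb shell dumpsys package <pkg>` output.
# Package name, hashes and grants are made up for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.callerid] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.SEND_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=false, flags=[ USER_FIXED ]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_permissions(dump: str) -> Dict[str, Dict[str, bool]]:
    """Return {package: {permission: granted}} taken only from the
    'runtime permissions:' section (the grants a user can revoke)."""
    result: Dict[str, Dict[str, bool]] = {}
    current_pkg = None
    in_runtime = False
    for line in dump.splitlines():
        pkg_match = PKG_RE.match(line)
        if pkg_match:
            current_pkg = pkg_match.group(1)
            result[current_pkg] = {}
            in_runtime = False
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime and stripped.endswith(":"):
            in_runtime = False  # a new section header ends the block
            continue
        if in_runtime and current_pkg is not None:
            perm_match = PERM_RE.match(line)
            if perm_match:
                result[current_pkg][perm_match.group(1)] = perm_match.group(2) == "true"
    return result


def flag_high_risk(perms: Dict[str, Dict[str, bool]],
                   risky=HIGH_RISK_PERMISSIONS) -> Dict[str, List[str]]:
    """Per package, the granted permissions that appear in the risky set."""
    return {
        pkg: sorted(p for p, granted in grants.items() if granted and p in risky)
        for pkg, grants in perms.items()
    }


def revoke_commands(flagged: Dict[str, List[str]]) -> List[str]:
    """adb commands that withdraw each flagged runtime grant."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in flagged.items() for perm in perms]


if __name__ == "__main__":
    grants = parse_runtime_permissions(SAMPLE_DUMPSYS)
    flagged = flag_high_risk(grants)
    for pkg, perms in flagged.items():
        print(f"{pkg}: {', '.join(perms) or 'no high-risk grants'}")
    for cmd in revoke_commands(flagged):
        print(cmd)
```

Running it on the constructed dump reports that com.example.callerid holds SEND_SMS and prints the single revoke command for it; READ_CALL_LOG is listed but not granted, so it is not flagged. On a real device the same check can be done without a computer from the phone's permission settings, which is the route the paragraph above recommends for most users.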
In the absence of a data protection law, our privacy and data are being treated as a free-for-all. We must take charge of protecting our own privacy, especially so until we have a data protection law. Yet, a data protection law would not be a magic bullet that would fix all issues. We would have to remain vigilant to protect ourselves, but it would at least create a deterrence and would empower us to act against errants.