A 'hundred million' Truecaller users vulnerable to privacy bug, security bod says

Caller ID app "Truecaller" has been called out for using IMEI and nothing else to identify users in its systems. The flaw, described by Cheetah Mobile's security researchers here, has been fixed – but only if users realise they need to download a new version of the app's Android incarnation. Cheetah Mobile reckons the app has …

  1. Anonymous Coward

    Not newsworthy now

    So the bug has been patched.

    Even so Truecaller is indispensable.

    Slow news day?

  2. Anonymous Coward

    I am a Truecaller user

    and can categorically state True Caller CAN NOT 'search and identify any phone number', or, at least, not identify it. Unless someone has identified it for them first. I don't know what being able to 'search any phone number' actually means.

    What it does do most excellently (and this is why I use it) is block calls from callers that hide their phone number.

    1. DryBones

      Re: I am a Truecaller user

      Link from the Wikipedia entry, take it as you will

      http://www.pallab.net/2013/08/27/how-truecaller-finds-numbers/

      So... It's Facebook for phone numbers.

      1. mythicalduck

        Re: I am a Truecaller user

        I've just ordered a Wileyfox Swift, but this is going to be the first thing I remove.

        It's fine for me to decide to upload my own phone number, but uploading my friends' details is a different matter.

        1. Adam 52 Silver badge

          Re: I am a Truecaller user

          Just read their privacy policy. They do indeed upload the contact details from phonebooks and share with "partners" and users of their "enhanced search", all without the Data Subject's consent.

          I wonder how effective the Swedish data protection regulator is?

        2. Dan 55 Silver badge

          Re: I am a Truecaller user

          You can disable it in Dialler > Settings but you can completely uninstall it from Settings > Apps.

  3. quattroprorocked

    So, does this expose IMEI for the users' friends?

    Meaning that unless EVERYONE who I've ever called, or been phoned by, has patched their Truecaller, I'm at risk?

  4. Chronos

    Quelle surprise

    I had an uneasy feeling about Truecaller when CyanogenOS first mentioned they were including it. I still wonder about the legality of sending details of all entries in a user's contacts database upstream without those contacts' permission. Regardless of how much data is slurped, surely this is the underlying disease and the IMEI thing is merely a symptom?

  5. J. R. Hartley

    STAY OUT OF MY PHONE BOOK, APPS!

    Sometimes I notice apps like Twitter, Telegram etc etc will send me a notification telling me 'one of my contacts' has joined. And it freaks me the fuck out.

    I have numbers saved including 'Who', 'Avoid', 'Who the fuck', 'Randomer', and 'Whos this'. I don't want those people in my fucking life.

  6. inmypjs Silver badge

    "to get Truecaller users’ personal information"

    I thought anyone using Truecaller already gave away that information and as much information as they hold on everyone else in their contacts database.

    Those 100 million morons had it coming.....

  7. quattroprorocked

    Just emailed datainspektionen@datainspektionen.se

    Hi,

    It has come to my attention that when someone puts Truecaller on their mobile phone, they are supplying Truecaller with ALL the phone number and name data in their phone's database.

    Truecaller then uses that information to tell other users who it thinks any particular phone number belongs to.

    My point being that this is a breach of personal privacy, and Truecaller seems to be Swedish.

    "Copyright © 2009-2016 True Software Scandinavia AB. All rights reserved. Truecaller™ is a registred trademark.

    Responsible publisher: Alan Mamedi appointed by True Software Scandinavia AB. Database name: Truecaller.com "

    Example - John uses Truecaller.

    John has a friend called Mike, who does NOT use Truecaller.

    John's Truecaller uploads Mike's number to the Truecaller system.

    Then, when Mike calls another Truecaller user, Truecaller tells that user "Mike" is calling.

    At no point has Mike granted permission for his number to be used by Truecaller.

    1) Is this legal under Swedish law?

    Data Subjects - Mike - are NOT being provided with any information.

    12. What information should be provided to data subjects at the point of collection of the personal data?

    The general rule is that a data controller must voluntarily provide information to a data subject at the point of collecting personal data. This information includes:

    The name, address, telephone number, company registration number and e-mail address (to the extent applicable) of the data controller.

    Information concerning the purpose of the processing.

    Any other information necessary for the data subject to be able to exercise his rights in connection with the processing.

    This means that the information provided by the data controller must include information about the recipients of the information, and that the data subject is entitled to request information from the data controller concerning the processing and that the data controller is obliged to rectify any information about the data subject that has been erroneously processed.

    There are exceptions to a data subject's right to receive information. Information does not need to be provided in relation to matters of which the data subject is already aware. Where the personal data is collected from a third party and not from the data subject himself, it is not necessary to provide information to the data subject if:

    It is impossible.

    It would involve a disproportionate effort.

    SO... I think TC are in breach, because they do not notify the people whose numbers they collect and tag with names. John is aware, but Mike is not, and Mike has not given permission.

    Perhaps they suggest that to do so is impossible or would require disproportionate effort. So what, they don't have permission, and if they are not willing to seek it (e.g. by sending an SMS saying "your number has been put forward for adding to the Truecaller DB under the name "Girlfriend 3". If you agree, text back YES. If you do not want your number recorded, do nothing. If you want the number listed but under a different name, use our website").

    What TC should do (if not willing to get proper consent) is ONLY retain the numbers of TC users. They should scrub the DB of all other names and numbers and stop collecting them in the future.

    Do I need to make a formal complaint or does this email suffice to raise the issue?

    Regards

    1. John Brown (no body) Silver badge

      Re: Just emailed datainspektionen@datainspektionen.se

      I suspect they have already looked into it and it's probably covered by the same rules governing other phone directories, ie you are in it unless you opt out to go "ex-directory" or "unlisted" or whatever it's called in various countries. Eventually tying the number to name and then onto a physical address is no more than any real world paper phone book does.

      It's a little creepy, and there may be privacy issues in that it's world searchable as opposed to having to phone directory enquiries or gain access to the relevant paper phone book, but it's been going on long enough without real issues that I doubt anyone would get far in contesting it.

  8. F0rdPrefect

    I've instructed them to remove my phone numbers from their database via http://www.truecaller.com/unlist

    I wonder if it will work?

    If I am/was in there it would certainly explain the increase in scum callers asking for me by name.

    1. Anonymous Coward

      Unlisting

      The URL is www.truecaller.com/unlisting

      You must deactivate your account first before unlisting. HTH.
