Near the end of the last century, over two and a half decades ago, privacy implications of Caller ID devices were in the midst of a heated debate.
The arguments in favor of the device included mainly reducing obscene calls and Bart Simpson style crank calls.
Arguments against the device claimed that people would be discouraged from placing calls that are usually made anonymously, such as reporting crimes to the police, calling crisis center hotlines, etc.
Looking back today, we know that everybody uses Caller ID with our advanced smartphones and people don't think twice about contacting anybody because of that.
Modern smartphones display the number of almost all incoming calls, yet without putting a name to that number it's meaningless to us and we usually don't make an effort to look it up.
We either take the call, or we don't.
The playing field is leveled: everybody knows which number the call is from unless it's a blocked number, in which case some choose to simply ignore the call.
Apps like Truecaller, Hiya, and CallApp are a solution to a problem similar to the one we had in the last century; only it's not obscene calls and crank calls we're trying to avoid but unsolicited telemarketing, phone spam, robocalls, and various scams like the infamous tech-support scam.
Some of these apps even allow you to see how other people named you in their contacts.
So what's the problem?
To understand that, let's take a look at how apps like Truecaller work.
Throughout this article, I demonstrate my points mainly using Truecaller as an example, but to my knowledge other caller ID apps aren't any more privacy-oriented than this one.
Caller ID apps appeal to users because they use crowd wisdom to warn their users about incoming spam calls.
When enough users report a number, the app warns other users that an incoming call from that number is spam.
But that's not all:
Your phone contains a lot of information about you and the people in your address book.
If you're a very organized person, you would have not only the name and phone number of your contacts, but their email, photo, address, additional phone numbers, and any contact information you'd like to keep for your contact.
When you install an app like Truecaller, you grant it permissions to access and read this information.
The caller ID app of your choice will use its permissions to get all the information it can from your address book and add it to their database, cross-referencing similar information taken from other users and other third-party sources.
So, if you have my number in your address book and you install an app like Truecaller, you share all my associated contact information from your device with that app without my knowledge.
The problem that arises is this:
You're not the person in control of your own privacy when your friends (or any of your contacts) use apps like Truecaller.
You obviously can't control the apps your friends install so you lose control of the personal information you entrusted to your contacts.
As a matter of fact, the only way to regain control is to avoid giving out your contact information to anybody and change your phone number, and that's not realistic.
Facebook is far from being the bastion of online privacy, but it still allows you to receive a notification when a friend tags you in a photo and the option to remove it.
Why don't we receive a notification when our number is added to a database similar to Truecaller?
Because the Terms of Service state that:
This is absurd!
I can only hope that at some point there will be legislation pertaining to this matter, or at least a few juicy scandals that will encourage people to pay attention to the unprecedented invasion of privacy which occurs in the name of marginal convenience.
You're even more exposed when you actually install the app on your device.
As an example, let's take a look at Truecaller itself, which is by far the most popular Caller ID app with its 4.5 million downloads to date.
You tell them everything about yourself, from your identity and location, to details about your device, IP address, and even whether you're on a call at any given moment!
When you install it on your device, you grant it all the permissions it demands, including access to the information about your contacts.
Here's the complete current list of permissions Truecaller for Android requires if you wish to install it.
Version 7.86 can access:
Wi-Fi connection information
Device ID & call information
That's a lot of permissions to avoid the task of hanging up on telemarketing calls.
The benefits of this type of app are marginal relative to the depth of access you provide it.
I would trust a company whose business is security more than a company whose business is my data.
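One way to check what an app asks for before installing it, shown as an added example that is not from the original article or from any of the apps discussed: the script reads an Android manifest that has already been decoded to text XML and flags the kinds of access listed above. The manifest, the package name `com.example.callerid` and the function `audit_manifest` are constructed for illustration; the permission names are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the kinds of access the article lists.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts (other people's details)",
    "android.permission.GET_ACCOUNTS": "accounts on the device",
    "android.permission.READ_PHONE_STATE": "device ID & call information",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection information",
}

# Constructed manifest for a hypothetical app; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callerid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def audit_manifest(manifest_xml):
    """Return the sensitive permissions an app requests and whether it can
    both read the address book and reach the network."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    flagged = {p: SENSITIVE[p] for p in sorted(requested) if p in SENSITIVE}
    return {
        "package": root.get("package"),
        "flagged": flagged,
        # Address-book access plus network access means contact data that
        # other people entrusted to this device can be uploaded.
        "contacts_can_leave_device": {"android.permission.READ_CONTACTS",
                                      "android.permission.INTERNET"} <= requested,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for permission, meaning in report["flagged"].items():
        print(f"  {permission}: {meaning}")
    print("contacts can leave device:", report["contacts_can_leave_device"])
```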
You might say you trust Truecaller not to do anything immoral.
You might say that Truecaller is a big company with a reputation to maintain.
But while Truecaller is the leading app, it's far from being the only one.
In fact, there are 244 apps like this in the Google Play Store, but most of them are not popular enough to be mentioned.
I'm certain that with a market that's so saturated with similar services, there are companies that take advantage of the user's innocence and engage in undesirable activities like selling data.
There's big money in data.
And because there's big money in data, there's always a security risk whenever customer data is involved.
You might remember the news of the biggest data breaches such as the 2013 Yahoo breach resulting in one billion stolen records which only came to light in 2016.
While this one made the news, many other breaches don't.
Truecaller learned the importance of closing vulnerable access points when its database was hacked by exploiting security vulnerabilities in its WordPress-hosted blog.
The company claimed that only encrypted records were obtained by the hackers and the keys remained secure, and the entry about this matter was since removed from their blog.
Another security concern came to light when the CheetahMobile researchers exposed a vulnerability in the Truecaller app in 2016.
This vulnerability could've been exploited in order to modify the settings of a user's device by knowing only the IMEI (unique identifier of a physical mobile device) of a device.
Mistakes happen, but this is also the result of requiring such deep permissions upon installation of the app.
Any settings the app could modify for one feature or another, a hacker could modify as well.
If you scroll back up to the list of permissions, you'll find that the app can control the accounts on your device, place calls, send text messages, and much more.
Imagine what could have happened if this vulnerability had been discovered by the wrong person.
Oct 2017 UPDATE: It seems that this article gained some traction and TrueCaller decided to change the opt-out page's URL. I updated the URL below to the correct one. - Dennis
Luckily, there's a simple solution, but you wouldn't know about it if you didn't search for it.
Truecaller allows you to remove your information from their database by simply typing in your phone number.
The fact that Truecaller uses the non-word "unlist" rather than "opt-out" or "remove" only demonstrates how much this company wants you to find their opt-out page.
To clarify - it doesn't.
Furthermore, it doesn't have an easily accessible link to this page from their site. You have to search for answers in their support section, and if you're perceptive enough you might find the answer that contains this link.
Similar apps make matters even worse. For example, Hiya forces you to sign up before you can submit a removal request.
This places another hurdle for users looking to control their private information.
In my mind, companies that make it difficult to opt out of any service are not companies worthy of our business, even if we're not paying them anything.
It doesn't matter which means they use to make it difficult, it's the intention that counts, and the only intention I see here is an attempt at being perceived as a transparent company while actually making it more difficult for users to "unlist".
In this article we learned that:
Unlike the Caller ID device which was debated in the early 90s, Truecaller and its alternatives collect personal contact details of people who didn't agree to share them.
It's as simple as that.
With big data comes great responsibility!
As I demonstrated above, the companies behind these apps don't take any responsibility nor do they demonstrate actual transparency in their practices.
Apps like Truecaller and other intrusive apps start off by demanding a lot of permissions and work on security later.
The security concerns along with the transparency and privacy concerns lead me to one recommendation:
Avoid intrusive apps and be careful about the permissions you grant.
Remember, your device contains information about your friends and family.
Sharing private information which other people entrusted you with is not something a friend should ever do.