Three billion phone numbers and identities have been collected by the likes of Truecaller, Sync.ME and CM Security, according to a report by FactWire that was published in the Hong Kong Free Press earlier this week.
FactWire discovered that the names and numbers of senior politicians, celebrities and members of the public are being stored in databases that are publicly available. Hong Kong’s Chief Executive Leung Chun-ying and Chief Secretary for Administration Lam Cheng Yuet-ngor are among the records found. In the UK, the numbers of former Prime Minister David Cameron and Labour party leader Jeremy Corbyn are made available by the services.
The apps provide caller ID functionality for smartphones. In recent years they’ve experienced a surge in popularity as users seek to avoid scam calls and phishing attacks. The services match incoming call numbers against their databases to display the identity of the caller, allowing unwanted communication to be rejected without picking up the phone.
Truecaller, Sync.ME and CM Security also provide a “reverse look-up” system that can reveal the identity of an unknown number. This could be used to trace individuals by cross-referencing data across multiple services. CM Security has reportedly suspended its reverse look-up system in the wake of FactWire’s report but the sites operated by the other apps remain online.
To operate reliably, the services need access to a vast pool of phone numbers to compare callers against. All three providers ask users to upload their phone’s contact lists after installation. All the numbers found in the list are added to the database, along with their assigned names. This means people who have never used the services may still be searchable online.
The apps do state that the user must have permission from all their contacts before uploading their address book. In practice, this doesn’t afford any protection to people who don’t want to be included. The warning is often buried inside the terms and conditions clauses of the apps. It’s likely to be overlooked or ignored by many users.
The services say that anyone can opt-out if they do not want their number to be stored. However, the companies behind the apps have attracted criticism for storing data without consent in the first place. Security researcher Rik Ferguson of Trend Micro told the BBC the practice is “highly deceptive” and potentially in contravention of data protection laws.
“Data can only be collected for specific, explicitly stated and legitimate purposes, may not be kept for a longer period than is necessary and crucially only with the explicit and informed consent of the data subject,” said Ferguson.
The companies have denied the claims, stating their products adhere to data protection laws in the markets they operate in. Truecaller told the International Business Times that it stores all data securely and does not allow users to obtain phone numbers unless the owner gives permission. Cheetah Mobile, the creator of CM Security, acknowledged its database has been “misused.”
“The Caller ID database was contributed to by our global partners, from users’ feedback and directories uploaded with users’ approval,” said Cheetah Mobile. “The feature was designed for users to proactively report phone fraud and phone scams, and at the same time avoid unwanted calls. While our intention is to maximise call identification function, it’s unfortunate that this was misused.”
Since FactWire published its report, information protection bodies in multiple regions have announced they’re looking into possible malpractice by the apps. Hong Kong’s Privacy Commissioner for Personal Data (PCPD) said it could begin a formal investigation if evidence suggests the services violate personal data privacy rules.
The UK’s Information Commissioner has also confirmed it’s looking into the apps, making specific mention to Sweden-based Truecaller. “UK data protection law says businesses are required to process data fairly and lawfully,” the Commissioner said to the BBC. “We’re asking questions on behalf of UK citizens and are following up with the Swedish authorities.”
