"Betrayed by an app she had never heard of" - How TrueCaller is endangering journalists


Photo by Roger H. Goun

Chloe is an investigative journalist working for an international broadcast service; we will call the TV show she works for The Inquirer. She travels around the world to work with local journalists on uncovering stories that make the headlines: from human trafficking to drug cartels and government corruption. While her documentaries are watched by many and inspire change in the countries she works in, you would not know who Chloe is if we were to tell you her real name. That is because Chloe works hard to protect her anonymity.

Chloe does not appear on screen and has a very restricted use of social media. No one would know from searching her name that she works for The Inquirer. She values this anonymity, which allows her to approach sources without raising suspicions or concerns. When necessary, it also allows her to engage in undercover reporting.

In February 2019, Chloe travels to a country in West Africa. She expects to be there for a while and knows she will have to return many times over the course of the year. She needs to gain the trust of several sources who are in extremely vulnerable positions.

Upon arriving in the country, Chloe buys a local SIM card. She will be using this to communicate with her sources. She has carefully considered her threat model and she knows that, in this particular case, the people she is investigating are not state actors and have no tech resources. She is therefore reassured she does not need to worry about state surveillance of her communications.

Chloe starts working. She makes phone calls to her sources telling them clearly who she is, who she works for and what she is trying to achieve. One day, Chloe needs to meet with a source. She uses her local phone to order a cab from a cab company. Her number is shared with the driver, who calls her to confirm he has arrived. When she enters the cab, the driver greets her: “So… you work for The Inquirer?”

The driver points at his phone. Her number is registered on the driver’s phone as “Chloe The Inquirer Journalist.” Chloe takes a picture of the phone, leaves the car and calls the information security team at The Inquirer to try and find out what has happened and how she has been exposed.

The infosec team immediately identifies the culprit.

Chloe’s story is not one of mass state surveillance or a targeted attack. Chloe’s story reveals the much more pernicious way the apps we cherish can endanger not only us but those around us who may be in vulnerable situations. In fact, Chloe was betrayed by an app she had never even heard of: TrueCaller.  

TrueCaller is an app particularly popular in India (the app’s biggest market and the company’s headquarters) and Sub-Saharan Africa. TrueCaller identifies the numbers calling you, so you can filter out undesirable phone calls and make sure you pick up a call you have been expecting, even if you have not previously registered the number. Every time a user makes or receives a phone call from a number not already in the TrueCaller database, TrueCaller offers the user the option to “tag” the number so it can be entered in the TrueCaller database, under the name entered by the user.

What happened to Chloe is that one of her sources was using TrueCaller. She called her source and after they hung up, TrueCaller offered the source the option to tag Chloe’s number, since the number was not in their database. The source did not see the potential for harm and tagged Chloe’s number as “Chloe The Inquirer Journalist.” Now every time Chloe makes a phone call using that phone number, her name appears to TrueCaller users, like the cab driver, as “Chloe The Inquirer Journalist.”

Thankfully for Chloe, she was not in a country actively hostile to journalists. She knows though that in a different country the consequences could have been much more serious if her affiliation had been known. She could have easily been flagged to the authorities. And it is not just her who would have been at risk, but her sources as well.

Chloe also says that even in countries thought to be safe for journalists there is a risk of retaliation from people upset about the work The Inquirer is doing when a journalist like her is exposed.

While TrueCaller may have laudable intentions, the privacy implications for people who end up in their database raise concerns. When a number is tagged, the person who is tagged ends up having their name and phone number stored on the TrueCaller database, despite not having consented – or even being aware – that their data was collected. 

A look at TrueCaller’s website shows two privacy policies – one for their users based in the European Union (overseen by TrueCaller’s Swedish office), who are therefore protected by the EU General Data Protection Regulation, and one for those who are not and may live in countries with weaker or no data protection regulations. India, where TrueCaller is headquartered, is developing but still does not have a comprehensive data protection framework. But beyond the different standards applied to people within and outside of the European Union – a phenomenon that Privacy International has called out in other companies – the larger issue remains that people who are tagged are not protected, since these privacy policies only explicitly protect TrueCaller users; little to no information is provided as to how they apply to non-users tagged by the app’s users.

Back in 2017, the Article 29 Working Party, an independent European advisory body on data protection and privacy (now replaced by the European Data Protection Board under the EU General Data Protection Regulation), had already questioned TrueCaller’s compliance with data protection laws precisely because they process non-users’ data without their consent.

We contacted TrueCaller to ask them about the current safeguards in place for people who are not TrueCaller users. In their reply they brought to our attention the option offered to non-users to “unlist” themselves. By unlisting oneself, a non-user prevents TrueCaller from adding their number into the database. While this would not have helped Chloe, or anyone whose number has already been entered without their knowledge, this is a valuable option that we wish would be more clearly advertised (read our tutorial on how to do this here).

We replied to TrueCaller to suggest that:

  • They advertise the unlisting option more clearly
  • They send an SMS to any non-user whose number is entered to warn them someone is attempting to enter their number and ask them for consent. This would also be an opportunity to inform them about the unlisting option.

TrueCaller acknowledged our response but did not show an interest in following those steps, which we believe would contribute greatly to protecting privacy and making TrueCaller a safer app for all. You can read our exchange with TrueCaller below.

Chloe’s story shows the concrete risks that TrueCaller presents for people in vulnerable situations. We appreciate that an app like TrueCaller can have positives. However, it can also put people at risk, as this case study illustrates. We will carry on monitoring cases of harm caused by TrueCaller and other similar applications and campaign for better privacy protection.

If you have been affected by TrueCaller or a similar application, tell us your story by writing to eva@privacyinternational.org
