Yesterday, the database of Sweden-based global phone directory service TrueCaller was hacked by the Syrian Electronic Army, compromising millions of phone book records stored in it.
I can understand the need for something like TrueCaller: it makes it easy for me to identify who is calling, and this is useful if you get a lot of cold calls. I also recently lost a large number of contacts in a phone-change mishap, and it is embarrassing if someone I know well calls and I don’t know who it is: at an interpersonal level, not having an acquaintance’s number on your phone is as awkward as turning down a friend request on Facebook. It’s half an insult, and maybe this is a situation that Indians are very conscious of, because Truecaller’s largest user base was Indian. As of June 2012, around 1.6 million of its roughly 3.2 million users were Indian, and now that it has around 20 million users, one can imagine that a substantial number of Indians use the service, and that tens of millions of people are part of its database. What is also quite worrying is that Truecaller had access codes for the Facebook, Twitter, Gmail and LinkedIn accounts of its users, data that was pulled via the mobile app.
The Truecaller hack raises some questions about the apps ecosystem and user behavior:
What Apps Access: While it appears that only access codes for social networks were stored within Truecaller, it does make me conscious of the kind of information we are often forced to give apps access to when we download them. Typically, at least on the Android ecosystem, an app requests permission to access all kinds of information about users: the state of the phone, contacts, call logs, location, phone ID, among other things. As an example, I see no reason why the Gmail application should have access to my call records, but it does, and you can be sure that Google collects that data.
This is what I like about the MIUI ROM: it’s an Android build that gives me the freedom to deny apps, including Path, Hangouts, Evernote and others, access to this information.
This exists because Android hasn’t adequately addressed these privacy issues, and neither the stock Android deployment nor those from its OEM partners like Samsung give users enough power. I think it’s time it did, before regulation takes over. I quite like the MIUI approach, but even this can be simplified:
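To make the permission problem concrete, here is an added example (not code from the original post, Truecaller, or MIUI) that audits the permissions an Android app declares in its AndroidManifest.xml against the kinds of data the post lists (phone state and device ID, contacts, call log, location). The permission names are real Android permission identifiers; the manifest below is a constructed sample for a hypothetical dialer app, and the `SENSITIVE` mapping and `permissions_to_deny` policy check are assumptions of this example, not anything Android itself provides. Stock Android of that era granted every declared permission at install time, all or nothing, which is exactly what the MIUI-style per-app denial modelled here works around.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that expose the data discussed above. Constructed for this
# example; real Android has many more, this is not an exhaustive list.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone state / device ID (IMEI)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.GET_ACCOUNTS": "accounts configured on the device",
    "android.permission.READ_SMS": "SMS messages",
}

# Constructed sample manifest for a hypothetical caller-ID app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dialer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Example Dialer"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission the manifest declares, in declaration order."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> itself is unnamespaced; only its android:name attribute is.
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit(manifest_xml):
    """Map each declared sensitive permission to the data it exposes."""
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml) if p in SENSITIVE}


def permissions_to_deny(manifest_xml, allowed):
    """MIUI-style per-app policy: given the sensitive permissions a user is
    willing to grant this app, list the declared sensitive ones to refuse.
    (Hypothetical policy helper; stock Android of the time had no such switch.)"""
    allowed = set(allowed)
    return [p for p in audit(manifest_xml) if p not in allowed]


if __name__ == "__main__":
    for perm, what in audit(SAMPLE_MANIFEST).items():
        print("%-45s -> %s" % (perm, what))
    # A caller-ID app plausibly needs contacts and phone state; deny the rest.
    print("deny:", permissions_to_deny(SAMPLE_MANIFEST, {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_PHONE_STATE",
    }))
```

Run against a real app, the manifest comes out of the APK with a decoder such as apktool; the point of the script is that a four-line audit over the declared permissions tells you what an app can read before you install it, which is the decision stock Android of the time did not let the user make per permission.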
– The rights that I give another user: If I’m not a Truecaller user, how does the service still have my number? It’s there because users who signed up gave TrueCaller access to their phone books during sign-up, and I could have been in one of them. We’re no longer in the era when the only phone in the house was listed in a public phone directory: a phone is a personal device, and if I give my number to someone, I may be giving them the right to share it with other people they know, but I’m certainly not giving them the right to make that information public.
To its credit, TrueCaller allows users to de-list their number from its directory, but this is still a grey area, albeit not in India, because India doesn’t have a privacy law.
– The rights that I give a private company: While we are all worried about the access to information that the government has through its Central Monitoring System (CMS), and the US government through PRISM, I think it’s important for us to note the kind of information that we give private companies access to. While we’re quite conscious of the information that Google is collecting (if you’re not, try Google Now for a first-hand experience of a tool that can be incredibly useful and creepy at the same time), also look at what Facebook does when you install its mobile app: it asks for access to your contact book, in order to help you find your friends. Not just that, it repeatedly asks for access to the contact book. Beyond the phone book, Google has algorithms that read your mail to serve you contextual advertising, and Facebook serves you updates from friends that it thinks are more relevant to you, on the basis of your behavior on its platform. At one level, it is making things easy for you, but for their algorithms to serve you better contextual information (and connect millions of data points to try and read your mind), they have to collect those millions of data points.
We often trust private companies more than we trust the government because the worst a private company can do is try to make more money off you, not brand you a terrorist because of a few politically incorrect email exchanges, or defame you because you downloaded music, accessed porn, or searched for the name of a terrorist because you wanted to know who that person is.
We still need to be aware that all the information private companies collect about us is ultimately accessible to the government.
In the people-versus-state environment we live in, where laws won’t protect us because lawmakers will not, the least we should expect is that private companies scale back their data collection, or give us simple enough tools to stop them from collecting this information.
Unfortunately, it’s not in their interest to do that.