
Betrayed by an app she had never heard of - Brajeshwar
https://www.privacyinternational.org/case-study/2997/betrayed-app-she-had-never-heard-how-truecaller-endangering-journalists
======
Alterlife
This article focuses on the problems that truecaller poses for 'non-users'. As
a non-user of truecaller in India myself, I find myself in the minority. It
seems I get none of the benefits (improved spam filtering, the chance to see
who is calling me), and in the 'prisoner's dilemma' sense, it appears I would
lose nothing by installing it, because they already have _my_ contact
information.

However, this is only half the picture.

If you install truecaller on Android, you're handing over ALL your personal
information to them. The list of permissions they ask for is ridiculous. They
ask for access to your sms messages, call log, contacts, file system,
location, microphone, camera, everything. They also show you advertisements
wherever possible.

~~~
abtom
If you're a non-user and do not wish your information to appear on the app,
you can unlist your number here -
[https://www.truecaller.com/unlisting](https://www.truecaller.com/unlisting)

Though I do not agree with the method where as a non-user I need to manually
opt-out of the service, it does seem to work. My number is no longer visible
on the app.

~~~
enitihas
I tried using the unlisting UI, but it says I need to install the app and
deactivate my account before unlisting. When I install the app, it refuses to
run unless I grant it all sorts of permissions. So it seems before unlisting,
I need to give truecaller my data. This is absolutely ridiculous.

~~~
antisemiotic
Outside of some legal recourse if that's possible where you live, have you
tried installing it on an emulator and just giving it some garbage data?

~~~
Abishek_Muthian
I had given a garbage name for my number as I knew for sure others who have my
number in India have uploaded it to Truecaller (as in OP article). It displays
the Garbage name for everyone for my number.

------
DarkWiiPlayer
> We reply to TrueCaller to suggest that:

> - They advertise the unlisting option more clearly

> - They send a SMS to any non-user whose number is entered to warn them
> someone is attempting to enter their number and ask them for consent. This
> would also be an opportunity to inform them about the unlisting option.

I doubt anything less than that is even really legal in the EU right now.
Essentially, if my phone number is entered into that app, my _personal data_
is being digitally processed and made widely available without my knowledge or
consent. Pretty sure that's very much illegal.

~~~
Mirioron
I'm often critical of GDPR, but stuff like this is why I think it's probably
necessary to have.

~~~
DarkWiiPlayer
GDPR is 100% necessary and fundamentally a good idea. It has a lot of problems
that just show how incompetent politicians can get on a bad day, but that
doesn't invalidate the core idea.

~~~
CaptainZapp
_It has a lot of problems that just show how incompetent politicians can get
on a bad day_

Mind elaborating on them?

The only potential issue, which I see, is some ambiguity. However, I don't
see how you could craft a legal framework without some ambiguity, which needs
to be resolved by the courts at one point.

Unless your business model is dreck, I really don't see any issues with the
GDPR as such.

~~~
zeveb
> Mind elaborating on them?

My own biggest problem with the GDPR — other than the regulatory burden, which
disproportionately imposes costs on small challengers and effectively protects
large pre-existing firms — is the so-called 'right to be forgotten,' which is
really a privilege to force others to rewrite history. Among other things, it
effectively mandates mutable logs, which is horribly insecure (logs should be
in principle even if not in fact immutable), and at a higher level it grants
malefactors the ability to legally compel others to refrain from true speech
about them.

Other than that, most of the GDPR is pretty good.

~~~
IX-103
I can agree with the motivation, but the law is not particularly well written.

If the EU passes a law and it takes armies of lawyers over two years of
negotiating with the EU to find a compromise of what is and isn't included in
the law (with the EU changing its stance regularly), then it probably isn't a
good law.

It took a year and a half of wrangling for the EU to decide that internet
advertising was not a "legitimate business interest" or "necessary to perform
tasks at the request of the data subject" (despite the advertising being a
primary source of funding to pay for the requested task). Then the entire
internet advertising industry had just 6 months to design/implement/deploy a
system that can meet the requirements and migrate all their users to the new
platform (keeping in mind that their users have a financial incentive not to
switch, since the old system is more profitable).

There's also the weird catch-22 of how it only applies to users with EU
citizenship, but you can't collect, use, or store the information on whether
or not they are an EU citizen without their permission.

------
RikNieu
I find TrueCaller very useful. I used to get sooo many sales and robo-calls a
day that I seriously considered just getting rid of my phone. Now they get
automatically blocked or I can just put them on a profile that they ring
silently and hang up immediately.

I get that this can be dangerous for journalists, but shouldn't they maybe
investigate alternative ways of contacting sources privately? Mobile numbers
are not in any way secure or anonymous in most parts of the world anyways.
Hell, here where I live you have to register with your government ID in order
to get your sim card activated.

~~~
mola
If Robocalls are the problem, Truecaller isn't the solution. Regulations
against unwanted harassment are. Robocalls are not a force of nature where our
only recourse is a technological solution. They are a result of a human
choice, where the absolute majority of individuals think it's a menace. So our
recourse is legal. Band-aid solutions like Truecaller cause more problems. The
Truecaller product is not a usual commodity where you choose it, and pay a
_known_ price. The actual price you pay is totally unknown. Because they
require total access to your device without genuine disclosure of their
intended use for it.

~~~
Piskvorrr
In essence, this is the spam debate all over again, with some extra seasoning.
(The permissions are incidental - other apps exist that are polite in this
respect.) So, out comes the canned spam response:

Your post advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work.
(One or more of the following may apply to your particular idea.)

(X) No one will be able to find the guy or collect the money
(X) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once

Specifically, your plan fails to account for

(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
(X) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
(X) Extreme profitability of spam
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.

~~~
tomp
> Lack of centrally controlling authority for email

_That's_ the key difference with phones - phone numbers and calls _are_
(quasi-)centrally controlled - by your network provider. A simple legislative
solution is just "user gets $10 discount on their phone bill for each spam
call" and watch the problem solve itself...

~~~
Piskvorrr
(X) No one will be able to find the guy or collect the money

Where does the $10 come from? (Who pays it? Who collects it?) Also, you just
invoked a Cobra Effect.
[https://en.wikipedia.org/wiki/Cobra_effect](https://en.wikipedia.org/wiki/Cobra_effect)

~~~
tomp
Users collect $10 from their network operator by filling a claim in an online
form. Burden of proof on the network operator to prove it wasn't a spam call
(e.g. originated from a known number, lasted more than some number of minutes,
metadata indicates that it was a two-way conversation, etc.). Huge fines if
users complain to the regulator that any of the above isn't true.

~~~
wtmt
This would be difficult to write as a law and very difficult to enforce,
though I like the idea of the burden of proof being on the operator.

In India we have a national DND (Do Not Disturb) registry that anyone can
sign up for and choose whether to receive marketing communications or not, and
what categories therein. The regulator has made the operators enforce the
reporting mechanism along with penalties (monetary and otherwise) on the
marketers for violations. But still, there are cases where a marketer may
claim that the person receiving the call/SMS opted for it and signed up or had
some transactional relationship with the company.

------
duxup
This is one of my concerns ever since the first app asked for my contacts.

You could be a mountain man and value your privacy.... but if you just know
someone who uses tech you are exposed in any number of ways.

In the US things like third-party doctrine have not aged well in the
information age as just communicating with people can expose you in ways you
can't ever control.

~~~
zucker42
This is why I don't use WhatsApp despite the fact I know many people who use
it. To use the app, you have to give access to your entire contacts list. Even
if I'm okay with them having my information, I don't feel comfortable
consenting for those in my contacts list who don't use WhatsApp.

~~~
mwambua
You don't have to give the app access to your contacts... at least on iOS.

That's what I do. It would be impossible to communicate with friends and
family otherwise. I just have to put a little more effort into figuring out
who's texting or calling me. The app also still shows me people's (self
assigned) nicknames in group-chats.

My only gripe is that I still have to give the app access to my photos. I wish
there was a way I could give it sandboxed access to _only_ the photos that
it adds to the collection.

~~~
baroffoos
Would be nice if mobile OSs had a permission that let apps save photos but to
read photos it has to make an api request which opens the system photo picker
and when you select a photo the app gets given access to only the photo you
selected.

~~~
sk0g
I think Android does/can do just that? There's a native photo picking intent,
and the app just gets back a photo. Whether it was from the camera, the
gallery, etc, who cares?

In practice, most apps would rather have their own in-app photo grid. Nothing
to do with wanting to violate your privacy, I'm sure :)

~~~
londons_explore
The photo picking intent leads to a confusing UI - it's common for phones to
have many photo picking intents, so a typical flow would be:

* User clicks "attach photo"

* Phone asks, do you want to use "Photos", "Gallery", "Google Photos", "Camera".

* User wants to share a screenshot - so they don't know which to pick. They choose "Gallery".

* The built in gallery app doesn't show images apart from those taken with the camera. User goes back.

* User picks "Google Photos"

* Google photos only shows screenshots under a confusingly named "device folders" link in a hidden-by-default side menu. User doesn't find that.

* User tries "Photos".

* That turns out to be an alias of Google Photos put there by the phone manufacturer.

* User tries "Camera". That lets them take a picture, or to scroll through another list of past camera photos.

* User gives up.

And we wonder why apps don't use that feature of the platform...

------
ComodoHacker
TrueCaller is Facebook's face recognition for phone numbers. They are building
shadow profiles using some user-valuable bait feature. For TrueCaller, most of
its value is in fighting spam. So, unlike Facebook, it's not only users who
compromise privacy of others, it's spammers who steal our privacy. We should
examine spam fighting solutions for email, IM and others, they might be
involved in the same business model.

If we solve the spam problem, we can regain some privacy back.

~~~
pxtail
> TrueCaller is Facebook's face recognition for phone numbers

This is a very good analogy - in fact I think that it's even more dangerous
because when it comes to Facebook people are slightly more aware about
privacy-related issues. I'm pretty sure that TrueCaller extensively profiles
users, links all possible connections, gathers data - Facebook might not know
that one visited a certain doctor or that one has some medical conditions,
TrueCaller? Who knows. It is possible to gather a lot of data and build
a detailed profile just by linking who calls who.

Additionally according to HN comments [0] one doesn't just simply "opt out",
truly terrifying

[0]
[https://news.ycombinator.com/item?id=20058218](https://news.ycombinator.com/item?id=20058218)

------
1f60c
Seems like the website is having some problems, here’s a mirror:
[https://web.archive.org/web/20190531023057/https://www.priva...](https://web.archive.org/web/20190531023057/https://www.privacyinternational.org/case-study/2997/betrayed-app-she-had-never-heard-how-truecaller-endangering-journalists)

------
iliketosleep
This reminds me once again that the weakest link in the privacy chain today is
the mobile phone number, especially since governments in many countries have
forced people to link their number to a real ID. It's essentially become an ID
number by proxy. However, in the case of the article, the reporter should know
to inform her sources not to enter _any_ information linking to her real-world
identity into their electronic devices.

~~~
mherdeg
I got a free loaner phone once a few years back ("Samsung Ultimate Test
Drive") which came with pre-activated mobile phone service and was very
clearly re-using a phone number that someone else had quite recently actively
been using.

While it was weird to get SMSes about SoCal drug deals, the strangest thing of
all with that phone was opening the Lyft app and being automatically signed in
to someone else's Lyft account on the basis of my auto-confirmed phone number.
Their active credit card was linked to the account and I could take free
rides!

(I didn't... but it was very hard to sign into a different Lyft account when
the phone # was actively linked to another, live account.)

~~~
wycy
Is this because Samsung simply sent you a phone that hadn't been wiped and was
still signed into all these accounts, or was it really just auto-signed in due
to phone number? I did the Samsung Ultimate Test Drive as well and don't
recall being auto-signed into anything (though I also got many SMSes and calls
intended for the previous owner).

~~~
mherdeg
Well, when I got the device, the Lyft app was not installed. I visited the
Play store, installed the Lyft app and ran it, and then: the Lyft app
immediately signed me in, told me that my full name was Britney G-------,
showed me "my" full e-mail address, and offered to let me book rides on her
behalf, paying with her linked Visa card. It wasn't even clear how to switch
accounts; it was like they were using the phone # as a primary key.

I sent Samsung some feedback about this but don't think the issue was on their
side per se.

------
johnchristopher
> What happened to Chloe is that one of her sources was using TrueCaller.

Online communication is hard. The burden of security falls on every party.

The real hard problem for an investigative journalist here is "Considering the
ubiquitous nature of communication tech, how do I handle my sources so they
don't blunder before I even meet them?"

~~~
qrbLPHiKpiux
A smartphone, or any device really, only has information that you feed it.
Compartmentalize. Different devices for different things combined with
pseudo-anonymity. It is very hard to do this and a razor-thin no-mistake margin
is always there.

------
nutjob2
The problem here is that once you give out a number then it's public in some
sense. The person you give it to can pass it on, even inadvertently.

The smart thing to do is to have a public number and a private number. It
makes no sense to call cabs with the same number you use to contact sources or
whatever.

This is easily done with dual sim phones and can be taken much further with
Google Voice or other dial-in phone number vendors. It's not very complicated
and if your life depended on it you could easily assign a number per person.

~~~
yesforwhat
> The smart thing to do is to have a public number and a private number.

What's the easiest way to do this?

~~~
mdani
Use Twilio Proxy [https://www.twilio.com/proxy](https://www.twilio.com/proxy)

~~~
LeoPanthera
That's only "easy" for the HN crowd.

Most people use second-line apps like Hushed, or the traditional method of
getting a second line from your carrier.

~~~
kkarakk
The journalist in question here has access to an "opsec" team, seems like it
would be their job to handle things like this and they dropped the ball

------
walrus01
This is kind of the same problem as people who have no FB account, keep all of
their personal life off FB, then they go to a work or social group gathering
and some blithely ignorant/clueless person tags their photo.

One of the biggest sources of spam I have is non-technically-oriented persons
who I know either professionally or personally, that have my name and email
address in their address book, who click "yes" to everything on their ios and
android devices. Some of these particularly less sophisticated individuals
have probably had two dozen unique apps from random developers copy the entire
contents of their address book.

~~~
QualityReboot
Yeah, it's super annoying that fb knows everything about me even though I
don't use their service. There's nothing I can do about it.

------
mikedilger
It seems absurd to me to consider data about a person to belong to that
person. If I learn that Chloe is a reporter for The Inquirer, what law
restricts me from telling somebody else? And if there is one, what else can I
not say about her? Can I mention she is a brunette? Can I tell the story about
going out for coffee, or am I violating her privacy by leaking the fact that
she prefers coffee to tea? To get really ridiculous for a moment (brace
yourself) does she have a property right on the region of my brain which holds
any of this information about her? Clearly there is a fundamental incongruity
with other basic social notions.

As a society we have most definitely moved in the direction that data about a
person is somehow under their right to control: the right to privacy, the
right to be forgotten, etc. We've subsequently run into numerous difficulties
with this notion, such as the inability to warn our friends about bad actors,
leading to different rules for "public people" versus "private people,"
arbitrary dividing lines, different rules for minors, different rules for
individuals vs companies vs really really big companies, and a number of other
abstruse rules about when or where you might be violating somebody's privacy,
which seem to change significantly over the years and from jurisdiction to
jurisdiction with no hope of ever settling down (because IMHO there is no
rational obvious place for this to settle into).

Even if the laws were clear, universal and watertight, privacy is still
fundamentally _your_ problem. Laws will not control everybody else, and
depending on _everybody_ else to behave doesn't seem like a sane strategy for
anybody. So you'd best keep your secrets to yourself and those you trust.

~~~
tty2300
New technology has opened up new possibilities far beyond what your word of
mouth example has. Megacorps are sucking up data on a mass scale and using it
for evil such as manipulating elections, tricking you into buying stuff and
reporting your every action to the government.

For this reason we need to think beyond the old ways of dealing with data.

~~~
oytis
Yes, the reality has changed. We have to either adapt our notions of privacy
etc. to the new reality or pretend that nothing really changed. The latter
seems to work, but one day you go to Africa (or India, or China, or just have
to deal with someone who can ignore/circumvent the regulation), and -
surprise! - the reality is still there.

~~~
tty2300
Could say the same about anything. Should we ignore the reality that people
like to steal things and make it illegal even though some still will?

------
alanh
Wow, is it just me or is this a mountain-out-of-a-molehill situation? This is
not fundamentally any different than “report spam” for email, or a user
posting “is 800-xxx-xxxx a legit number?” online, or sending a contact card to
a few million of your closest friends.

I appreciate the situation that the journalist found herself in, but if she
wants her number to be a secret, she needs to make sure the people she calls
know that, too.

I will file the information in this article as “good to know,” not “omg
disaster”.

~~~
DarkWiiPlayer
> is it just me or is this a mountain-out-of-a-molehill situation?

It's just you.

The example of the journalist is a very good example of exactly why this is
such an extreme issue, but it really starts with the small things. What if you
want to call someone, and not tell them your name? well, f#$£ you then, the
app already told them. Don't want everyone knowing where you work? well f$%&
you again, maybe somebody added that with your name in the app (just as the
example of the journalist).

So now you call, say, your beloved grandma and your number shows up as "Henry
the drug dealer". Maybe you don't even deal drugs, but someone a) thought it'd
be funny or b) wants to hurt your reputation.

Or even worse, imagine you call a company regarding an application for a job.
It's already a big enough problem that someone else posting a picture of you
doing something stupid while drunk can ruin your chances of getting a job; now
we're talking about attaching random, possibly personal, possibly untrue
information to your phone number for everyone to see without even informing
you.

This isn't a molehill. It's borderline criminal.

~~~
xixixao
Let's go back to the world where there is no internet. Imagine someone spreads
a rumor about you. Or a praise. People might have heard this, before they even
met you. It can be illegal, harmful, or beneficial, but it's under the control
of the people you interact with.

If you meet someone for the first time, and the person heard from someone that
you're dealing drugs, and you tell her you don't, and ask them where they
heard that, they might trust you over the rumor, and you'll try to eradicate
the rumor.

There are differences, mainly in that the call receiver has greater power to
reject the call based on the information they have.

I think the real story is in the interaction and how the app behaves, for the
receiver. Were they aware that they were putting Chloe into the database? The
article doesn't say. Without this, it's hard to judge whether the same thing
couldn't have happened in a world without internet (imagine a small village).
It doesn't seem to be entirely black and white.

~~~
pjc50
You cannot run a global civilization on the norms of a small village.

~~~
lapnitnelav
It doesn't scale.

------
Abishek_Muthian
Don't forget the recent 'supposed' data dump from Truecaller![1]

Truecaller, even without breach is a privacy nightmare. Even if one doesn't
use Truecaller for privacy reasons, if any of their contacts use it; then
their phone number + other details are already in Truecaller's database.

Before android 6.0, contact permissions weren't existent in consumer android
devices and India basically being an android country led to Truecaller's data
trove.

If one wishes to use Truecaller without uploading their contacts then they can
use their web version, which is a progressive web app; it can be saved to
phone & used like a native app. Just don't select 'Enhanced Search', it will
upload the contacts from email which is used to sign in (better to use a
Truecaller only email id for it).

[1]: [https://economictimes.indiatimes.com/tech/internet/real-thre...](https://economictimes.indiatimes.com/tech/internet/real-threat-truecaller-data-available-for-sale/articleshow/69437379.cms)

------
parliament32
TrueCaller is a privacy nightmare. Note that to search for a number on their
site, you need to sign in with a Google/Microsoft account... and "Enhanced
Search" is enabled by default which auto-uploads all your contacts.

As a non-user you can unlist here:
[https://www.truecaller.com/unlisting](https://www.truecaller.com/unlisting)

------
fencepost
There's been at least one similar app around in the US for probably seven or
eight years. Mr. Number is its name, although I believe it originally had a
different one.

Edit: July 2010 release, 10M+ downloads, nearly 200k reviews. From long ago
memory seeing names that have been submitted may be a paid subscription
option.

------
tsjq
Once I unlist my number from truecaller website (never installed / used their
mobile app),

would it stop new people from adding my number to their database?

i.e., I unlist in May 2019. I give my number to a new contact of mine in Aug 2019,
and they use truecaller. Would that re-add my name to truecaller database, or
would my number stay unlisted forever no matter how many new contacts save my
number in their phones with truecaller?

~~~
sriram_malhar
No. It does not remember you delisted, so you will be added again :(

~~~
vorticalbox
That's a badly thought out feature, it should be blocked unless you own the
number and wish to add it yourself.

~~~
D-Coder
I'm sure they consider that a feature, not a bug.

------
tedunangst
What are the limits to what one is entitled to learn or ask about a caller? I
get a call from 555-1234. Is it ok for me to ask a friend, hey, recognize this
number? Is it ok for me to ask twitter, hey, I got a call from this number,
should I call them back?

~~~
jwilk
It's okay to ask.

If the answer contains personal information, it's not okay to expose it to
everybody in the world.

------
johnchristopher
This is great. I logged into the website to check if my number was collected.

It is.

So I click on "suggest a better name" in a naive attempt to erase myself from
the grid.

I can't because they "don't collect personal information about private
individuals in the EU".

~~~
skizo
You can unlist your number here -
[https://www.truecaller.com/unlisting](https://www.truecaller.com/unlisting)

~~~
bscphil
This didn't work for me the first three times I tried. It said I had to log
into the app and deactivate my account (which of course I can't do because I
don't have an account). It eventually claims to have worked on the fourth try,
but I have no way of checking because it doesn't let you look up numbers
without being logged in.

~~~
wtmt
You can log in to the website using a throwaway or junk Gmail account, give the
website access to your Gmail contacts (which is zero), and then look up any
number.

------
darknoon
I found my real name and (former) carrier on Truecaller. Shit.

Had to make a fake Microsoft account via Sneakemail to even search it, though.

I tried to unlist my number but it said "Deactivation required", i.e. bait for
me to create a real account?

------
tzs
> We reply to TrueCaller to suggest that:

...

> They send a SMS to any non-user whose number is entered to warn them someone
> is attempting to enter their number and ask them for consent. This would
> also be an opportunity to inform them about the unlisting option

For this to be effective in cases like the one in the story, the SMS would
have to be sent almost as soon as the attempt is made to add the number.

In many cases, that would allow the person whose number is being added to
infer who tried to add it. If the caller is involved in some criminal
activity, that could be dangerous for the person who tried to tag them in some
parts of the world.

~~~
amykhar
It also defeats the whole point of the app, which allows people to filter out
spammers. Of course spammers are going to not want their number listed.

------
masswerk
The story is really about a conflict of interests, the misuse of the phone
system and legitimate users finding themselves endangered. I.e., if spammers
and robo-calls are stressing the system and users to a point, where
subscribers can't help but to resign to defensive measures, other interests,
like the anonymity of sources, by this the accessibility of crucial
information to society, and, eventually, democracy are at risk – and highly
so.

Moral of the story: spam callers and countermeasures are a risk to democracy.
And we'll have to decide, eventually.

------
ddffre
They are one of the most dangerous companies today, the EU parliament should
take a look into them.

------
diebeforei485
I have mixed feelings about this. Spam calls are very much a real problem in the US
as well - I get around ten per day and it's a constant annoyance.

~~~
yardstick
You don’t need to know the “contact name” of a spam caller, algorithms when
reporting spam should work just on the number and so when it calls you, it
should just show a Probably Spam flag, nothing about the identity unless of
course the caller has given their consent to provide that info.

~~~
SmellyGeekBoy
This seems to be how it works in the most recent version of Android and it
serves me very well.

If it's suspected spam it will tell me (I can also report spam calls). If it's
a business listed with Google Places it will show the business name.

------
smsm42
"Betrayed" sounds exaggerated - after all, the only thing that was revealed is
the fact about where she works at, and if somebody "betrayed" her it was her
source who entered her identity into a public database, not the database.

I personally rely on TrueCaller daily, and do not pick up any call that
doesn't have identification I recognize. Otherwise I'd have to listen to bots
telling me my Social Security number has been arrested, screaming at me in
Chinese and people trying to get me to give them money for a myriad of reasons
that I really don't have time to listen to. I get several such calls daily.
Before, I was seriously thinking about just never picking up the phone at all.
Now that I found TrueCaller, at least I can get calls from normal people or
businesses that aren't shady and want to talk to me.

------
smadurange
If this is a solution to robocalls and spam, that's just plain f*ing stupid.
The worst case scenario of getting a spam call is you get annoyed and hang up.
Compare that to handing over your contacts, call logs, text messages to a
third party app just so that you can avoid picking up a call. Jesus Christ.

If you hate spam calls that much, it's very easy to not pick up a call from an
unknown caller. I can come up with a dozen ideas just off hand that could
potentially solve this spam issue far more elegantly. It's baffling that even
this is up for debate and that there are people who would defend an app like
this. This is not a philosophical or technical problem, this is not like spam
emails, this is simply not a difficult problem to solve.

------
jjwhitaker
Robocalls need a binding regulatory or legal prevention. But, could technology
fix spoofing numbers?

Would some variation of private/public key or authentication work? For
example, if each number and the device/SIM or IP it is registered to have a
unique key that must authenticate or handshake with the service provider to
connect, then a spoof call with that number but lacking the key would fail,
potentially be logged and reported to the FCC/authorities.

If no handshake can happen, call fails. If the number and hardware dialing out
authenticates via key with the service provider or central store, call goes
through.
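The handshake proposed in the comment above, as an added example that is not part of the thread. It swaps the suggested public/private key pair for a per-number shared secret with an HMAC challenge-response so that it runs on the Python standard library alone; the `Provider` class, the `sign` helper, the numbers and the keys are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, nonce: bytes, caller: str, callee: str) -> bytes:
    """Proof the SIM/device computes: HMAC over the provider's nonce and the call."""
    msg = b"\x00".join([nonce, caller.encode(), callee.encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Provider:
    """Service provider holding one secret per provisioned number (assumption)."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)   # number -> key provisioned on the SIM
        self.pending = {}        # nonce -> (caller, callee), single use
        self.rejected = []       # failed attempts, kept for reporting

    def start_call(self, caller: str, callee: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh challenge per call attempt
        self.pending[nonce] = (caller, callee)
        return nonce

    def finish_call(self, nonce: bytes, proof: bytes) -> bool:
        ctx = self.pending.pop(nonce, None)   # pop so a proof cannot be replayed
        if ctx is None:
            self.rejected.append(("unknown-or-replayed-nonce", None))
            return False
        caller, callee = ctx
        key = self.keys.get(caller)
        if key is None or not hmac.compare_digest(sign(key, nonce, caller, callee), proof):
            self.rejected.append(("bad-proof", caller))
            return False
        return True   # caller proved possession of the key for this number


if __name__ == "__main__":
    sim_key = secrets.token_bytes(32)              # constructed sample key
    provider = Provider({"+15550100": sim_key})    # constructed sample number
    n = provider.start_call("+15550100", "+15550199")
    print(provider.finish_call(n, sign(sim_key, n, "+15550100", "+15550199")))
    n = provider.start_call("+15550100", "+15550199")  # spoofer lacks the key
    print(provider.finish_call(n, sign(b"\x00" * 32, n, "+15550100", "+15550199")))
    print(provider.rejected)
```

The nonce is bound to one caller/callee pair and consumed on first use, so a captured proof cannot be replayed for a later call or a different destination.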

------
mesaframe
Regarding India, they now have privacy as a right. Shouldn't they enforce it?

~~~
wtmt
Privacy was declared by the Indian Supreme Court as a fundamental right found
within some articles of the constitution. However, till date, there is no data
privacy law proposed and passed in the parliament. The draft proposal that was
prepared more than a year ago was criticized by many. There will likely be a
half baked data privacy law that will be passed in the coming months (since
the elections are done and the new government has taken office).

Taking action on such violations today can only be done within the scope of
existing laws on fraud, security, etc. That won’t work very well for these
cases. The Indian Supreme Court also doesn’t understand technology and doesn’t
rely on experts. It seems to go by whoever talks the loudest (based on the
hearings in the case against the biometric based unique ID, called Aadhaar).

------
scraft
For me, the benefits of Truecaller outweigh the negatives. It was a step
towards my phone being useable again for the purpose of making and receiving
calls (at times I seem to get flurries of spam calls so it is great being able
to simply ignore).

For the last 18 months my phone is on silent, no vibration, so I am completely
oblivious to whether someone is contacting me. When I check my phone I catch
up with any missed activity. It is hard to explain just how much better it is
to operate this way.

------
i_feel_great
Spam it by labeling phone numbers with shit data and make it useless.

~~~
bdcravens
This isn’t a new app - the database is several years old, and is used by many
millions. Not sure how you’d get enough numbers and junk entries in there to
accomplish what you’re suggesting.

~~~
DarkWiiPlayer
Enough people with enough bots could probably do it. Is it realistic? no. But
possible? certainly yes.

------
guelo
Journalists could have two sims, one with which they call people when they
need to say who they are and one for when they don't need to say who they
are.

~~~
jonshariat
But that sim would only last until the person they call tags them using the
service.

That being said, I'm not sure why this changes anything for reporters.
People can already put a phone number online or share it with the government.
The same precautions they would need to take without this service would still
be valid.

------
daodedickinson
I just feel spied upon and completely vulnerable everywhere now by this false
pervert voyeur god. Can't even get away from it in national forests.

------
EastSmith
Viber, a popular app where I live, does exactly the same thing TrueCaller
does. It drives me crazy.

The only solution I can think of is that everyone start using one-time
numbers.

You still have a main number and a number "domain service". When you call
someone you get a new number, the call receiver can get your name out of the
"domain service" only if you have that number in your address book.

------
kevin_b_er
This is the same threat model Facebook poses. Don't want Facebook to know your
phone number? You just won't tell them, right? Well Facebook scanned someone
else's phone number list and got your number that way for their shadow
profile. Too bad, your full name, phone numbers, and addresses were harvested
by Facebook due to someone or someones else.

------
digital_voodoo
I am in one of the regions where Truecaller is growing rapidly.

And I've found out that the best defence is a good offence: registering my
number myself but with totally false information seems to supersede what others
register about me. And that's what I did. Not with Truecaller, but with
another app (CallApp) that seems less greedy with permissions.

------
qrbLPHiKpiux
Okay. So the weak link again is the endpoint. The human. There is really
nothing to see here. My God. This will never stop.

------
llamataboot
I regularly get calls on my iPhone now that say (maybe: Jane Doe) under the
name, and they are usually correct. Often they are recruiters, or lawyers, or
people that I imagine have their phone number publicized on the web. But I'm
not sure I've read where Apple is getting this info (or perhaps it is a
carrier thing?)

~~~
jmiserez
Settings -> Phone -> Call blocking and Identification -> "Allow these apps to
block calls and provide caller id"

You can add phone book apps there. Seems to be an iOS 12 feature, it wasn't
there before.

Otherwise it will just use your contacts.

~~~
jannes
Is this a regional feature? I don't see it on my phone with iOS 12.3. I am
located in Europe.

~~~
jmiserez
I'm in Switzerland, so Europe as well. iOS 12.2. Maybe you need a phone book
app installed for it to show up.

------
SmellyGeekBoy
I've never had an account with them so I tried to search my number to see what
data they had on me. Says I need to sign in.

For that reason I've unlisted:
[https://www.truecaller.com/unlisting](https://www.truecaller.com/unlisting)

------
kembrek
Rather than disabling the Caller ID, what if the journalist spoofed her Caller
ID each time she called. In that way, it prevents 'Private Number' showing up
on the receiving end which is the thing preventing those on the receiving end
picking up her calls.

------
SlowRobotAhead
_[suggest that] They send a SMS to any non-user whose number is entered to
warn them someone is attempting to enter their number and ask them for
consent. This would also be an opportunity to inform them about the unlisting
option._

Yea, good luck with that.

------
ktpsns
> The website encountered an unexpected error. Please try again later.

Has somebody a copy?

~~~
gosseyn
Here is the one I found

[https://ifex.org/serious-privacy-concerns-raised-about-the-a...](https://ifex.org/serious-privacy-concerns-raised-about-the-app-truecaller/)

------
mongol
Hmmm... I think Chloe, and anyone in her situation, could use a prefix when
they call to not show the number on the recipient's phone. I think it is #31#.

Will improve the situation somewhat

~~~
loriverkutya
And how would anybody call Chloe, if she cannot tell her number to anyone?

~~~
mongol
The point is that this puts her more in control and she can choose who she
gives the number to.

------
Abimelex
Well, this is e.g. a scenario that GDPR would protect you from. A company
would not be allowed to store your phone number without your consent.

------
visarga
The title is wrong. There was no contract or agreement between the app and the
journalist so there could be no betrayal.

~~~
duxup
I don't think you need a contract to fit the usage of "betrayal" here.

~~~
visarga
Well, before betrayal can take place there must be an implicit or explicit
obligation or loyalty.

~~~
cannonedhamster
What about the obligation to not put people at risk of death through
ignorance? If the app itself is used as a suppression tool that was not
previously available and one can accidentally expose someone to literal death,
then yes the app has an obligation to not do that as human beings. Pretty sure
not exposing people to harm is an implicit agreement with their users. Maybe
I'm wrong and Indians (where the software is made) don't think like most of
the rest of human society, but I'm pretty sure they do and don't want people
they converse with being put on government watch lists for simply being
entered into a database without their consent or knowledge.

------
oytis
That's the problem with security through regulation. Just leave your happy
regulated place and go elsewhere - and you are helpless. Without it you would
probably spend more time planning your security life, especially if you are a
journalist.

------
kkarakk
If she's truly after "opsec" then why would she keep using a phone number
she's handing out to randos?

Pretty laughable - buy a new sim every week, it's not even hard to do in
India/South Africa. You can buy a new sim almost instantly from the corner
store equivalent. You might get called by the local police if you buy more
than 5 a month though - happened to me when I was testing out different
carriers' data/sim services and bought 6 sim cards at once in India. They just
took down my details and never bothered me again.

------
powerslacker
That's not a privacy violation. Her data wasn't collected, a series of numbers
was tagged. The person tagging the number could be entering the tag as
anything they want.

~~~
notafraudster
According to your logic, if I create a website that maps Hacker News usernames
to metadata, and because I know you in real life, I enter your information
(name, occupation) on your behalf, and now the connection between your
username and that other information is public, your privacy has not been
violated, because this is not information about you, it is simply a series of
letters connected to another series of letters.

I think what you mean to say is that it is not the app that committed the
betrayal, it was the source who was enabled by an app that otherwise had a
non-nefarious purpose. Which, fair point, but I don't think the article would
disagree.

