Betrayed by an app she had never heard of (privacyinternational.org)
442 points by Brajeshwar on May 31, 2019 | 241 comments



This article focuses on the problems that truecaller poses for 'non-users'. As a non-user of truecaller in India myself, I find myself in the minority. It seems I get none of the benefits (improved spam filtering, the chance to see who is calling me), and in the 'prisoner's dilemma' sense, it appears I would lose nothing by installing it, because they already have my contact information.

However, this is only half the picture.

If you install truecaller on Android, you're handing over ALL your personal information to them. The list of permissions they ask for is ridiculous. They ask for access to your sms messages, call log, contacts, file system, location, microphone, camera, everything. They also show you advertisements wherever possible.


If you're a non-user and do not wish your information to appear on the app, you can unlist your number here - https://www.truecaller.com/unlisting

Though I do not agree with the method where as a non-user I need to manually opt-out of the service, it does seem to work. My number is no longer visible on the app.


I tried using the unlisting UI, but it says I need to install the app and deactivate my account before unlisting. When I install the app, it refuses to run unless I grant it all sorts of permissions. So it seems before unlisting, I need to give truecaller my data. This is absolutely ridiculous.


I'm not sure if this is something available only in the UK/EU but I was able to log in on the website https://www.truecaller.com/ and deactivate the account in my settings there, then successfully unlist my number.

--edit. I should read slower. I see you aren't an existing user. That is indeed BS.


It said that for me too, and I've never had an account. I kept trying and it somehow worked on the fourth try. The format I used was "+1xxxxxxxxxx" for the number, not sure if that made any difference.


Outside of some legal recourse if that's possible where you live, have you tried installing it on an emulator and just giving it some garbage data?


I had given a garbage name for my number as I knew for sure others who have my number in India have uploaded it to Truecaller (as in OP article). It displays the Garbage name for everyone for my number.


It worked for me just from the site. I've never used the app before, never had it installed.


I was finally able to unlist successfully by installing truecaller on my iPad where it didn't ask for any permissions forcefully, deactivating my account, and then unlisting. Previously I was using my android phone.


Same here. Another dark pattern is they require the country code, they could have inferred it from my IP and auto-populated it or had a list of countries via a dropdown; instead they bury that the country code is required in a paragraph and disable the button if the phone number lacks it. At the very least enable the button and pop up an error message if the country code is lacking. How many non-technical users will give up with this form? I suspect many of them.
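The form behaviour this comment asks for (accept the number, and if the country code is missing say so instead of silently disabling the button) is a few lines of validation. The following is an added example, not Truecaller's code and not from the original post; it checks the entered number against the E.164 shape (a "+" followed by up to 15 digits, the "+1xxxxxxxxxx" format a commenter above found to work), accepts the "00" international prefix, and optionally fills in the calling code from a country dropdown. The calling-code table is a constructed four-entry stand-in for a full list, and the error strings are assumed wording.

```python
import re
from typing import Dict, Optional

# E.164: a leading "+", then 1 to 15 digits, the first of which is 1-9.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")

# Constructed stand-in for the country dropdown the comment suggests.
# A real form would carry the full ITU list of calling codes.
COUNTRY_CALLING_CODES: Dict[str, str] = {"US": "1", "IN": "91", "DE": "49", "GB": "44"}


def normalize_number(raw: str, country: Optional[str] = None) -> dict:
    """Return {"ok": True, "number": "+..."} on success, or
    {"ok": False, "error": "<message for the user>"} on failure.

    The caller shows the error text next to the field; the submit button
    stays enabled so the user learns what is wrong instead of guessing.
    """
    # Drop spaces, dots, dashes and parentheses that people type into phone fields.
    cleaned = re.sub(r"[\s().-]", "", raw.strip())

    # "00" is the international dialling prefix in most of the world; treat it as "+".
    if cleaned.startswith("00"):
        cleaned = "+" + cleaned[2:]

    if not cleaned.startswith("+"):
        if country is None:
            return {
                "ok": False,
                "error": "Please include your country code, e.g. +1 for the US or +91 for India.",
            }
        code = COUNTRY_CALLING_CODES.get(country.upper())
        if code is None:
            return {"ok": False, "error": f"Unknown country {country!r}."}
        # When a country is chosen, drop a national trunk prefix ("0" in DE/GB/IN;
        # US numbers never start with 0, so this is a no-op there).
        cleaned = "+" + code + cleaned.lstrip("0")

    if not E164_RE.match(cleaned):
        return {
            "ok": False,
            "error": "Number must be a '+' followed by 2 to 15 digits, with no leading zero.",
        }
    return {"ok": True, "number": cleaned}
```

The function never raises on bad input; every path returns a message the form can display, which is the whole point of the commenter's complaint.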


I don't think it's the case that your country code can be reliably inferred from your IP. When I lived in Europe, I had a German phone number but was frequently living/working in other countries.


But, like, the search form at the top of the page has an auto-populated country code.


I didn't notice that; that means it's a one-liner to auto-populate the form. Great work guys.


Unlisting does not mean that the info is removed.

If they have full access on anyone having installed the app, it means they also have mined the conversations with your contacts.

So they might not advertise what they know anymore, but the privacy concern remains anyway.


Yes but at least you're not visible to others. edit: so in order to use this, you have to install the app, "deactivate it" and only then will it accept the unlisting. Fucking bs


BS but I imagine this is how they verify you own the number and prevent a rival app from executing a denial of service attack on them by unlisting everyone's number.


This could also have been done using a simple OTP sent to the number.


The "Unlist Phone Number" button never becomes usable for me on that page, even after completing the Google captcha.

edit: Make sure you put a "+" in front of your country code


They seem to have banned my IP (an Algo VPN instance on a pretty reputable web hosting provider which I just use for normal, reasonable web browsing). Not cool.


> If you install truecaller on Android, you're handing over ALL your personal information to them.

That's what I remember too but the article said Truecaller only gets non-user's information when a user tags them so. Maybe the app behavior varies with the country the user is in.


pardon me if I'm a bit out of the loop, but my understanding was that Google planned on revoking all app access to SMS messages and call logs on Android as of the beginning of this year -- does this not apply to TrueCaller?


Honestly I would happily give them some of my personal information in exchange for their service. The problem is that information in my address book, SMS, call log etc. is not just mine.


The good news is you can turn off most of those and truecaller still works. I just checked and I only allow it access to Contacts, SMS and Phone which, given the purpose of the app, seems appropriate.


This is one of those cases in which the GDPR is very nice to have as a European citizen.


> We reply to TrueCaller to suggest that:

> - They advertise the unlisting option more clearly

> - They send an SMS to any non-user whose number is entered to warn them someone is attempting to enter their number and ask them for consent. This would also be an opportunity to inform them about the unlisting option.

I doubt anything less than that is even really legal in the EU right now. Essentially, if my phone number is entered into that app, my personal data is being digitally processed and made widely available without my knowledge or consent. Pretty sure that's very much illegal.


I'm often critical of GDPR, but stuff like this is why I think it's probably necessary to have.


GDPR is 100% necessary and fundamentally a good idea. It has a lot of problems that just show how incompetent politicians can get on a bad day, but that doesn't invalidate the core idea.


The problem I see is that politicians don't seem to have any good days.


You are living in a complex, mostly functioning nation state where the majority of conflicts are resolved in a civil manner. Not in a small tribal society where you might be murdered by someone physically stronger than you simply because he lusts after your partner. That simple fact proves how hyperbolic and naive your statement is.


Your statement is equally naive and hyperbolic. It's preposterous to think that humans haven't always had rules (well defined or not) to prevent petty BS from escalating. Of course the rules are different for a bunch of cavemen living in a group of <50 but rules and norms still existed.


I don't think that holds up to evidence. In tribes largely untouched by civilisation blood revenge is still fairly common. These are social norms, but without a neutral judge one party might execute revenge, the other party doesn't see their fault and instead retaliates, and you get an endless circle of bloodshed (which has killed entire tribes).

One of the major achievements making civilisation possible is a judge or court that can decide who is right and who is wrong, preventing BS from spiraling in endless retaliation and counter-retaliation. In a small system that can work with just one universally respected person or person of authority, but once you scale it up to an entire country codified laws are incredibly useful for this. Codified laws mean we need people making laws, which is exactly what the entire job of modern politicians is. Sure, we could have civilisation without politicians, but our countries would have to be a lot smaller than they are; a justice system without laws just doesn't scale.


> One of the major achievements making civilisation possible is a judge or court that can decide who is right and who is wrong, preventing BS from spiraling in endless retaliation and counter-retaliation.

Well, no? Isn't that what is called "war"? You might argue that frequency of conflicts is lower, though I would be sceptical of that without further proof.


War happens, but places without a judicial system to solve conflicts between persons, families and regions don't seem to flourish, while many of the more prosperous regions and regions with the most wealth growth feature a judicial system that spans areas normally inhabited by multiple countries (USA, China, EU, India).

Having a transnational judicial system in the EU (as the most recently formed example) allows cooperation and trade to a much greater extent. Sure, the EU might go to war at some point, but the circle of people and corporations you can trust to respect law and written contracts is very big, no matter if a war is going on or not.


While that's obviously a very good point, one could also argue that this is mostly due to law enforcement and culture. We live in a society where murdering someone gets you outcast pretty easily, and on top of that thrown in jail. Politicians ultimately only wrote down what is a large cultural consensus.

The problems start when politicians decide over smaller things that not everyone can agree on. I mean, damn, they'd be more than incompetent if they didn't get laws regarding murder right.

The latest screw-up of European politicians (the same who are responsible for GDPR) is the European copyright reform, which just shows a complete lack of both technical understanding and willingness to listen to experts who do understand the situation.


> law enforcement

And where do those laws come from?

I'm not pretending the issues with politics and politicians do not exist, or that they are not enormous. However, a statement like "they have no good days" says more about one's own unwillingness to be politically active than anything else in my opinion.


wut? are we really comparing 21st century society with a tribal one?

by that measure we've solved pretty much everything.

when in reality the contrary is true: politicians are mostly career based opportunists and the inertial nature of our society pushes us to peace and prosperity.


"by that measure we've solved pretty much everything"

Yes.

And you need to appreciate this before you start breaking things. Life can go from good to bad, not to better.


...and how have politicians of the last, let's say 20 years, positively contributed to this? If the last good day was over two decades ago, I'm not sure how you're going to sell me this as a good thing.


Depending on where you live, politicians may have enacted any number of positive life improvements, like improved public transportation infrastructure, better regulations on working conditions, better pollution regulations, small business development programs, and on and on.

If you live in an area where absolutely nothing good has happened due to government in the last 20 years, your complaint about your local/regional government is entirely warranted.

Chalking it up to "politicians" as a whole is unhelpful; they aren't "all the same" (another thing I hear often), and if one thinks so, one is profoundly not paying attention.


It has a lot of problems that just show how incompetent politicians can get on a bad day

Mind elaborating on them?

The only potential issue, which I see, is some ambiguity. However, I don't see how you could craft a legal framework without some ambiguity, which needs to be resolved by the courts at one point.

Unless your business model is dreck, I really don't see any issues with the GDPR as such.


Maybe I'm just naively applying my programmer's sense of beauty to legal stuff, but the main problem I have is complexity. I'm OK with Google having to spend some money on lawyers to work out what they can and cannot get away with, but smaller businesses seem to be pretty lost right now. This is partly because it's a new thing and we need to wait and see how judges ultimately interpret things, which will give people some more security.

A simpler, more elegant solution would have been better in my opinion.


Maybe I'm just naively applying my programmer's sense of beauty to legal stuff

I see that happening a lot. Actually, it's more trying to apply tech skills to societal issues, often without really thinking through the consequences or the bigger societal impact. Sidewalk Labs' Toronto experiments provide a nice illustration of such issues.[1], [2] & [3]

One of the buzzwords that really gets my blood boiling is "Government V2.0".

Life and society is usually quite messy and attempting to optimize it very often yields rather undesirable consequences, or just outsources the externalities to other parts of society.

A simpler, more elegant solution would have been better in my opinion.

Sure, that would be nice. But I think that's extremely hard to do with crafting legal frameworks.

If tech has taught me anything in the last 20 years it is that you will have people, entities and corporations just abusing the sweet bejeezus out of any loophole which they can identify and get away with.

[1] https://www.washingtonpost.com/news/theworldpost/wp/2018/08/...

[2] https://www.cbc.ca/news/canada/toronto/sidewalk-labs-privacy...

[3] https://www.theglobeandmail.com/news/toronto/cracks-appear-i...


A simpler and more elegant solution wouldn't screw over small businesses and individuals as much. An individual running a forum from their basement has to follow the same rules that Google spends tens of thousands on lawyers fees to figure out. Maybe exemptions or less strict rules for smaller companies should've been added. The EU isn't exactly a bastion of internet technology enterprises, so we probably shouldn't throw the few that try under the bus.


> A simpler and more elegant solution wouldn't screw over small businesses and individuals as much.

[Citation Needed]. Every business pays a flat fee of $10M is a simple and elegant solution.


An individual running a forum from their basement has to follow the same rules that Google spends tens of thousands on lawyers fees to figure out.

It's very, very unlikely, though, that the individual running the forum in his basement has to navigate the same legal minefields as Google or Facebook.

Implying that he has the same legal expenses as companies whose whole business model relies on getting around the GDPR seems to me a bit of a strawman.


It has the same issue as many laws that assert extraterritorial jurisdiction on internet entities: it isn't too difficult to deal with as long as only the EU has it, but if a bunch of other countries also adopted very similar laws it could be prohibitively expensive for small entities to deal with.

The main reason for that is Article 27.

For an organization that does not have a presence in the EU but for which GDPR applies, it seems to cost a minimum of around $500/year to comply. That seems to be the low end for the services that provide Article 27 representation.

That might not be too bad...as long as only the EU implements such privacy legislation. But several countries have talked about similar privacy legislation. If they all have something like GDPR's Article 27, it could quickly get out of hand.

You don't need an Article 27 representative if all of the following apply to your processing of personal data:

• the processing is occasional,

• it does not include, on a large scale, processing of certain special categories of data or personal data related to criminal convictions and offenses, and

• it is unlikely to result in a risk to the rights and freedoms of natural persons.

There's a lot of fuzziness in that. Even if other countries have similar exceptions, each country might resolve the fuzziness a different way, which could make it a major pain to figure out for which countries you need a representative.


> Mind elaborating on them?

My own biggest problem with the GDPR — other than the regulatory burden, which disproportionately imposes costs on small challengers and effectively protects large pre-existing firms — is the so-called 'right to be forgotten,' which is really a privilege to force others to rewrite history. Among other things, it effectively mandates mutable logs, which is horribly insecure (logs should be in principle even if not in fact immutable), and at a higher level it grants malefactors the ability to legally compel others to refrain from true speech about them.

Other than that, most of the GDPR is pretty good.


I can agree with the motivation, but the law is not particularly well written.

If the EU passes a law and it takes armies of lawyers over two years of negotiating with the EU to find a compromise of what is and isn't included in the law (with the EU changing its stance regularly), then it probably isn't a good law.

It took a year and a half of wrangling for the EU to decide that internet advertising was not a "legitimate business interest" or "necessary to perform tasks at the request of the data subject" (despite the advertising being a primary source of funding to pay for the requested task). Then the entire internet advertising industry had just 6 months to design/implement/deploy a system that can meet the requirements and migrate all their users to the new platform (keeping in mind that their users have a financial incentive not to switch, since the old system is more profitable).

There's also the weird catch-22 of how it only applies to users with EU citizenship, but you can't collect, use, or store the information on whether or not they are an EU citizen without their permission.


> Among other things, it effectively mandates mutable logs

It does not. The Right to Erasure is much more restricted than many people seem to realize. If you can articulate an Overriding Legitimate Interest, and find a way to balance that against privacy, then GDPR gives you a pass.

While I don't believe it's been tested in court, the general belief is that the Right to Erasure does not mandate deletion from back-ups. It's generally believed that an acceptable practice is to keep a ledger of "forgotten" accounts off to the side (or their hashes or something), and make sure that your restore-from-backup process deletes those from prod after restore. I know that logs aren't back-ups, but the same idea should apply.

The issue with compelled censorship may have merit, but I haven't seen a concrete example where I agree that happens. Like I said, the Right to Erasure is more restricted than many realize. But, Europe also ranks the importance of speech rights slightly lower than we do in the States, so it's possible that certain Overriding Legitimate Interest arguments wouldn't fly.
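The restore-from-backup practice this comment describes (keep a ledger of erased accounts off to the side, as hashes, and replay it after a restore so the data does not resurface) is straightforward to build. The following is an added example and not code from the original post or from any GDPR guidance; it uses a keyed HMAC rather than a plain hash so the ledger itself does not reveal which identifiers were erased, and it treats the ledger as living outside the backup set (if the ledger were restored along with the data, the restore would roll back the erasure too). The user records, the ledger key and the user ids are all constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Set

# Key that turns user ids into opaque ledger tokens. Constructed example value;
# in practice it comes from a secrets manager and is NOT part of the backup set.
LEDGER_KEY = b"example-ledger-key-not-for-production"


def ledger_token(user_id: str) -> str:
    """Keyed hash of a user id. The ledger stores only these tokens, so a copy of
    the ledger does not by itself list who asked to be forgotten."""
    return hmac.new(LEDGER_KEY, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


class ErasureLedger:
    """Append-only record of erased accounts, kept outside the backed-up data."""

    def __init__(self) -> None:
        self._tokens: Set[str] = set()

    def record(self, user_id: str) -> None:
        self._tokens.add(ledger_token(user_id))

    def contains(self, user_id: str) -> bool:
        # hmac.compare_digest is not needed here: membership in a set of
        # fixed-length hex tokens leaks nothing about the key.
        return ledger_token(user_id) in self._tokens

    def __len__(self) -> int:
        return len(self._tokens)


def erase_user(db: Dict[str, dict], ledger: ErasureLedger, user_id: str) -> None:
    """Handle a right-to-erasure request: delete from prod and note it in the ledger."""
    db.pop(user_id, None)
    ledger.record(user_id)


def restore_from_backup(backup: Dict[str, dict], ledger: ErasureLedger) -> Dict[str, dict]:
    """Replay the ledger over a restored snapshot so erased users do not come back.
    Returns the filtered snapshot; the caller loads that into prod, not the raw backup."""
    return {uid: rec for uid, rec in backup.items() if not ledger.contains(uid)}


def demo() -> Dict[str, dict]:
    """Walk through snapshot -> erasure -> restore on constructed sample data."""
    prod = {
        "user-1001": {"name": "Alice Example", "phone": "+15550100001"},
        "user-1002": {"name": "Bob Example", "phone": "+15550100002"},
    }
    # Nightly backup is taken while both users still exist.
    backup = {uid: dict(rec) for uid, rec in prod.items()}

    ledger = ErasureLedger()
    erase_user(prod, ledger, "user-1001")  # Alice asks to be forgotten
    assert "user-1001" not in prod

    # Later, prod is rebuilt from the old backup; the ledger filters Alice out again.
    return restore_from_backup(backup, ledger)


if __name__ == "__main__":
    print(demo())
```

The same filter can be run over any restored artefact keyed by user id, including archived log records, which is the "same idea should apply" the comment mentions.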


Yes, but the GDPR was definitely done on a "good day", relatively speaking. You don't want to know about the bad days. Stuff like the Copyright Directive seems to be the norm, not an unhappy accident.


Could have been my comment.


I find TrueCaller very useful. I used to get sooo many sales and robo-calls a day that I seriously considered just getting rid of my phone. Now they get automatically blocked or I can just put them on a profile that they ring silently and hang up immediately.

I get that this can be dangerous for journalists, but shouldn't they maybe investigate alternative ways of contacting sources privately? Mobile numbers are not in any way secure or anonymous in most parts of the world anyways. Hell, here where I live you have to register with your government ID in order to get your sim card activated.


If Robocalls are the problem, Truecaller isn't the solution. Regulations against unwanted harassment are. Robocalls are not a force of nature where our only recourse is a technological solution. They are a result of a human choice, where the absolute majority of individuals think it's a menace. So our recourse is legal. Band-aid solutions like Truecaller cause more problems. The Truecaller product is not a usual commodity where you choose it, and pay a known price. The actual price you pay is totally unknown. Because they require total access to your device without genuine disclosure of their intended use for it.


In essence, this is the spam debate all over again, with some extra seasoning. (The permissions are incidental - other apps exist that are polite in this respect.) So, out comes the canned spam response:

Your post advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea.)

(X) No one will be able to find the guy or collect the money (X) Requires too much cooperation from spammers (X) Requires immediate total cooperation from everybody at once

Specifically, your plan fails to account for

(X) Lack of centrally controlling authority for email (X) Open relays in foreign countries (X) Ease of searching tiny alphanumeric address space of all email addresses (X) Asshats (X) Jurisdictional problems (X) Extreme profitability of spam (X) Technically illiterate politicians (X) Extreme stupidity on the part of people who do business with spammers (X) Dishonesty on the part of spammers themselves

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.


> Lack of centrally controlling authority for email

That's the key difference with phones - phone numbers and call are (quasi-)centrally controlled - by your network provider. A simple legislative solution is just "user gets $10 discount on their phone bill for each spam call" and watch the problem solve itself...


(X) No one will be able to find the guy or collect the money

Where does the $10 come from? (Who pays it? Who collects it?) Also, you just invoked a Cobra Effect. https://en.wikipedia.org/wiki/Cobra_effect


Users collect $10 from their network operator by filing a claim in an online form. Burden of proof on the network operator to prove it wasn't a spam call (e.g. originated from a known number, lasted more than some number of minutes, metadata indicates that it was a two-way conversation, etc.). Huge fines if users complain to the regulator that any of the above isn't true.


This would be difficult to write as a law and very difficult to enforce, though I like the idea of the burden of proof being on the operator.

In India we have a national DND (Do Not Disturb) registry that anyone can sign up for and choose whether to receive marketing communications or not, and what categories therein. The regulator has made the operators enforce the reporting mechanism along with penalties (monetary and otherwise) on the marketers for violations. But still, there are cases where a marketer may claim that the person receiving the call/SMS opted for it and signed up or had some transactional relationship with the company.


Cue the beginning of a spam robo-call (or more accurately, robo-receive) industry purely for the purpose of collecting this $10 for every call received.


> Who pays it? Who collects it?

My only guess is that you misunderstand what is being proposed. The spammer is not part of the transaction.


In which case, how in the world will anyone sane consent to "I didn't like this call - prove me wrong or give me $10"? (Yes, yes, make a law, I got that. Good luck getting that passed.)


This thread is not about a voluntary payment, and we don’t typically get to choose which laws we consent to. So I don’t know what you are asking.


Once the law is in effect, that is. First, it needs to be passed - and then, not shot down as unconstitutional. Moving the burden of proof to the operator (a third party! Not even one of the endpoints) sounds...very brave.


This response is a total straw man argument. I was talking about robo calls, your response is about difficulties with email spam.

The phone network is controlled centrally. Government can force handling spam by phone companies, the same way they can force them to give police call logs etc for the purpose of collecting evidence.

Furthermore, Robocalls usually are of a more local nature (not international). Government may instruct Police to investigate origins of Robocalls and enforce sanctions. A formal complaint process could be made, where any end user may file a complaint. Providing proof is trivial, both for the act and the origin (Robocalls are advertising a specific product from a specific company.) A law could be made which mandates a speedy process for filing relevant lawsuits with small claims court; if found guilty the offending party will be levied a large fine.

This is from the top of my head. It probably contains many flaws. But it certainly doesn't seem impossible to combat Robocalls.


As a German I've never received a robo-call in my life. Germany is the 4th largest economy in the world, so it's not like we are just under the radar either. I have no idea what we are doing right, but I am willing to bet it's a legislative solution.


At the end of the day, someone somewhere is granting robocallers access to the public telephone network. Hold those service providers legally responsible until they start taking action - it's not like there is no way to find out who they are.


A shell company, operating out of Vanuatu, with VoIP servers in Vietnam and Venezuela? Gl;hf.


International phone calls aren't free and unrestricted. It's quite feasible to arrange a regime where such inbound spam calls are economically unfeasible, and legally unfeasible within a regulatory regime e.g. apply large financial penalties to the originating phone company, of which there's a limited number, all are licensed, and can be prohibited from obtaining new licenses.


At some point those VoIP servers connect to PSTN. Someone is responsible for that.


The non-spammy network operators that interconnect to the spammy network operators make money through that interconnection. If you want them to disconnect their spammy customers, you have to convince them that it's worth it to lose them. This is a manual process and takes time.


This is where infrastructure level legislation comes in. They should be required to provide the full originator information all the way to the people who receive the call, they should block known spammers, they should block other networks that do not do this, and they should be fined heavily if they do not. Otherwise the phone system will become a relic.


It also seems to be a problem unique to location. I have never in my life received a robo call in Australia but I did start to get sales calls until I put my number on the do not call list.


While I agree with your sentiment, in practice, relying on legislative options is not foolproof and is also a band-aid. You require a lot of human cooperation which, to be honest, is not trivial to achieve in 2019. Second, technology frequently outpaces legislative actions. You can relay a spam call/sms around the world and the receiver, her ISP or her government would still be completely unable to fix the issue.

Honestly, I want disposable phone numbers (which are still compatible with public networks) something akin to email aliases. So if one number gets a lot of spam calls, I can just route it to /dev/null.

We need a complete array of legislative + technological solutions.


Can somebody enlighten me why robo-calls are such a problem in the US? I'm completely ignorant of any relevant legislation or enforcement, but as a young German I can literally remember exactly two unsolicited survey calls in my whole life, both on a landline.

This suggests some fundamental difference compared to the US which maybe should be changed instead of a third party band-aid app with lots of problems, but again I don't know this difference and thus will refrain from judging...


Can confirm, being also a (not-that-young-anymore) German. Scam calls or phone marketing is very seldom here. I always assumed this is due to strict laws in Germany.

Another thing is also that most people I know no longer publish their telephone number in a (public) phone book, as it used to be still common 30 years ago. That's something where you easily can grab tons of private information from. How common are phone books in the US?


the scammers can't speak german


Phone books are supposedly common in parts of the US but they do not publish cell phone numbers. It's also illegal to telemarket to a cell phone. Of course, nothing is done when phone providers knowingly forward said illegal phone calls to cell phones anyway.


For a somewhat amusing (if roundabout) investigation jumping off point into the robocalls problem: https://gimletmedia.com/shows/reply-all/awhk76


We get ~10-15 scam calls per day on our landline here in the UK, so it's definitely not a US-only problem.


Mobile numbers are also often the most secure (even if not secure) / only way to contact someone in parts of the world....


True, but for edge cases with no alternative means of contact, there could be other simple solutions. In the article's instance, Chloe could in the future register that sim, and then immediately tag it as Chloe Sullivan on TrueCaller (or whatever app they use in the country in question). Problem solved. Ta-da.

There are solutions other than proposing regulations or limitations on apps that benefit waay more people than it might inconvenience.


So you're suggesting that it's a user's responsibility to proactively register their number with every single third party caller ID service that exists and ever will exist? And you consider that a "simple solution"?

It does not seem unreasonable for a service like TrueCaller to notify people that user-generated information about them is being irrevocably added to a globally public repository.


All I'm suggesting is that if a particular user is concerned about their safety, I would suggest they take steps to ensure it.

But if one wants to push for regulation to prevent the emergence of apps like TrueCaller, then perhaps we can start regulating robo-calls and sales calls more effectively? Then no one would need to install apps like TrueCaller in the first place.


And I'm suggesting that your proposed solution isn't reasonable, or even discoverable for the majority of people. Clearly this person was concerned about their safety. And clearly they took steps to ensure it.

Arguing that the real problem is robo-calls is beside the point. It's like saying if people just drove safer we wouldn't have to have seatbelts. Or if I had bajillions of dollars we wouldn't have to have this discussion, because I'd be off on a beach somewhere. It's marginally related at best.

But if that's the line you really want to take, TrueCaller could have a "That was spam" button, and if enough people click it then it could block the calls. The faux caller ID part doesn't need to be part of the service.

Google Voice offers a somewhat similar service, but it flips the onus around. When enabled the caller has to identify themselves before the call can get through, and then the recipient can screen based on that. This approach is wildly more discoverable for the caller (who the information is attached to), and similarly filters out robo-calls.


> It does not seem unreasonable for a service like TrueCaller to notify people that user-generated information about them is being irrevocably added to a globally public repository.

If they live in Europe, as far as I'm aware, they should actually also need the user's consent if the information contains anything like a name (which it most likely does) and a way for users to have their personal data erased permanently.

Maybe there's some exception why they don't need to do this; can someone provide some more info on this?


This data is like Wikipedia.

Does every Wikipedia entry about a person in Europe need that person's permission before it can be published? Can I make Wikipedia delete my Wikipedia page permanently with no way for anyone ever to recreate it? What about a blog post? If I write about a friend of mine doing something on my blog, do I need my friend's written permission before I can post?

I'm guessing that this answer is "no."


Actually, articles on non-famous people require extra notability as there are more protections for libel. Helpfully, most people with wikis are famous.


This.

If there's a large enough public interest, then information about a person can be published.

And no, I can't just create a wikipedia page for my neighbor and post their phone number there, that'd be illegal and would get me into serious trouble.


Wikipedia will, and have, remove(d) pages about people who ask them to remove it.


That sounds crazy. You mean if I know some guy named Dave and he lives in Europe, to tell somebody about that I need Dave's permission? Moreover, I should give Dave a way to make me forget his name? I'm pretty sure even in Europe things aren't as bad as this. Though who knows...


uh... you do realize there's a legal difference between telling something to a friend and publishing it to the web, right? They're two completely different things.

> I'm pretty sure even in Europe things aren't as bad as this.

I get your point, but from my (European) perspective, it's the rest of the world where things are bad. I personally do quite enjoy the fact that, in theory at least, everyone is not allowed to simply publish my personal information as they see fit.


> there's a legal difference between telling something to a friend and publishing it to the web, right?

Actually no. Most of the things I tell my friends I do by publishing them on the Web (e.g. Facebook, or other social forums).

> I personally do quite enjoy the fact that, in theory at least, everyone is not allowed to simply publish my personal information

You realize what you are aiming at is control over the speech of other people? I.e. you say "since other people call me Dave Whatshisname, now every time anybody utters the sequence of letters 'Dave Whatshisname', I want them to ask permission from me beforehand". This "personal information", taken in this form, is an insane construct - in fact, you are asking to control what other people think and speak in private (if the computer records are an extension of memory, which effectively they are) about you. I can't imagine a larger violation of privacy than that, and yet it is done in the name of privacy. Doesn't it feel weird?


I'm not convinced a single fake entry defeats the system here.

The app claims to stop unwanted robo callers...I'm sure those robo callers already have tried your method to look like something else.


As a user of a different app, I see how many "user reviews" are there for the caller, by the rating (good/neutral/bad). For actual robocallers, the "bad" number is overwhelming, usually with a single "good" review - the spammers would need to flood the review system.


And if there's one thing that spammers are bad at, it's flooding systems with unwanted data...


Not sure how their system works, but I set my name on TrueCaller and that's how it displays to others. I suppose if all my friends changed my name on their apps to Bozo, it would default to Bozo then. Who knows.


I'd suspect TrueCaller requires at least a few entries for a phone number before permanently labeling it.


I use "Should I Answer?" for this purpose. I don't have to give them my data in order to know who's calling me most of the time. It could block calls, but I don't use that feature.


It's also worth noting that - as with almost any privacy-violating technology - journalists apparently sometimes use TrueCaller for research themselves.


This is one of my concerns ever since the first app asked for my contacts.

You could be a mountain man and value your privacy.... but if you just know someone who uses tech you are exposed in any number of ways.

In the US things like third-party doctrine have not aged well in the information age as just communicating with people can expose you in ways you can't ever control.


This is why I don't use WhatsApp despite the fact I know many people who use it. To use the app, you have to give access to your entire contacts list. Even if I'm okay with them having my information, I don't feel comfortable consenting for those in my contacts list who don't use WhatsApp.


> This is why I don't use WhatsApp despite the fact I know many people who use it. To use the app, you have to give access to your entire contacts list. Even if I'm okay with them having my information, I don't feel comfortable consenting for those in my contacts list who don't use WhatsApp.

Fun fact, that has technically been illegal for a while here in Germany. There's quite a few videos / articles on how "Using whatsapp is TECHNICALLY illegal". Of course, nobody really complains, so no legal action was ever taken against any user, but it's still a good excuse for me to say "I'm not installing that. It's illegal."


You don't have to give the app access to your contacts... at least on iOS.

That's what I do. It would be impossible to communicate with friends and family otherwise. I just have to put a little more effort into figuring out who's texting or calling me. The app also still shows me people's (self assigned) nicknames in group-chats.

My only gripe is that I still have to give the app access to my photos. I wish there was a way I could give it sandboxed access to only the photos that it adds to the collection.


You don't need to give WhatsApp access to your photos.

If you want to share a photo you just have to leave the WhatsApp app and start the sharing from the Photos app and select WhatsApp as the target.


Would be nice if mobile OSs had a permission that let apps save photos, but to read photos it has to make an API request which opens the system photo picker, and when you select a photo the app gets given access to only the photo you selected.


I think Android does/ can do just that? There's a native photo picking intent, and the app just gets back a photo. Whether it was from the camera, the gallery, etc, who cares?

In practice, most apps would rather have their own in-app photo grid. Nothing to do with wanting to violate your privacy, I'm sure :)


The photo picking intent leads to a confusing UI - it's common for phones to have many photo picking intents, so a typical flow would be:

* User clicks "attach photo"

* Phone asks, do you want to use "Photos", "Gallery", "Google Photos", "Camera".

* User wants to share a screenshot - so they don't know which to pick. They choose "Gallery".

* The built in gallery app doesn't show images apart from those taken with the camera. User goes back.

* User picks "Google Photos"

* Google photos only shows screenshots under a confusingly named "device folders" link in a hidden-by-default side menu. User doesn't find that.

* User tries "Photos".

* That turns out to be an alias of Google Photos put there by the phone manufacturer.

* User tries "Camera". That lets them take a picture, or to scroll through another list of past camera photos.

* User gives up.

And we wonder why apps don't use that feature of the platform...


iOS does as well. An app can use the system photo picker to allow the user to select a single/multiple photos without having "Photos" permission.

The problem is that granting full save permission also grants read permission, it would be more ideal if those were split.


I know it certainly has a photo picker but I don't know if you have to have filesystem access to pick one or if you can save photos.


Same in Android. I reluctantly keep Whatsapp installed, but don't give it access to my contacts.


That's how it knows what contacts are using it and auto-adds them to WhatsApp if you add a number that's using it.

It's just convenience. People don't want to add user names, they just want it to work.

I believe Signal are/were working on a way to work out this information without actually sending it to the server.


The problem is that they don't even give you the option to add the names yourself. You can use it, very crippled, without giving them your entire contact list, but it's almost unusable.


And in fact, they already have usernames (they show them in the Group chats), they simply refuse to show them.


I use WhatsApp without giving it access to my contacts list to chat with one friend who refuses to use anything else. On Android you just have to deny the contacts permission and everything else works fine.


BlackBerry Android phones have a feature where it notifies you when any app accessed some resource that requires OS-level permissions, such as contacts, GPS, etc.

Whatsapp and other facebook apps, access my contact list every 3 minutes.


Looks like a good reason to delete these apps.


Quite an unfortunate situation for those who would like public pressure on apps to minimize the permissions they ask for. At least in WhatsApp's case it would be hard to convince most people to stop allowing contact access to the app, as being able to send messages to all your phone contacts without any setup on your part is probably one of the major reasons that WhatsApp became so popular.


WhatsApp needs to know when you add a phone contact so it can look up the corresponding WhatsApp contact.

Even the 3 minute delay is annoying - it's common that I meet someone, add them to my phone, and then want to send them a WhatsApp message and they don't appear in the list. I have to awkwardly hang around for a minute or so before being able to send them the message I wanted to send.

(for context, in most of Europe, WhatsApp is used pretty much like iMessage or SMS is used in the USA - wouldn't it be annoying not to be able to SMS a new phone number without waiting 3 minutes?)


Just install 'Open in WhatsApp' from F-droid and you can immediately start a conversation with an arbitrary number. And without polluting your Contacts with numbers you'll maybe never use again.

WhatsApp used to function like that, too; you just added a new number in the UI. That was until FB decided that siphoning Contact info was lucrative. On my phones WhatsApp is still denied Contacts permissions and it works fine.


Thank you!

I know it is now too late for me as FB already have my contact list, but I will do (and advertise) that from now on.


>In the US things like third-party doctrine have not aged well in the information age as just communicating with people can expose you in ways you can't ever control.

Agreed. It's by design and I don't think anyone will be allowed to escape it.


TrueCaller is Facebook's face recognition for phone numbers. They are building shadow profiles using some user-valuable bait feature. For TrueCaller, most of its value is in fighting spam. So, unlike Facebook, it's not only users who compromise privacy of others, it's spammers who steal our privacy. We should examine spam fighting solutions for email, IM and others, they might be involved in the same business model.

If we solve the spam problem, we can regain some privacy back.


> TrueCaller is Facebook's face recognition for phone numbers

This is very good analogy - in fact I think that it's even more dangerous because when it comes to Facebook people are slightly more aware about privacy-related issues. I'm pretty sure that TrueCaller extensively profiles users, links all possible connections, gathers data - Facebook might not know that one visited certain doctor or that one has some medical conditions, TrueCaller? Who knows. It is possible to gather a lot of data and build detailed profile just by linking who calls who.

Additionally according to HN comments [0] one doesn't just simply "opt out", truly terrifying

[0] https://news.ycombinator.com/item?id=20058218


Seems like the website is having some problems, here’s a mirror: https://web.archive.org/web/20190531023057/https://www.priva...


This reminds me once again that the weakest link in the privacy chain today is the mobile phone number, especially since governments in many countries have forced people to link their number to a real ID. It's essentially become an ID number by proxy. However, in the case of the article, the reporter should know to inform her sources not to enter _any_ information linking to her real-world identity into their electronic devices.


I got a free loaner phone once a few years back ("Samsung Ultimate Test Drive") which came with pre-activated mobile phone service and was very clearly re-using a phone number that someone else had quite recently actively been using.

While it was weird to get SMSes about SoCal drug deals, the strangest thing of all with that phone was opening the Lyft app and being automatically signed in to someone else's Lyft account on the basis of my auto-confirmed phone number. Their active credit card was linked to the account and I could take free rides!

(I didn't... but it was very hard to sign into a different Lyft account when the phone # was actively linked to another, live account.)


Is this because Samsung simply sent you a phone that hadn't been wiped and was still signed into all these accounts, or was it really just auto-signed in due to phone number? I did the Samsung Ultimate Test Drive as well and don't recall being auto-signed into anything (though I also got many SMSes and calls intended for the previous owner).


Well, when I got the device, the Lyft app was not installed. I visited the Play store, installed the Lyft app and ran it, and then: the Lyft app immediately signed me in, told me that my full name was Britney G-------, showed me "my" full e-mail address, and offered to let me book rides on her behalf, paying with her linked Visa card. It wasn't even clear how to switch accounts; it was like they were using the phone # as a primary key.

I sent Samsung some feedback about this but don't think the issue was on their side per se.


You could have signed into Whatsapp as well.


The biggest threat to privacy, is how little (most, nearly all) other users do NOT value someone else's privacy.

Re Spam: Pre-screening, and people that actually say something useful to the (automated) screening service. Actual spammers should get fed to a blacklist (filtered for multiple confirmations), and organizations that prosecute spammers should be able to read THAT list. Everyone else has to use a more public API that's rate limited.


In the case of this article, the reporter should keep separate "digital identities" for people whom she wants to know her affiliation and those who don't. The main mistake there was that she used her "burner number" for ordering a taxi, when it should have been used just for these contacts.


> However, in the case of the article, the reporter should know to inform her sources not to enter _any_ information linking to her real-world identity into their electronic devices.

Yeah, that had me kinda puzzled as well. Sure, the app seems like a terrible idea, but ultimately it was one of her contacts who put that information into it.


Reporters talk to lots of people, who practice very poor tradecraft.

Which suggests: everything this story describes also applies to intelligence and law enforcement services. Imagine you're conducting espionage, or are tracking money laundering or drugs smuggling.


Yeah this is why I keep my old number in Google voice after getting a new one. Not the best option but I can't quite figure out all the ways I could have accounts compromised if some random person with malintent got my old number allocated.


> What happened to Chloe is that one of her sources was using TrueCaller.

Online communication is hard. The burden of security falls on every party.

The real hard problem for an investigative journalist here is "Considering the ubiquitous nature of communication tech, how do I handle my sources so they don't blunder before I even meet them?"


A smartphone, or any device really, only has information that you feed it. Compartmentalize. Different devices for different things combined with pseudo-anonymity. It is very hard to do this and a razor-thin no-mistake margin is always there.


The problem here is that once you give out a number then it's public in some sense. The person you give it to can pass it on, even inadvertently.

The smart thing to do is to have a public number and a private number. It makes no sense to call cabs with the same number you use to contact sources or whatever.

This is easily done with dual sim phones and can be taken much further with Google Voice or other dial-in phone number vendors. It's not very complicated and if your life depended on it you could easily assign a number per person.


Or just divide your calls into confidentiality classes. Whoever added the journalist's number to the app clearly didn't consider it much of an issue; so that probably was neither a very trustworthy nor particularly vulnerable contact.

Also didn't she tell the contact that maybe it'd be better if they didn't tell anyone she's a journalist? Sure, it's a pretty obvious thing, but I feel like in her situation, you'd make sure that they know, just in case, that it's a huge dickmove to make that sort of information public.


> The smart thing to do is to have a public number and a private number.

What's the easiest way to do this?



That's only "easy" for the HN crowd.

Most people use second-line apps like Hushed, or the traditional method of getting a second line from your carrier.


The journalist in question here has access to an "opsec" team, seems like it would be their job to handle things like this and they dropped the ball


Two phones.

(or a double SIM phone, but then you still risk messing up yourself by mixing data / calling from the wrong number / etc)


Try anveo.com, they have numbers globally which start at less than $1 per month but with a setup fee of a couple of dollars and a per-minute fee of around 1 cent per minute. You can also pay more per month charges for no per minute charges.

You'll also need a SIP client. Some Android phones have these built in but you can also use things like Grandstream Wave. I have no idea about iOS, Mac or Win but there should be several options for those.


I have our work VOIP account set up on my Android phone. It's integrated into the dialer and works for incoming and outgoing calls. On outgoing calls I have to select whether I want to use the SIM or the VOIP account.

It's a geographic (local) number to our office and costs £7.99 per month. Seems like it would be easy enough to add one for personal use as well.


Two phones.


This is kind of the same problem as people who have no FB account, keep all of their personal life off FB, then they go to a work or social group gathering and some blithely ignorant/clueless person tags their photo.

One of the biggest sources of spam I have is non-technically-oriented persons who I know either professionally or personally, that have my name and email address in their address book, who click "yes" to everything on their ios and android devices. Some of these particularly less sophisticated individuals have probably had two dozen unique apps from random developers copy the entire contents of their address book.


Yeah, it's super annoying that fb knows everything about me even though I don't use their service. There's nothing I can do about it.


It seems absurd to me to consider data about a person to belong to that person. If I learn that Chloe is a reporter for The Inquirer, what law restricts me from telling somebody else? And if there is one, what else can I not say about her? Can I mention she is a brunette? Can I tell the story about going out for coffee, or am I violating her privacy by leaking the fact that she prefers coffee to tea? To get really ridiculous for a moment (brace yourself) does she have a property right on the region of my brain which holds any of this information about her? Clearly there is a fundamental incongruity with other basic social notions.

As a society we have most definitely moved in the direction that data about a person is somehow under their right to control: the right to privacy, the right to be forgotten, etc. We've subsequently run into numerous difficulties with this notion, such as the inability to warn our friends about bad actors, leading to different rules for "public people" versus "private people," arbitrary dividing lines, different rules for minors, different rules for individuals vs companies vs really really big companies, and a number of other abstruse rules about when or where you might be violating somebody's privacy, which seem to change significantly over the years and from jurisdiction to jurisdiction with no hope of ever settling down (because IMHO there is no rational obvious place for this to settle into).

Even if the laws were clear, universal and watertight, privacy is still fundamentally your problem. Laws will not control everybody else, and depending on everybody else to behave doesn't seem like a sane strategy for anybody. So you'd best keep your secrets to yourself and those you trust.


New technology has opened up new possibilities far beyond what your word of mouth example has. Megacorps are sucking up data on a mass scale and using it for evil such as manipulating elections, tricking you into buying stuff and reporting your every action to the government.

For this reason we need to think beyond the old ways of dealing with data.


Yes, the reality has changed. We have to either adapt our notions of privacy etc. to the new reality or pretend that nothing really changed. The latter seems to work, but one day you go to Africa (or India, or China, or just have to deal with someone who can ignore/circumvent the regulation), and - surprise! - the reality is still there.


Could say the same about anything. Should we ignore the reality that people like to steal things and make it illegal even though some still will?


Privacy laws IMO have multiple purposes, only one of which is protecting the citizen's right to their own data.

Another big one is balance of power. If an entity — be it a state, company, individual or a group of individuals — knows everything about you, they thereby create an asymmetry of power they can leverage for their own interest. In addition to protecting the individual, privacy laws are also meant to reduce or limit that kind of asymmetry to avoid the social consequences that might be linked to it.

Not without a reason it is Germany which has one of the strongest privacy movements in the world, because many of them know first hand, what data in the hand of fascist and communist governments can do to the life of individuals.

When the Nazis marched into the Netherlands, having the religious orientation in a central database made the difference to many lives. And that is what makes data different from somebody's knowledge in their heads: if the Nazis march into your nation you could take the decision whether to tell on your Jewish neighbour or not, while in the case of real data you can't.


Does there have to be a law for something to be distasteful and ethically dubious?


There probably does if it's sufficiently profitable and you want it to stop.


Wow, is it just me or is this a mountain-out-of-a-molehill situation? This is not fundamentally any different than “report spam” for email, or a user posting “is 800-xxx-xxxx a legit number?” online, or sending a contact card to a few million of your closest friends.

I appreciate the situation that the journalist found herself in, but if she wants her number to be a secret, she needs to make sure the people she calls know that, too.

I will file the information in this article as “good to know,” not “omg disaster”.


> is it just me or is this a mountain-out-of-a-molehill situation?

It's just you.

The example of the journalist is a very good example of exactly why this is such an extreme issue, but it really starts with the small things. What if you want to call someone, and not tell them your name? well, f#$£ you then, the app already told them. Don't want everyone knowing where you work? well f$%& you again, maybe somebody added that with your name in the app (just as the example of the journalist).

So now you call, say, your beloved grandma and your number shows up as "Henry the drug dealer". Maybe you don't even deal drugs, but someone a) thought it'd be funny or b) wants to hurt your reputation.

Or even worse, imagine you call a company regarding an application for a job. It's already a big enough problem that someone else posting a picture of you doing something stupid while drunk can ruin your chances of getting a job; now we're talking about attaching random, possibly personal, possibly untrue information to your phone number for everyone to see without even informing you.

This isn't a molehill. It's borderline criminal.


Let's go back to the world where there is no internet. Imagine someone spreads a rumor about you. Or a praise. People might have heard this, before they even met you. It can be illegal, harmful, or beneficial, but it's under the control of the people you interact with.

If you meet someone for the first time, and the person heard from someone that you're dealing drugs, and you tell her you don't, and ask them where they heard that, they might trust you over the rumor, and you'll try to eradicate the rumor.

There are differences, mainly in that the call receiver has greater power to reject the call based on the information they have.

I think the real story is in the interaction and how the app behaves, for the receiver. Were they aware that they were putting Chloe into the database? The article doesn't say. Without this, it's hard to judge whether the same thing couldn't have happened in a world without internet (imagine a small village). It doesn't seem to be entirely black and white.


Sure, the mechanism is the same, but the scale and effectiveness are not.

In your scenario, if someone wants to spread rumors about you in bad faith, they have to spend a lot of time and resources to make sure everybody you might interact with knows about the rumors.

A service like TrueCaller makes this much easier, which I personally think is very problematic. And as others have noted, another issue is that people even might not do this in bad faith. Just as a little prank, without realizing the potential consequences.


You cannot run a global civilization on the norms of a small village.


It doesn't scale.


Truecaller is one of those "it just works" apps. It is completely transparent to the user. You can use it as a dialer to make and receive calls.

A lot of people don't understand that it's silently uploading their contact lists, personal information and call behavior off to the internet.

The customer service agent in the article from truecaller is correct about the usefulness of the app. A friend of mine was able to track down the owner of a fraudulent dishwasher service center in Bangalore because of truecaller. The photo and name of the owner in the app attached to the business mobile number.


> A lot of people don't understand that it's silently uploading their contact lists, personal information and call behavior off to the internet.

At least in the case of the tags, is that true? How do they think it works then when they get a call from a new number and it has the person's name / other information?


uh... I'm pretty sure if I went around telling everyone my friend's telephone number, and what they work as, I'd get in trouble with the police rather quickly.


Each of your examples exhibits a broken model of what a phone number is. You are arguing that people should be able to use a single unique ID (their telephone number) anonymously. This is not how the world works and it is terrible opsec.


It’s quite different. A report spam function wouldn’t include (or shouldn’t include!) the identity of a person. If it does then it’s going over and above a spam filtering service.

Reporting a number as spam should then just result in future recipients seeing a “Probably Spam” or “Spam” etc based on reported levels on Spam vs Non-Spam reports for the number.

But I do agree that the journalist should have practiced better opsec and advised her sources that they probably don’t want her name to show up on their phone if she calls them at an inopportune time such as when around the very people she is investigating.

Also, disabling outbound caller ID would have helped.

Lessons learned all around.
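The "Probably Spam"/"Spam" labelling based on report levels described in the comment above, together with the earlier observations that a robocaller shows up as overwhelmingly "bad" with a single "good" review, that spammers are good at flooding such systems, and that a label should need a few entries before it sticks, can be put together in a small consensus-only reputation store. The following Python is an added example for this thread, not TrueCaller's, YouMail's or any other vendor's code; the thresholds, the per-reporter rate cap and the sample reports are assumptions constructed here:

```python
"""Consensus-only caller reputation: labels a number from spam reports
without ever storing or exposing a name for that number.

Added example; not any vendor's code. MIN_DISTINCT_REPORTERS,
MAX_REPORTS_PER_WINDOW, WINDOW_SECONDS and the label cut-offs are
illustrative assumptions, not values taken from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VERDICTS = ("good", "neutral", "bad")

MIN_DISTINCT_REPORTERS = 3    # say nothing until this many distinct reporters
MAX_REPORTS_PER_WINDOW = 20   # one reporter may file this many reports per window
WINDOW_SECONDS = 3600.0


@dataclass
class Reputation:
    # number -> reporter -> verdict. Keying by reporter means a re-submission
    # replaces that reporter's vote instead of stacking another one.
    votes: Dict[str, Dict[str, str]] = field(
        default_factory=lambda: defaultdict(dict))
    # reporter -> timestamps of accepted reports (for the rate cap)
    history: Dict[str, List[float]] = field(
        default_factory=lambda: defaultdict(list))

    def report(self, reporter: str, number: str, verdict: str, now: float) -> bool:
        """Record a verdict. Returns False when the reporter is over the rate cap."""
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        recent = [t for t in self.history[reporter] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REPORTS_PER_WINDOW:
            self.history[reporter] = recent
            return False
        recent.append(now)
        self.history[reporter] = recent
        self.votes[number][reporter] = verdict
        return True

    def tally(self, number: str) -> Tuple[int, int, int]:
        """(good, neutral, bad) counts over distinct reporters."""
        counts = {v: 0 for v in VERDICTS}
        for verdict in self.votes.get(number, {}).values():
            counts[verdict] += 1
        return counts["good"], counts["neutral"], counts["bad"]

    def label(self, number: str) -> Optional[str]:
        """Spam label shown to a call recipient, or None. Never a name."""
        good, neutral, bad = self.tally(number)
        total = good + neutral + bad
        if total < MIN_DISTINCT_REPORTERS:
            return None
        bad_share = bad / total
        if bad_share >= 0.8:
            return "Spam"
        if bad_share >= 0.5:
            return "Probably Spam"
        return None


def demo() -> Tuple[Optional[str], Optional[str], Tuple[int, int, int]]:
    """Constructed sample: a robocaller with many 'bad' votes plus the lone
    'good' review, and a prankster hammering an innocent number."""
    rep = Reputation()
    now = 0.0
    robocaller = "+15550100"
    for i in range(9):
        rep.report(f"user{i}", robocaller, "bad", now)
    rep.report("shill", robocaller, "good", now)

    grandson = "+15550200"
    for _ in range(50):                     # 20 accepted, 30 rate-limited,
        rep.report("prankster", grandson, "bad", now)   # all one vote
    return rep.label(robocaller), rep.label(grandson), rep.tally(grandson)


if __name__ == "__main__":
    print(demo())   # ('Spam', None, (0, 0, 1))
```

The two controls that matter here are the distinct-reporter floor and the one-vote-per-reporter rule: a single prank or a single disgruntled contact cannot relabel a number on its own, and the label that does get shown carries no identity. The caveat from the thread still stands: anyone who can register a handful of accounts clears the floor, so the floor only raises the cost of flooding in proportion to how expensive a reporter identity is to obtain (for instance, one verified phone number per reporter).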


> But I do agree that the journalist should have practiced better opsec and advised her sources that they probably don't want her name to show up on their phone if she calls them at an inopportune time such as when around the very people she is investigating.

How do you secure against something that you're not even aware exists?

Maybe outsourcing operational security? But how can a journalist afford that?


You quoted my example about the journalist calling the source while the source is around the people she is investigating. That’s a situation the journalist should be well aware of.

I would expect journalists to have some opsec training by their newspaper/publisher given maintaining confidentiality is a given in this line of work. Even if they didn’t have such formal training, I’d expect them to pick up a few things like this with experience.


> I would expect journalists to have some opsec training by their newspaper/publisher given maintaining confidentiality is a given in this line of work.

I agree. But I still think it's a tall order to expect a journalist to know every service and every app, which may violate their privacy and protect against such entities.

And then there are things, which you just can't control, even being aware of them.

As an example: How do you, as a journalist, prevent your pictures from being tagged by others on Facebook?

Edit: Slight clarification


Yes, this does seem like a bit of an edge case and I think it's probably served to highlight that people who need to protect their privacy need to take extra steps to preserve their anonymity... in this case telling sources to obfuscate her identity in their phones.

The reality is that phone databases like this are an invaluable tool in the war on robo & spam callers. I think that there should be an option in these databases to be able to tag numbers as spammers without the need to have their identity preserved. I don't use TrueCaller (I'm a YouMail user) but see numbers flagged all the time as "Real estate scam" or "Probably a Canadian Pharmacy" come up without revealing a name or affiliated company.


Don't forget the recent 'supposed' data dump from Truecaller![1]

Truecaller, even without breach is a privacy nightmare. Even if one doesn't use Truecaller for privacy reasons, if any of their contacts use it; then their phone number + other details are already in Truecaller's database.

Before Android 6.0, contact permissions didn't exist on consumer Android devices, and India basically being an Android country led to Truecaller's data trove.

If one wishes to use Truecaller without uploading their contacts then they can use the web version, which is a progressive web app; it can be saved to the phone & used like a native app. Just don't select 'Enhanced Search', it will upload the contacts from the email used to sign in (better to use a Truecaller-only email id for it).

[1]:https://economictimes.indiatimes.com/tech/internet/real-thre...


TrueCaller is a privacy nightmare. Note that to search for a number on their site, you need to sign in with a Google/Microsoft account... and "Enhanced Search" is enabled by default which auto-uploads all your contacts.

As a non-user you can unlist here: https://www.truecaller.com/unlisting


There's been at least one similar app around in the US for probably seven or eight years. Mr. Number is its name, although I believe it originally had a different one.

Edit: July 2010 release, 10M+ downloads, nearly 200k reviews. From long ago memory seeing names that have been submitted may be a paid subscription option.


Once I unlist my number from the Truecaller website (never installed / used their mobile app),

would it stop new people from adding my number to their database?

I.e., I unlist in May 2019. I give my number to a new contact of mine in Aug 2019, and they use Truecaller. Would that re-add my name to the Truecaller database, or would my number stay unlisted forever no matter how many new contacts save my number in their phones with Truecaller?


Does unlisting mean removing the entry?

Unlisting to me seems like they only stop advertising that they know your profile.


No. It does not remember you delisted, so you will be added again :(


What? That is absolutely insane and I don't see how this could be regarded as anything but malicious behavior.


That's a badly thought out feature; it should be blocked unless you own the number and wish to add it yourself.


I'm sure they consider that a feature, not a bug.


That’s not how it works. Or maybe you encountered a bug. Unlisting is permanent unless you install the app and activate your number to be listed again.


What are the limits to what one is entitled to learn or ask about a caller? I get a call from 555-1234. Is it ok for me to ask a friend, hey, recognize this number? Is it ok for me to ask twitter, hey, I got a call from this number, should I call them back?


It's okay to ask.

If the answer contains personal information, it's not okay to expose it to everybody in the world.


This is great. I logged into the website to check if my number was collected.

It is.

So I click on "suggest a better name" in a naive attempt to erase myself from the grid.

I can't because they "don't collect personal information about private individuals in the EU".


you can unlist your number here - https://www.truecaller.com/unlisting


This didn't work for me the first three times I tried. It said I had to log into the app and deactivate my account (which of course I can't do because I don't have an account). It eventually claims to have worked on the fourth try, but I have no way of checking because it doesn't let you look up numbers without being logged in.


You can login to the website using a throwaway or junk Gmail account, give the website access to your Gmail contacts (which is zero), and then lookup any number.


Thanks! How did you find it on the site?


I found my real name and (former) carrier on Truecaller. Shit.

Had to make a fake Microsoft account via Sneakemail to even search it, though.

I tried to unlist my number but it said "Deactivation required", i.e. bait for me to create a real account?


> We reply to TrueCaller to suggest that:

...

> They send a SMS to any non-user whose number is entered to warn them someone is attempting to enter their number and ask them for consent. This would also be an opportunity to inform them about the unlisting option

For this to be effective in cases like the one in the story, the SMS would have to be sent almost as soon as the attempt is made to add the number.

In many cases, that would allow the person whose number is being added to infer who tried to add it. If the caller is involved in some criminal activity, that could be dangerous for the person who tried to tag them in some parts of the world.


It also defeats the whole point of the app, which allows people to filter out spammers. Of course spammers are going to not want their number listed.


The story is really about a conflict of interests, the misuse of the phone system and legitimate users finding themselves endangered. I.e., if spammers and robo-calls are stressing the system and users to a point, where subscribers can't help but to resign to defensive measures, other interests, like the anonymity of sources, by this the accessibility of crucial information to society, and, eventually, democracy are at risk – and highly so.

Moral of the story: spam callers and countermeasures are a risk to democracy. And we'll have to decide, eventually.


They are one of the most dangerous companies today, the EU parliament should take a look into them.


I have mixed feelings about this. Spam calls are very much a real problem in the US as well - I get around ten per day and it's a constant annoyance.


You don’t need to know the “contact name” of a spam caller, algorithms when reporting spam should work just on the number and so when it calls you, it should just show a Probably Spam flag, nothing about the identity unless of course the caller has given their consent to provide that info.
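The two comments above (the YouMail-style "Real estate scam" tags that reveal no name, and the suggestion that spam reporting should work on the number alone) describe a data-minimising reputation store. The following is an added example, not code from Truecaller, YouMail or any product in the thread: a constructed toy model in which reports are kept against a keyed hash of the E.164 number, reporter identities are hashed so votes can be de-duplicated without storing who reported, labels are restricted to a fixed category vocabulary so no free-text name can leak in, and a lookup can only answer "probably spam" or "unknown". The threshold, 30-day window and sample numbers are assumptions.

```python
import hashlib
import hmac
import re
import time
from collections import Counter, defaultdict

E164 = re.compile(r"^\+[1-9]\d{6,14}$")
# Fixed vocabulary: a reporter cannot attach a name or employer to a number.
CATEGORIES = {"robocall", "scam", "telemarketing"}


class SpamReputation:
    """Number-only reputation store (constructed example, not a real service)."""

    def __init__(self, secret: bytes, threshold: int = 3, window_s: int = 30 * 86400):
        self._secret = secret            # server-side key for the keyed hashes
        self.threshold = threshold       # distinct reporters needed to flag (assumption)
        self.window_s = window_s         # reports older than this are ignored (assumption)
        # number digest -> {reporter digest -> (category, timestamp)}
        self._reports = defaultdict(dict)

    def _digest(self, value: str) -> str:
        # HMAC rather than a bare hash: the number space is small enough to
        # enumerate, so an unkeyed hash would not hide the numbers at all.
        return hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()

    def _number_key(self, number: str) -> str:
        if not E164.match(number):
            raise ValueError("expected an E.164 number such as +14155550100")
        return self._digest(number)

    def report(self, number: str, reporter_id: str, category: str, now=None) -> None:
        if category not in CATEGORIES:
            raise ValueError("category must be one of %s" % sorted(CATEGORIES))
        now = time.time() if now is None else now
        # One vote per reporter per number; a single user cannot inflate the count.
        self._reports[self._number_key(number)][self._digest(reporter_id)] = (category, now)

    def lookup(self, number: str, now=None) -> dict:
        """Return a verdict with no identity attached, only a category and a count."""
        now = time.time() if now is None else now
        votes = self._reports.get(self._number_key(number), {})
        fresh = [cat for cat, ts in votes.values() if now - ts <= self.window_s]
        if len(fresh) >= self.threshold:
            category, _ = Counter(fresh).most_common(1)[0]
            return {"verdict": "probably spam", "category": category, "reports": len(fresh)}
        return {"verdict": "unknown", "category": None, "reports": len(fresh)}


if __name__ == "__main__":
    rep = SpamReputation(b"constructed-server-secret")
    # Constructed sample reports from three different users.
    for reporter in ("user-a", "user-b", "user-c"):
        rep.report("+14155550100", reporter, "robocall")
    print(rep.lookup("+14155550100"))   # probably spam, robocall, 3 reports
    print(rep.lookup("+14155550177"))   # unknown, 0 reports
```

The expiry window matters because, as another comment in this thread points out, caller ID is routinely spoofed: a flag that never ages out would punish the real owner of a borrowed number indefinitely.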


This seems to be how it works in the most recent version of Android and it serves me very well.

If it's suspected spam it will tell me (I can also report spam calls). If it's a business listed with Google Places it will show the business name.


I get zero spam calls and on most days no calls. Should we give up on privacy because the US has bad legislation regarding spam calling?


The spam calls are all using fake caller ID. So tagging them as spam only hurts the real owner of that number.


"Betrayed" sounds exaggerated - after all, the only thing that was revealed is the fact about where she works at, and if somebody "betrayed" her it was her source who entered her identity into a public database, not the database.

I personally rely on TrueCaller daily, and do not pick up any call that doesn't have identification I recognize. Otherwise I'd have to listen to bots telling me my Social Security number has been arrested, screaming at me in Chinese and people trying to get me to give them money for a myriad of reasons that I really don't have time to listen to. I get several such calls daily. Before, I was seriously thinking about just never picking up the phone at all. Now that I found TrueCaller, at least I can get calls from normal people or businesses that aren't shady and want to talk to me.


If this is a solution to robocalls and spam, that's just plain f*ing stupid. The worst case scenario of getting a spam call is you get annoyed and hang up. Compare that to handing over your contacts, call logs, text messages to a third party app just so that you can avoid picking up a call. Jesus Christ.

If you hate spam calls that much, it's very easy to not pick up a call from an unknown caller. I can come up with a dozen ideas just off hand that could potentially solve this spam issue far more elegantly. It's baffling that even this is up for debate and that there are people who would defend an app like this. This is not a philosophical or technical problem, this is not like spam emails, this is simply not a difficult problem to solve.


Robocalls need a binding regulatory or legal prevention. But, could technology fix spoofing numbers?

Would some variation of private/public key or authentication work? For example, if each number and the device/SIM or IP it is registered to have a unique key that must authenticate or handshake with the service provider to connect, then a spoof call with that number but lacking the key would fail, potentially be logged and reported to the FCC/authorities.

If no handshake can happen, call fails. If the number and hardware dialing out authenticates via key with the service provider or central store, call goes through.
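The proposal above (each number bound to a key held by the SIM, a handshake with the provider before the call connects, and a logged failure when the number is presented without the key) can be sketched as a challenge-response exchange. This is an added example and not part of the original comment, nor a real carrier or STIR/SHAKEN implementation: a constructed toy model using a per-line secret provisioned on the SIM and an HMAC proof over a fresh provider challenge, the caller number and the callee number. The `Sim`/`Provider` names, the 30-second challenge lifetime and the sample numbers are assumptions.

```python
import hashlib
import hmac
import secrets
import time


def _proof_message(challenge: bytes, caller: str, callee: str) -> bytes:
    # Binding both numbers into the proof stops a valid proof for one call
    # being reused to originate a different one.
    return challenge + caller.encode() + b"|" + callee.encode()


class Sim:
    """Device-side credential: the per-line secret never leaves the SIM (toy model)."""

    def __init__(self, number: str, secret: bytes):
        self.number = number
        self._secret = secret

    def sign(self, challenge: bytes, callee: str) -> bytes:
        return hmac.new(self._secret, _proof_message(challenge, self.number, callee),
                        hashlib.sha256).digest()


class Provider:
    """Service-provider side: key store, challenge issuance and origination check."""

    CHALLENGE_TTL_S = 30  # assumption

    def __init__(self):
        self._keys = {}       # number -> secret, set when the SIM is provisioned
        self._pending = {}    # challenge -> (caller, callee, issued_at)
        self.rejected = []    # audit log of failed origination attempts

    def provision(self, number: str) -> Sim:
        secret = secrets.token_bytes(32)
        self._keys[number] = secret
        return Sim(number, secret)

    def challenge(self, caller: str, callee: str) -> bytes:
        c = secrets.token_bytes(16)
        self._pending[c] = (caller, callee, time.time())
        return c

    def originate(self, caller: str, callee: str, challenge: bytes, proof: bytes) -> bool:
        """Connect the call only if the presenting device proves it holds the line's key."""
        entry = self._pending.pop(challenge, None)   # single use: replay fails here
        if (entry is None or entry[:2] != (caller, callee)
                or time.time() - entry[2] > self.CHALLENGE_TTL_S):
            self.rejected.append((caller, callee, "stale or unknown challenge"))
            return False
        secret = self._keys.get(caller)
        if secret is None:
            self.rejected.append((caller, callee, "number not provisioned"))
            return False
        expected = hmac.new(secret, _proof_message(challenge, caller, callee),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            self.rejected.append((caller, callee, "bad proof"))
            return False
        return True


def place_call(provider: Provider, sim: Sim, callee: str) -> bool:
    """Legitimate flow: the SIM answers the provider's challenge."""
    c = provider.challenge(sim.number, callee)
    return provider.originate(sim.number, callee, c, sim.sign(c, callee))


def presented_without_key(provider: Provider, number: str, callee: str) -> bool:
    """A number presented without its SIM secret: the proof cannot be computed,
    so the handshake fails and the attempt lands in the provider's log."""
    c = provider.challenge(number, callee)
    return provider.originate(number, callee, c, b"\x00" * 32)


if __name__ == "__main__":
    carrier = Provider()
    alice = carrier.provision("+14155550100")       # constructed sample line
    print(place_call(carrier, alice, "+14155550199"))                   # True
    print(presented_without_key(carrier, "+14155550100", "+14155550199"))  # False
    print(carrier.rejected)                                              # logged for follow-up
```

The log kept in `Provider.rejected` is the piece the comment asks for: a failed handshake is evidence that someone presented a number they do not hold the credential for, which is exactly what a regulator or the number's real owner would want to see.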


Regarding India, they now have privacy as a right. Shouldn't they enforce it?


Privacy was declared by the Indian Supreme Court as a fundamental right found within some articles of the constitution. However, till date, there is no data privacy law proposed and passed in the parliament. The draft proposal that was prepared more than a year ago was criticized by many. There will likely be a half baked data privacy law that will be passed in the coming months (since the elections are done and the new government has taken office).

Taking action on such violations today can only be done within the scope of existing laws on fraud, security, etc. That won’t work very well for these cases. The Indian Supreme Court also doesn’t understand technology and doesn’t rely on experts. It seems to go by whoever talks the loudest (based on the hearings in the case against the biometric based unique ID, called Aadhaar).


For me, the benefits of Truecaller outweigh the negatives. It was a step towards my phone being usable again for the purpose of making and receiving calls (at times I seem to get flurries of spam calls, so it is great being able to simply ignore them).

For the last 18 months my phone has been on silent, no vibration, so I am completely oblivious to whether someone is contacting me. When I check my phone I catch up with any missed activity. It is hard to explain just how much better it is to operate this way.


Spam it by labeling phone numbers with shit data and make it useless.


This isn’t a new app - the database is several years old, and is used by many millions. Not sure how you’d get enough numbers and junk entries in there to accomplish what you’re suggesting.


Enough people with enough bots could probably do it. Is it realistic? no. But possible? certainly yes.


Journalists could have two SIMs, one with which they call people when they need to say who they are and one for when they don't need to say who they are.


But that SIM would only last until the person they call tags them using the service.

That being said, I'm not sure why this changes anything for reporters. People can already put a phone number online or share it with the government. The same precautions they would need to take without this service would still be valid.


I just feel spied upon and completely vulnerable everywhere now by this false pervert voyeur god. Can't even get away from it in national forests.


Viber, a popular app where I live, does exactly the same thing TrueCaller does. It drives me crazy.

The only solution I can think of is that everyone start using one-time numbers.

You still have a main number and a number "domain service". When you call someone you get a new number, the call receiver can get your name out of the "domain service" only if you have that number in your address book.


This is the same threat model Facebook poses. Don't want Facebook to know your phone number? You just won't tell them, right? Well, Facebook scanned someone else's phone number list and got your number that way for their shadow profile. Too bad, your full name, phone numbers, and addresses were harvested by Facebook due to someone or someones else.


I am in one of the regions where Truecaller is growing rapidly.

And I've found out that the best defence is a good offence: registering my number myself but with totally false information seems to supersede what others register about me. And that's what I did. Not with Truecaller, but with another app (CallApp) that seems less greedy with permissions.


Okay. So the weak link again is the endpoint. The human. There is really nothing to see here. My God. This will never stop.


I regularly get calls on my iphone now that say (maybe: Jane Doe) under the name, and they are usually correct. Often they are recruiters, or lawyers, or people that I imagine have their phone number publicized on the web. But I'm not sure I've read where apple is getting this info (or perhaps it is a carrier thing?)


Settings -> Phone -> Call blocking and Identification -> "Allow these apps to block calls and provide caller id"

You can add phone book apps there. Seems to be an iOS 12 feature, it wasn't there before.

Otherwise it will just use your contacts.


Is this a regional feature? I don't see it on my phone with iOS 12.3. I am located in Europe.


I'm in Switzerland, so Europe as well. iOS 12.2. Maybe you need a phone book app installed for it to show up.


It gets the information from other (Apple-only?) apps. From Apple Support[1]:

> iPhone automatically suggests new contacts from messages you receive in Mail and invitations in Calendar, and from other apps. To turn this feature off, go to Settings > Contacts > Siri & Search, then turn off Find Contacts in Other Apps.

[1] https://support.apple.com/guide/iphone/add-and-use-contact-i...


My Pixel does this, too. I assumed it was cross referencing businesses' phone numbers, the ones you can find if you search the company name on Google.


Same thing happens to me. It's from emails you received that have phone numbers in the content.


I've never had an account with them so I tried to search my number to see what data they had on me. Says I need to sign in.

For that reason I've unlisted: https://www.truecaller.com/unlisting


Rather than disabling the Caller ID, what if the journalist spoofed her Caller ID each time she called. In that way, it prevents 'Private Number' showing up on the receiving end which is the thing preventing those on the receiving end picking up her calls.


[suggest that] They send a SMS to any non-user whose number is entered to warn them someone is attempting to enter their number and ask them for consent. This would also be an opportunity to inform them about the unlisting option.

Yea, good luck with that.


> The website encountered an unexpected error. Please try again later.

Does anybody have a copy?



Hmmm... I think Chloe, and anyone in her situation, could use a prefix when they call to not show the number at recipients phone. I think it is #31#

Will improve the situation somewhat


And how would anybody call Chloe, if she cannot tell her number to anyone?


The point is that this puts her more in control and she can choose who she gives the number to.


Well, this is e.g. a scenario where GDPR would protect you. A company would not be allowed to store your phone number without your consent.


The title is wrong. There was no contract or agreement between the app and the journalist so there could be no betrayal.


I don't think you need a contract to fit the usage of "betrayal" here.


Well, before betrayal can take place there must be an implicit or explicit obligation or loyalty.


What about the obligation to not put people at risk of death through ignorance? If the app itself is used as a suppression tool that was not previously available and one can accidentally expose someone to literal death, then yes, the app has an obligation to not do that as human beings. Pretty sure not exposing people to harm is an implicit agreement with their users. Maybe I'm wrong and Indians (where the software is made) don't think like most of the rest of human society, but I'm pretty sure they do and don't want people they converse with being put on government watch lists for simply being entered into a database without their consent or knowledge.


That isn't the only definition.


There is no user agreement, let alone a contract, between Facebook and me.

I use none of their services and properties.

So are you arguing that it's right that they spy on me regardless? Like they do on any other human being who is not in a business relationship, whatsoever, with this company?


When no contract exists, no permission has been given.

The journalist has not agreed with the company, but the company is still revealing information that they connected to her through a third party.

Yet, the contract only exists between the company and third-party, and not the journalist.

There is a failure here. The company has assumed that the third-party has a right, when they likely do not.


That's the problem with security through regulation. Just leave your happy regulated place and go elsewhere - and you are helpless. Without it you would probably spend more time planning your security life, especially if you are a journalist.


If she's truly after "opsec" then why would she keep using a phone number she's handing out to randos?

Pretty laughable - buy a new SIM every week, it's not even hard to do in India/South Africa. You can buy a new SIM almost instantly from the corner store equivalent. You might get called by the local police if you buy more than 5 a month though - happened to me when I was testing out different carriers' data/SIM services and bought 6 SIM cards at once in India. They just took down my details and never bothered me again.


That's not a privacy violation. Her data wasn't collected, a series of numbers was tagged. The person tagging the number could be entering the tag as anything they want.


According to your logic, if I create a website that maps Hacker News usernames to metadata, and because I know you in real life, I enter your information (name, occupation) on your behalf, and now the connection between your username and that other information is public, your privacy has not been violated, because this is not information about you, it is simply a series of letters connected to another series of letters.

I think what you mean to say is that it is not the app that committed the betrayal, it was the source who was enabled by an app that otherwise had a non-nefarious purpose. Which, fair point, but I don't think the article would disagree.


Revealing someone's name and occupation to random strangers isn't a privacy violation?

