On 30.07.2019, media reports and various user complaints brought to light an issue that caused the automatic registration of unified payments interface (UPI) based IDs of Truecaller users without their knowledge and consent. We wrote to NPCI indicating concern and suggesting immediate and intermediate action (read more).
NPCI wrote back to us in less than 48 hours agreeing with the contents of our representation. It also indicated two specific steps. First it had stopped on boarding new Truecaller users on the UPI Platform. Second the matter is under investigation and we will be informed after diligence is completed in all matters. We will keep urging for public disclosure that will have multiple benefits. It will help inform impacted users, improve processes in technology companies and further greater trust in the UPI ecosystem.
But also, let us step back for a moment. This is not only about Truecaller. It is about user consent more widely. The privacy, safety and security of users of the UPI interface. While for a complete remedy we need a data protection law (which India does not have yet) that is user centric (like the Indian Privacy Code); we appreciate and commend the actions being taken by NPCI within its mandate and urge it do more.
Limited to the UPI ecosystem, in our representation we made three specific suggestions on the basis of inputs and tweets from Srikanth Lakshmanan (@logic), Anand Venkatanarayanan (@iam_anandv), Srinivas Kodali (@digitaldutta) and Abhay Rana (@captn3m0). We continue to urge the NPCI to walk towards them and are hopeful that our wide community of supporters encourage them to do so as well.
Links to important documents
- Response by NPCI dated August 6, 2019 (link).
- True (caller) or False (caller)? We ask NPCI to answer this question (link).
- Representation to the NPCI dated 1.08.2019 (link)