True (caller) or False (caller)? We ask NPCI to answer this question.

Truecaller users faced automatic registration of their UPI based IDs without their knowledge and consent. We write to the NPCI suggesting a few measures to consider in addressing these issues.

02 August, 2019

Highlights

  • In brief: On July 30th, 2019, Truecaller users faced automatic registration of their unified payments interface (UPI) based IDs without their knowledge and consent. Truecaller representatives have attributed the issue to a "software bug".
  • We write to the NPCI: The magnitude of such a security breach has brought to the forefront the continued lack of data protection and security measures available to online users. We write to the NPCI suggesting a few measures to consider in addressing these issues.

We would like to thank Srikanth Lakshmanan (@logic), Anand Venkatanarayanan (@iam_anandv), Srinivas Kodali (@digitaldutta) and Abhay Rana (@captn3m0) for their technical inputs and analysis, without which IFF would not have been able to address the issue.

The Breach

On 30.07.2019, media reports and various user complaints brought to light an issue that caused the automatic registration of unified payments interface (UPI) based IDs of Truecaller users without their knowledge and consent. Users reported that an indecipherable SMS was sent out, and that a response was later received through their banks alerting them to a UPI-based registration. Both the official Twitter handle for Truecaller and representatives of Truecaller have indicated the issue to be the result of a “software bug”.

Time to be accountable

Truecaller has become a widely used service that not only identifies incoming calls from unknown numbers but also offers payment services through the use of UPI. This payment method is governed by the National Payments Corporation of India (NPCI), set up with the support of the RBI. In light of this, we write to the NPCI on the systemic deficiencies that need recognition and suggest steps in addressing security and data protection issues:

Immediate steps:

  1. Technical assessment: The NPCI should investigate this security breach and provide information not only on the bug but also on its impact on each user. Further steps include an audit of other payment platforms that utilise UPI.

Intermediary steps:

  1. Complaint and redressal mechanism: NPCI should put in place a complaint mechanism available to users, with a structurally designated office and channels for redressal focused on data/privacy/technology issues. In line with this, there is need for structure;
  2. Establish a working group for oversight: If not already in existence, an independent working group should be created to review security and data management practices through UPI, conduct investigations, provide best practices for UPI and periodically review the platform and ecosystem partners.
  3. Architecture documentation: Public-facing technologies need documentation of all aspects of the technology to create trust and establish norms on correct use. The working group should strive to put all architecture documentation in the public domain to help researchers determine if any such vulnerability exists.

While concerns about such breaches of user consent, security and data continue to loom, all hope is certainly not lost! With the support of such enthusiastic rights-oriented individuals, civil society organisations and even cooperative companies, user rights and protections will triumph.

IFF, as always, will continue to ensure your digital rights bloom in this gloom. We are committed in our fidelity to advancing fundamental rights for all technology users in India.

Links to important documents

  • Representation to the National Payments Corporation of India dated 1.08.2019  (link)
