Update - Steve Kondik of Cyngn made a reply on Google+ following this article. Unfortunately, he fails to address in any way the fact that the service he has chosen to integrate uploads other people's data, instead choosing to focus on the consent request process. Their user opt-in process is immaterial, since the people whose data is uploaded never see that consent message - the app uploads other people's data without their consent.


Truecaller, a company many may not have heard of, has just announced a deal to partner with Cyngn, the commercial arm of CyanogenMod. At first glance, a nice tie-up to integrate Truecaller features into the Cyngn OS dialer.

Unfortunately, however, Truecaller is a somewhat interesting company, with somewhat interesting ways of doing business. Their business model is certainly questionable at best (and potentially a lot worse) - when you use Truecaller's "enhanced search" feature (which is pretty much the raison d'être of the product), you're agreeing that Truecaller is allowed to collect and share contact information from your phone with other users of the service.

"Well that's just plain wrong", I hear you astute readers saying. "Surely they can't just share people's contact information with others?" Well... you'd conventionally be right - legally speaking, within Europe at least, this would be illegal. The Data Protection Directive is a rather lengthy piece of legislation, which covers such matters, and we'll return to take a look at it later, for the benefit of our European users.

The "get-out" which Truecaller use is hidden away within their Terms of Service, where they magically try to worm their way out of this:

By allowing Contact Information to be collected, You give Truecaller a right to use that Contact Information as a part of the Service and you guarantee that you have any and all permissions required to share such Contact Information with us. You may opt-out to prevent the sharing of Contact Information at any time.

Yeah, that's right... You heard that correctly. You, the end user, have to agree that all your contacts have given you consent to upload their data to Truecaller. They claim to have 1.6 billion people's phone numbers searchable, allowing you to search for their number. Here's a question - how many people that submitted their contacts' details to this service obtained permission to do this? Sure, you can opt out of sending them data, but that's not much use, since it's impossible to really opt out of someone else sharing your data. Indeed, while Truecaller offer an opportunity to have yourself de-listed, this requires you to know they are holding your data in the first place.

To return to the EU Data Protection Directive, here are a few statements from it that are relevant here:

"(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"

Since your name is information relating to you, as an identifiable person, any data relating to you is "personal data".

"'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."

This defines the meaning of consent within the context of the law, requiring that people give an informed indication that their data can be processed (processing covers any form of manual or automatic operation on the data, including mere storage).

The most important part of the legislation, though, is Article 7, which covers the circumstances under which personal data may be processed. Let's take a look at these.

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

You, not the person uploading your details, are the data subject. You have therefore not given your consent.

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

Since you aren't aware when someone decides to send your data to Truecaller, you're clearly not entering into a contract. You would have to be aware of it, and elect to become a party to such a contract.

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

There is no legal obligation on Truecaller to provide this service, or to gather data.

(d) processing is necessary in order to protect the vital interests of the data subject; or

Your vital interests are not being protected by Truecaller allowing anyone to find out your name from your phone number. Indeed, your vital interest in privacy (a human right) is more likely being infringed by this.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

This doesn't approach being in the public interest, nor is there official authority to carry out the processing.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

Article 1 requires that "the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data" are protected. This clause isn't going to help them out.

As such, I suggest Truecaller has no legal permission to process any personal data from non-users of its service. Data it collects from others is not their data - it is clearly and manifestly the personal data of other data subjects. These people have (in my view) a valid legal claim against Truecaller. Since Truecaller is based in Sweden, which is a member-state of the European Union, the Data Protection Directive applies to them.

To see this kind of feature integrated into something which originated as a custom firmware, meant to offer choice and freedom for its users, is bordering on unfathomable. With Cyngn trying to be the "anti-Google", perhaps they ought to take a closer look before integrating the latest #bigthing into their product?

Perhaps it's time for the European victims of Truecaller to get together and bring about a test case on the matter? It looks fairly clear-cut to me: Truecaller has no consent from those whose data they process. If action against Truecaller were successful, companies like Facebook could be next, given their habit of "liberating" your contact data to their servers (without the consent of those involved) to build shadow profiles of non-Facebook users. Given we already know Facebook has been gathering, collating, and bringing together as much contact data as it can about non-users of its service (who have not consented to Facebook processing their data), perhaps their Irish operation should print off a copy of the Data Protection Directive and take a read?