Unlisted private mobile phone numbers of Cabinet ministers such as Kapil Sibal and P Chidambaram, top industrialists such as Mukesh Ambani and Sunil Mittal, and celebrities such as Shah Rukh Khan and Sachin Tendulkar are among millions of Indian numbers listed on the database of a Scandinavian app maker, thanks to unsuspecting smartphone users who let the app harvest their phone's contact list.
TrueCaller, a popular app built by a Swedish company, lets users look up the owner of a phone number. So if you get a missed call from a number you do not recognise, you can search on the TrueCaller app or its website to see the owner of that number. However, every time a user downloads the app and enables a function called 'Enhanced Search', it asks your permission to "securely send your phone book contacts to our servers".
App's Database - a Giant Phone Book
When the user grants permission to "securely send phone book contacts to our servers", the app harvests the phone's contact list. What the app does not tell you, unless you read the detailed terms of service, is that these numbers then become part of a publicly searchable database. So every time a user downloads the app, his entire phone book becomes part of a public database without the consent of the people who own those numbers.
The app's database, essentially, is a giant, collective, phone book. The mobile numbers of nearly every Indian Cabinet minister, heads of intelligence agencies such as the Intelligence Bureau and Department of Revenue Intelligence, and CEOs of India's largest companies are all on the database.
According to Alan Mamedi, COO and co-founder of app-maker True Software Scandinavia AB, the app has 1.6 million Indian users. India is the app's single largest market, accounting for nearly half of its user base. Assuming an average of 100 contacts per phone book and allowing for duplicates, the company now owns a database of 50-80 million Indian phone numbers.
Because many people save contacts with names and work identities - 'Ramesh Pepsi', for instance, for someone who works at the cola company - the database has not just the corresponding name for a number, but quite often, work or business-related information as well.
A breach in the database of this small Swedish firm would compromise a vast amount of private information. Telecom analyst Mahesh Uppal said the company's practice of harvesting phone books was dubious. "Mobile phone numbers are not meant to be publicly accessible. It can reach you at a place and time inconvenient to you, so it risks invading your privacy. And when it is not voluntary, like in this case, it is clearly a problem."
Mamedi says the company makes all efforts to keep the database secure. "Our engineers are experienced in this field and we have our own architecture." However, far bigger companies with larger budgets and expertise routinely fall prey to hacking attacks. Recently, business-networking site LinkedIn, which has 150 million members, fell victim to an attack when some 6 million passwords were stolen and posted online. Mamedi says the company does not allow users to search for a name and get that person's number.
But on its website, Truecaller.com, when a user types in a few digits of a phone number, the site provides a prompt - similar to an autocomplete form for email ids - with other numbers that start with those digits. These numbers, and corresponding info, can be legitimately harvested and used by telemarketers.