Those robocall blocker apps are hanging up on your privacy

Women use mobile application software on smartphone phone

You might have stopped the robocalls, but now comes the privacy concerns.

Getty Images

Do you hate robocalls enough to let an app give your data to third parties in exchange for blocking the spam? Researchers found that’s exactly what’s happening to millions of people using the most popular robocall-blocking apps. 

Robocalls have become an epidemic, as lawmakers and phone carriers seek to stomp out the massive number of spam calls sent per day. A study found that there were 26.3 billion robocalls made in the US in 2018, and it’s the No. 1 source of complaints to the Federal Communications Commission and Federal Trade Commission. 

But when you’re downloading robocaller-blocking apps, you could be trading one evil for another, found Dan Hastings, a security researcher at NCC Group. He looked at the privacy policy on the top robocaller-blocking apps in the iOS App Store and compared it with network traffic data actually being sent from the apps. 

Hastings found that a majority of them were collecting personal data on people’s devices without their explicit consent and sharing it with analytics firms.

“If most people took the time to read and try to understand privacy policies for all the apps they use (and are able to understand them!), they might be surprised to see how much these apps collect,” the researcher said in a statement.

Hastings is presenting his findings at Defcon’s Crypto & Privacy Village on Sunday. 

While robocalls are the top consumer complaint to the FTC and the FCC, privacy is also a major concern for the agencies. The FTC levied a record $5 billion fine on Facebook for the social network’s privacy violations, and people are becoming more aware of all the ways tech giants siphon personal data

Free apps that provide one solution can turn out to be creating another problem for people’s privacy, like when an innocuous-seeming weather app turns out to be selling your location data. Robocall blocking apps are no different, Hastings found. 

These apps are sharing people’s phone numbers with data analytics firms, looking at your text messages and phone calls, and can learn what apps you have on your device, the researcher said. 

The top robocaller-blocking app, TrapCall, is sending people’s phone numbers to three data analytics companies, Hastings found. This was happening even though it wasn’t explicitly stated in the privacy policy when Hastings did his research. The company has now changed its privacy policy to tell users that they are sharing their data with third parties.

TrapCall said that its users agree to the privacy policy when they install the app, and that the data was not being abused by the analytics companies. 

“TrapCall only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose,” the company said in a statement.

Hiya, another top robocalling app, also sends people’s phone numbers to three data analytics firms — and that happens before users even agree to the privacy policy, Hastings found. 

“Hiya’s mobile apps in Google Play and the App Store are provided to users on a purely opt-in basis and the company does not share PII with any third parties prior to users agreeing to the Hiya privacy policy,” the company said in a statement.

In its permissions on Android, Hiya requests for access to photos, location data and web activity logs — features that have nothing to do with blocking phone calls. The company said that it requests location data so that people can find nearby businesses more easily. 

He also found that Truecaller had been sending data about people’s devices to social media platforms before users agreed to the privacy policy.  The company said it’s revising its privacy policy. 

“Note that our Privacy Policy is common across all mobile platforms and that’s why the confusion exists. We’re looking at updating the privacy policy to make it clearer what we’re doing on each platform,” the company said in a statement. 

These three apps are among the top robocalling apps available. Together, they have more than 110 million installs on the Google Play Store alone. 

“I can only hope that more transparency about exactly what data is being sent and where will be made more digestible and transparent for end users,” Hastings said. “Until that day comes, users will continue to have to read through privacy policies and hope researchers provide more insight into what various types of apps collect about them.”

Originally published Aug. 9, 7 a.m. PT. 
Update, 9:23 a.m. PT: Added response from Truecaller.