By Hanno Labuschagne for MyBroadband

Popular call screening app Truecaller could be in violation of South Africa’s incoming Protection of Personal Information Act (POPIA), according to two law firms who recently spoke to MyBroadband.

Many South Africans may be familiar with the app, particularly given its usefulness in identifying unknown phone numbers and blocking unsolicited calls from telemarketers or scammers.

The app has more than 150-million daily users across the globe – 1.7-million of which are based in South Africa.

Truecaller is often able to show the owner of a number that is not yet saved in a user's own contacts. It does this by consulting its universal database, which is built up through crowd-sourcing of data from its users.

Contrary to popular belief, Truecaller does not actually automatically upload your address book or contact list to its servers when you download and install the app from the Apple App Store or Google Play Store.

This is because both companies have strict data protection policies which prohibit the app from doing so.

However, this is not the case if the app is downloaded directly from the truecaller.com website. In this instance, Truecaller will prompt the user with an option to upload their full address book as part of its crowd-sourcing features.

This information is then uploaded to the company’s database, which is stored in a foreign server.

In addition, Truecaller allows users to manually submit the details of a number which was not yet available on its database.

According to law firms Werksmans Attorneys and Norton Rose Fulbright, there are several issues with these features under POPIA.

No lawful basis for data processing

Director at Werksmans Attorneys Ahmore Burger-Smidt said Truecaller failed to comply with POPIA in a number of areas.

“Without a doubt, concerns can be raised from a POPIA perspective in relation to the manner and the purposes for which personal data is collected and processed via the Truecaller app,” Burger-Smidt said.

She said that there were grave concerns in terms of POPIA regulations when the app is considered from the perspective of a person or business who has not registered for the service.

The primary issue was that the app allowed full disclosure of a contact list, which could amount to confidential information being disclosed.

“From a data protection perspective, a responsible party, in this instance Truecaller, can only process the personal information of a data subject if he has a lawful basis to do so,” Burger-Smidt said.

“POPIA provides for lawful bases, which include: consent, compliance with a legal obligation, if there is a legitimate interest, and the performance of a contract.”

“One can argue that there might indeed be a legitimate basis for processing the personal information of the individual that subscribes to the Truecaller service,” she stated.

“However, on what basis are they processing all the contact information that the subscriber holds?” Burger-Smidt asked.

“It is very difficult to motivate for this to be done on the basis of a legitimate interest.”

“It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights as data subjects in terms of POPIA and that their privacy is being infringed,” Burger-Smidt stated.

Shifting the blame to the user

Director in Competition Practice at Norton Rose Fulbright Rosalind Lake echoed these views.

She said POPIA requires a responsible party – in this case Truecaller – to notify a data subject of how it will process – use, store, transmit, and access – its personal information, even when it is not collected directly from the data subject.

“These notification requirements are usually fulfilled through a privacy policy,” Lake stated.

“However, it appears that Truecaller’s privacy policy places this obligation on the user,” Lake said.

According to its privacy policy, Truecaller says users must first confirm with any other party whose details they intend to share with Truecaller before sharing them.

Lake said this approach was problematic under POPIA.

“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.

“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book. Truecaller is the one who requests access and use of the information and they are therefore responsible under POPI.”

“The user of the app may be considered an ‘operator’ for Truecaller, but then POPI says there must be an agreement in place to impose certain obligations on the operator, but the liability still sits with the responsible party.”

Lake warned that users should still think carefully before consenting to provide access to their address book and carefully peruse the privacy settings on the app.

“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database – such as a journalist working undercover – or indeed, businesses may suffer losses in some way from being identified without their knowledge,” Lake cautioned.

What Truecaller can do

Burger-Smidt said that Truecaller ought to consider how it collects personal information from non-subscribers.

According to Lake, the inclusion of its privacy policy on its website does not give sufficient notice to the data subjects, as they are explicitly directed to it during the process.

She said that POPIA requires a responsible party to take reasonably practicable measures to notify the data subject of the collection and processing of their personal information.

“It would be our recommendation, therefore, even though consent may not be required if Truecaller relies on its legitimate interests to process the information, that under POPI Truecaller notify by SMS or email each person who is added to their database, direct them to their privacy policy and highlight their ability to delist from the database.”

However, this could introduce another problem under POPIA, Lake added.

“A tricky issue is that the responsible party is required to disclose where it is collecting the personal information from if it is not collecting it directly from the data subject,” Lake said.

“It is not clear yet whether stating that it is collected from users of the app will be sufficient or whether the particular individual from whom the information is collected has to be disclosed.”

“It seems unlikely to be the latter as this may also be unnecessary processing of the user’s personal information.”

Truecaller not anticipating any issues

Truecaller told MyBroadband that the POPIA offered a good opportunity for companies to review their practices and think more deeply about the importance of privacy of their users.

“We are continuing to look at changes we can make to align with the evolution of privacy laws in different jurisdictions, including South Africa,” the company said.

However, it said it did not anticipate any disruption to the services or features its app offers due to the implementation of POPIA.

Both Burger-Smidt and Lake submitted that Truecaller is beneficial in its ability to identify and screen unsolicited calls.

Lake added that POPI in and of itself would also help restrict direct marketing, which will hopefully reduce the volume of spam calls in South Africa.

By Riccardo Spagni for Fin24

Privacy is widely held as a fundamental human right and is recognised in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in the Constitution of nearly every country in the world.

Privacy is becoming a growing concern as the world continues its mass digitisation. As we move more of our day-to-day business and personal communications and interactions online, the trail of personal data breadcrumbs we leave behind grows.

Take something as simple as an online transaction: when the average consumer pays a merchant in Europe via their PayPal account, their data goes to as many as 600 different companies. The consumer has zero visibility over any of the companies involved. The amount of metadata about our lives is staggering – and we have no control over any of it.

Financial privacy and its malcontents

Regulators have tried to resolve some of the issues around data privacy and use of personal information by businesses. The European Union’s General Data Protection Regulation is a far-reaching piece of legislation that aims to protect EU citizens from unwanted or unauthorised personal data use. Although the upper limits of its sanctions still need to be tested, GDPR promises fines of up to €20-million to organisations that compromise the personal data of any EU citizen.

But for most transactions, consumers and businesses remain at the mercy of a vast network of interlinked companies that process and distribute our personal metadata across the globe. A lot of this is driven by convenience: when cash was still the preferred payment method, people enjoyed a fair amount of privacy as cash transactions can be concluded away from any prying eyes.

With the introduction of electronic payment methods such as wire transfers, SWIFT, credit cards and mobile payments, privacy has been sacrificed for convenience. The amount of Know-Your-Customer (KYC) and Anti-Money Laundering (AML) processes in place means consumers have little in the way of financial privacy as financial services firms are bound by law to constantly analyse transactions for any irregularities and report them to authorities where appropriate.

Shining a light on criminality

Financial crime is a massive problem. A 2018 Thomson Reuters survey of 2373 respondents in 19 countries – including South Africa – found that the aggregate lost turnover as a result of financial crimes amounted to $1.45-trillion, or 3.5% of their total global turnover. In Europe, on average one in every 200 transactions reviewed by bank compliance officers leads to a criminal investigation, but only 1% of criminal proceeds generated in the EU are confiscated by authorities.

But financial privacy is not only important to criminals; it is a critical safety measure for every digital citizen. Without financial privacy, personal and financial safety can be compromised by criminals who could, for example, see the value of a purchase that someone made – as well as their personal details – and use that information to target them with criminal activities. As a business, financial privacy keeps intimate business details such as salary information, profit margins and revenue away from unwanted eyes.

Cryptocurrencies often come into the firing line for their anonymity and lack of regulatory oversight. High-profile examples of illicit purchases on the dark web using cryptocurrencies have made regulators wary of their potential for driving criminal activity.

Not all cryptocurrencies are made equal

A large part of the appeal of cryptocurrencies is that they are more discreet than mainstream payment methods. And while this is partly what makes them attractive to criminals, it is unfair to assume all discreet transactions are criminal. We all make purchases we would rather other people not know about, for fear of embarrassment or judgement. Anonymity also has its benefits: who hasn’t suddenly seen a spike in advertisements related to something they once searched for online, or seen products similar to one they’ve just bought advertised on sites they visit?

Privacy enhancing cryptocurrencies are built on five pillars, namely:

  • Unlinkability, which conceals where transactions are going to;
  • Untraceability, which conceals the origins of transactions;
  • Cryptographically valueless, which hides the value of a transaction;
  • Passively hidden, which conceals the transaction from other internet users; and
  • Optionality, which maximises the privacy set while still enabling you to reveal information should you need to.

But not all cryptocurrencies are created equal. And not all have the privacy of their users as a primary concern. Cryptocurrencies such as Monero were built to provide users with the optimum amount of privacy. That’s why I’d add a sixth pillar to the above, namely Ideology. Since cryptocurrencies involve thousands – even millions – of people, it is critical that the cryptocurrency is managed according to a strict set of privacy-enhancing guidelines.

Every contributor to Monero, for example, understands they are responsible for other people’s money, privacy and, by extension, safety. Contributors could, through reckless actions, compromise someone’s financial security or even their lives. Any privacy project that treats it with less care is indistinguishable from a scam and can put people’s lives at risk.

There’s a popular argument that honest people don’t need privacy since they have nothing to hide. But that’s a fallacy. As Edward Snowden put it, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different to saying you don’t care about free speech because you have nothing to say.”

Financial privacy is a fundamental human right. Technology can be either the greatest inhibitor or the greatest promoter of privacy. The responsibility rests on all of us who participate in the new world of cryptocurrencies to ensure we protect the privacy of our users.

My Office News Ⓒ 2017 - Designed by A Collective