Kenneth Chan Kin-nin, vice-chairman of the Consumer Council’s publicity and community relations committee, said on Thursday that a test run between February and April on five widely used spam call blocker apps showed that two of them, CallApp and Truecaller, had disclosed “personal information such as names, email addresses and even home addresses … and [made them] fully accessible to others”.
He urged residents to read the terms of service and privacy policies of such apps to evaluate their trustworthiness, even as he acknowledged that telemarketing or spam calls brought significant annoyance.
Chan explained that CallApp, upon accessing the user’s contact lists, automatically uploaded all contact information to its database, allowing other parties to perform a “reverse lookup” by simply entering a phone number.
These parties could then trace the owner’s name and view their personal information, including their full name in both Chinese and English, email address, social media links and other details.
“If a user stores the mobile numbers of friends and relatives in their contact list and permits access when using the app, [those contacts’] personal data can be accessed and uploaded by the app even if [the contacts] never downloaded the app or authorised such use,” Chan said, noting that such actions were “close to impossible to guard against”.
The app’s privacy policy stated that if a user granted permission for the developer to collect data, then that person became responsible for informing their contacts about the developer’s practices.
“The council considers this to be tantamount to imposing on the user the responsibility of [notifying others of] the developer’s extraction of data from contacts, which is an unreasonable and impracticable requirement,” Chan said.
The watchdog found that Truecaller accessed and uploaded users’ contact lists in a similar manner, but only when the user downloaded an APK file from its official website, installed the app and enabled the “enhanced search” function.
A trial test by the council confirmed that information of contacts saved in a new SIM card were found in the databases of both apps, which allowed unrestricted access without consent.
“Some entries even included sensitive details such as previous residential addresses and monthly rent amounts, suggesting data extraction from the contact lists of landlords or real estate agents,” Chan said.
All apps in the study allowed users to apply for the removal of their phone numbers from the databases, but CallApp’s privacy policy indicated that personal information and data, even when removed, could be retained for up to five years.
“Consumers should think twice before choosing to use this app,” Chan said, adding that developers of CallApp and Truecaller had not replied to the council’s inquiries.
Consumer Council chief executive Gilly Wong Fung-han said the watchdog had not received any complaints about blocker apps and had submitted its findings to the Office of the Privacy Commissioner for Personal Data.
“Allowing your contact lists to be uploaded to the app’s database and accessed by other people is a significant authorisation,” Wong said. “Consumers need to determine whether they are willing to do so.”
Francis Fong Po-kiu, the honorary president of the Hong Kong Information Technology Federation, said residents should fully understand the terms of service and privacy policies of blocker apps before downloading as some might access more data than others.
“Granting your phonebook access to developers is unavoidable for the purpose of identifying incoming calls from contacts in most spam call blocker apps,” Fong said. “But people need to be mindful of what information is at risk as some may even access your SMSs.”
