How Much Of Your Personal Data Are Payment Apps Mining And Is It Ethical?
On Wednesday, Siddharth Jalan had a short call with Indane to book a gas cylinder. Within a few minutes of his phone call, Jalan got a notification on his phone from Paytm asking him to pay for the gas cylinder booking for an assured cashback.
On a normal day you'd dismiss it, but it raised a more sinister question for Jalan: Was Paytm listening in on his calls?
What followed was an exchange with Paytm customer care which was anything but reassuring. After Jalan didn't receive a detailed response to his original tweet, he tagged Paytm again after 24 hours, demanding to know more about the app's infringing behaviour.
This time Paytm wrote back, claiming in an email that they "do not store any personal information or track calls/SMS," further justifying the notification alert because Jalan is a "common customer of Indane and Paytm". You can read the full email response Jalan received which he has subsequently made public on his Twitter handle.
Just after my tweet I got a call from @Paytmcare . Told them to email me their answer which is given below. I don't buy their explanation... Stop invading my privacy... https://t.co/pDqAtzLK1v pic.twitter.com/TF0bwiuofq
— Siddhaarth Jalan (@sjalan) November 6, 2020
Needless to say, Jalan remains skeptical of the explanation Paytm provided to him through the email. In response to this story, a Paytm spokesperson said, "Our customers' privacy is of utmost importance to us. We do not track call data of customers. In this case, the notification to move customer to digital platform was sent based on information provided by the merchant."
Siddharth Jalan's case isn't an isolated one. How many times have we experienced scarily accurate and hyper-contextual ads popping on websites, notification triggers based on our message chats or our smartphone activity?
Recently a friend was discussing Goa plans on WhatsApp when he got another scarily contextual notification -- this time from Google Pay.
A WhatsApp chat mentioning a trip to Goa resulted in a push notification within hours by payments app Google Pay, suggesting paying for a trip to Goa through the app. Note the time of the chat and the app notification from Google Pay.
Now this might just be an ad campaign being run by the company or it could be a nefariously targeted ad to a specific user triggered by a chat. The point here is that it is hard to see the connection until one knows about the personal data being transmitted between two channels.
What's going on here?
It is important to note that smartphone apps require the user's permissions to gather any such data and that Paytm must have had it beforehand to access the call logs in the case above. That, however, does not answer if Paytm really needs it in this particular case. It does not even explain if that is the only questionable data that the app is collecting.
To know that, we have a look at Paytm's privacy policy. In the policy, the company describes "personal information" of an individual gathered by it to include "name, address, mailing address, telephone number, email ID, credit card number, cardholder name, card expiration date, information about your mobile phone, DTH service, data card, electricity connection, Smart Tags" and any other information voluntarily provided by the user. Note that this voluntary handover of data can take place by simply giving the app all the permissions it asks for, something that many of us have a tendency to practice.
This is not all. The payments app specifically mentions that it may collect information regarding "mobile/ tab device details, domain and host from which you access the internet, the Internet Protocol [IP] address of the computer or Internet service provider [ISP] you are using" as well as anonymous site statistical data.
How can this data be used?
Paytm further confirms it "will not sell, share or rent your personal information to any 3rd party or use your email address/mobile number for unsolicited emails and/or SMS." Note that the promotional message in the tweet above is a push notification by Paytm itself and not an SMS or a call by any third party.
There is, however, a different way in which the company shares the data it collects from its users with third parties. In its privacy policy, Paytm mentions that "aggregate cookie and tracking information may be shared with third parties." For those unaware, such cookies are small pieces of information that a web server stores in a web browser, and which can later be read back from that browser. These can help track user behaviour on the Internet, which in turn drives targeted ads based on that behaviour.
The dilemma of permissions
The problem of unsolicited app permissions is not one of specific apps but one that persists across the smartphone ecosystem. In a race to provide the best services, smartphone applications are in a constant endeavour to personalise and curate their experience as per the user. Such personalisation can be amped up as these applications gain more insight into a person's activities.
For this, the apps ask for permissions, which at times, they do not necessarily require for functioning. This is where the line between necessary access to data and privacy infringement grows thin.
You see, a cab-hailing app like Uber or Ola will need to have access to your smartphone's location to direct the driver to you. What such an app would/should not require is access to your phone's camera, microphone or even media files.
While most of us grant permissions to these apps willy-nilly just to make them work, a look at how much data is being collected by these apps can come as an eye-opener to many. Jalan's tweet is a stark reminder of the same.
A 2018 report by Symantec mentions that up to 46 percent of the apps on Android OS request a phone's camera access to operate. Meanwhile, 45 percent of the apps require location tracking whereas 25 percent require permission to record audio. 15 percent of the apps need permission to read SMS messages and 10 percent sought access to phone call logs.
The ratio is much lower in iOS but is not absent. This is because Apple is stringent about app listings on the App Store. It only allows the listing of apps that do not access data from any other apps, thus creating a safety net for data collected by a particular app.
Taking back some control
It is thus important to monitor the types of apps one is using on his/ her smartphone. Any app to be used, especially the ones that require permissions to multiple facets of the phone, should be looked into and only downloaded and used if the developer is trusted by the user.
Once downloaded, a careful check on the permissions needed by the app also helps. To check the permissions allotted to the apps already downloaded on your phone, you can follow these steps:
- Open Settings > App & notifications
- Click on App permissions
- A categorised view of apps using different data sets on your phone appears - like Camera, Call logs, Contacts and more
- Click on any and check which apps are using the permissions
- Toggle the permissions on or off as deemed fit
Note that applications require multiple permissions for various aspects of their operations. A multiplayer game might require access to your microphone for voice chats in a team match. Similarly, payment apps might require camera access to scan QR codes. Thus, not all permissions that seem fishy should be revoked and the users will have to select and allow the essential permissions to let the apps run smoothly. The point is to be vigilant about it, just as Jalan was in his tweet.
Need for a strong data privacy law
It is not just the users that can bring about some order to this absolute chaos of data collection. Legal policies around the world are now being framed on data privacy, clearly laying down the process and extent of data collection by such apps, something that India badly needs.
The US state of California, for instance, recently voted for Proposition 24, expanding the state's existing privacy laws. Prop. 24 majorly restricts the amount of data that the tech giants can garner from users going forward.
This will in turn keep a check on the amount of data being sold by these companies to advertising partners. As data privacy takes centre stage in a technology-laden world, such legal measures will be the ultimate weapon to keep unnecessary privacy infringements in check and the personal data of users safe and protected.