1 in 2 citizens surveyed acknowledge seeing ads based on their private voice conversations; microphone and contact list access to certain apps is leading to privacy breaches

May 26, 2022, New Delhi: It is true that internet-enabled technology such as smartphones has become an integral part of our lives, from managing our daily activities in a calendar, an app that tracks our steps and movements, to shopping, commuting, ordering food, etc. While technology has made our lives easier, it also poses a great risk as individuals expose their personal data to 3rd parties. This enables cybercriminals or hackers who try numerous ways—phishing, malicious malware software, malicious mobile apps, smishing, insecure networks, etc—to get hold of users’ data, which is then put to misuse. There have been growing instances of many Indian users reporting that certain mobile apps are now listening to their phone conversations as they are presented with relevant ads thereafter.

There are many apps that ask users’ permission to access their microphone; however, in many cases, users are not made aware for what reason their phone microphone is being used and where this data is being shared, other than the service they require. There are several apps—for instance, gaming apps require users’ permission to access their microphone—and a few of them go to the extent of recording a user’s voice thereby violating the privacy rights of the user. In the absence of a data protection regime, some websites and apps are using loopholes to manipulate data for various advertising purposes. For instance, some users have also alleged that a caller identification app popularly used, Truecaller, reveals personally identifiable information, including the name registered with a mobile number and sometimes occupation, email address and even employer’s name on the app without the user providing consent to share that information. The information is sourced from a Truecaller user who has shared their contact list in order to use the app and the individual happens to be in that list. In the absence of a data protection law in India, Truecaller continues to use this practice.

LocalCircles has been receiving thousands of posts and comments over the past 12 months on people’s data being shared without their consent and in several cases, people even complained about seeing advertisements based on their voice conversations. To understand the magnitude of this issue, LocalCircles conducted a survey, which received more than 38,000 responses from citizens residing in 307 districts of India. 62% of the respondents were men while 38% were women. 48% respondents were from tier 1, 27% from tier 2 and 25% respondents were from tier 3, 4 and rural districts. The survey understood the magnitude of the issue of voice conversations leading to targeted ads and also attempted to understand the aggregate percentage of users who have given their smartphone’s microphone access to different apps.

53% of the citizens surveyed said they have had one or more instances in last 12 months where they saw advertisements on web/app based on their phone conversations

Over the last 2 years, LocalCircles has received more than a hundred complaints from citizens about advertisements presented to them based on the content of their recent phone conversations. In community discussions, citizens also discussed with each other similar instances they have experienced. In order to gauge the extent of the issue, the first question in the survey asked citizens, “In the last 12 months, have you had experiences where after you spoke to someone on the phone about a particular product/service, when you went on website/apps afterwards you were presented with ads for such product/service?” In response, 28% said “Yes, happens all the time,” 19% said “Yes, has happened several times”, and 6% said it has “happened a few times”. Only 24% of citizens said that it has never happened, while 23% did not have an opinion. The findings of the poll suggest that 53% of citizens are seeing advertisements on web/app based on their phone conversations about products or services. This question in the survey received 8,291 responses.

Majority of Indians have given microphone access to their mobile phone for audio/video calls, social media and audio recording apps

There are reports which indicate that turning the microphone off can help prevent apps from listening to your conversation. However, it is not a viable option for many apps as they require the phone’s microphone for speech to text, call, record voice, etc. That said, users rarely go through the pain of turning a microphone ‘On’ and ‘Off’ only when they need it. This is primarily because users are not made aware of their phone microphones being used for anything other than the service they require or of information being stored.

The following question in the survey sought to know from citizens if they have given access to their phone’s microphone to different apps. In response, 9% said “(1) to all apps,” (2) 18% said “apps used for audio and video call”, and 11% said “(3) apps used for social media, music, audio video recording”, and 4% have given the access to “(4) apps that assist in usage of phone via voice”. Breaking down the poll, 11% voted for “2 & 3” type of apps from the aforementioned options, 5% said “2 & 4”, while 13% voted for “2,3 & 4” options. There were only 11% of citizens who have not given their phone’s microphone access to any apps, while 18% did not have an opinion. Based on aggregate responses, it is clear that the majority of Indians have given microphone access to their mobile phones for audio/video calls, social media, and audio-video recording apps. This question in the survey received 8,928 responses.

84% smartphone users have given access of their contact list to one or more apps

The next question in the survey asked citizens “What is your current status in regards to giving contact list access to one or more apps?” In response, only 16% of citizens said, “Have not given contact list access to any apps”. The majority, 84% of smartphone users said “Have given access of their contact list to one or more apps. This question in the survey received 11,669 responses.

84% smartphones users in India have given their contact list access to Whatsapp; 51% have to Facebook or Instagram or both; 41% have given access to apps like Truecaller

Citizens were asked what are all the apps that they have given their contact list access to and were given multiple options. If the responses are analysed, 84% of citizens have given access to their contact list on Whatsapp, 51% have given access to Facebook or Instagram and 41% have given access to Truecaller. Breaking down the poll, 49% said “Google apps,” 33% said “Skype” and 20% said “Twitter.” There were also 31% of citizens who said “Paytm/PhonePay/ Mobiwik” and 10% said “snapchat/signal/telegram” and 14% said “others.” This question in the survey received 9,802 responses.

The majority of citizens in the survey accept to have given access to their phone’s microphone to several apps, especially audio/video calling apps, social media and audio recording apps. Audio and video-based social networks like Twitter Spaces, as well as video calling apps like Whatsapp, Skype, Zoom, Google Meet, etc. all require microphone access. One can only hope that any apps that have taken user’s consent to their phone’s microphone aren’t recording the verbal conversations and sharing them with 3rd parties. However, since 53% of those surveyed said, they are seeing advertisements on web/app based on their phone conversations about products/services, one has to assume that at least some apps are engaging in such activities. 84% of smartphone users have given access to their contact list to one or more apps, including WhatsApp, Instagram and true caller.

These apps and sites only take secondary consent and do not make users aware of where or how this information will be used and should be mandated under law to take consent of the primary data owner. Also, the Government must mandate that any apps available on Indian app stores and play store and requiring microphone access must be required to give clear declarations of where a user’s information will be used and seek explicit consent from them. If this is not done at the earliest, such access could easily lead to financial frauds and people’s personal information getting compromised with no accountability of how it happened.

It can be mentioned here that Governments from around the world are cracking down on companies that misuse people’s data. One of the most prominent laws that pertain to data collection is the General Data Protection Regulation (GDPR) put in place by the EU in 2018. The Parliament of India is yet to approve the “Personal Data Protection Bill 2019” and the Joint Parliamentary Committee has been meeting with different stakeholders since 2018. The Bill aims to provide legislative and statutory protection to users’ or citizens’ personal information and recognises protecting the data of individuals as their rights. This bill once approved will provide the due powers to a newly created Central Data Protection Authority to act against violators if the personal data breach is established.

Citizens via LocalCircles had escalated various inputs on what constitutes private information to a common citizen along with penalties for data breach to the Government in 2017 and the same was used as a key input in the draft of the Personal Data Protection Bill. As the joint parliamentary committee conducts stakeholder consultations and the parliament debates the bill in the upcoming sessions, LocalCircles will share these recently received concerns for their consideration.