Do you hate robocalls enough to let an app give your data to third parties in exchange for blocking the spam? Researchers found that's exactly what's happening to millions of people using the most popular robocall-blocking apps.
Robocalls have become an epidemic, as lawmakers and phone carriers seek to stomp out the massive number of spam calls sent per day. A study found that there were 26.3 billion robocalls made in the US in 2018, and robocalls are the No. 1 source of complaints to the Federal Communications Commission and Federal Trade Commission.
Hastings found that a majority of them were collecting personal data on people's devices without their explicit consent and sharing it with analytics firms.
"If most people took the time to read and try to understand privacy policies for all the apps they use (and are able to understand them!), they might be surprised to see how much these apps collect," the researcher said in a statement.
Hastings is presenting his findings at Defcon's Crypto & Privacy Village on Sunday.
While robocalls are the top consumer complaint to the FTC and the FCC, privacy is also a major concern for the agencies. The FTC levied a record $5 billion fine on Facebook for the social network's privacy violations, and people are becoming more aware of all the ways tech giants siphon personal data.
Free apps that solve one problem can turn out to be creating another for people's privacy, like when an innocuous-seeming weather app turns out to be selling your location data. Robocall-blocking apps are no different, Hastings found.
These apps are sharing people's phone numbers with data analytics firms, looking at your text messages and phone calls, and can learn what apps you have on your device, the researcher said.
"TrapCall only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose," the company said in a statement.
"While it is true that Hiya currently sends some basic device data to third party services upon opening the app (a standard industry practice in compliance with Apple's guidelines), that does not and has never included phone numbers or any Personally Identifiable Information (PII)," the company said in a statement.
In its permissions on Android, Hiya requests access to location data, which has nothing to do with blocking phone calls. The company said that it requests location data so that people can find nearby businesses more easily.
The company said it would be addressing these concerns and re-submitting its apps to the iOS and Play stores to make sure that basic device information is not sent without people's consent.
These three apps are among the top robocall-blocking apps available. Together, they have more than 110 million installs on the Google Play Store alone.
"I can only hope that more transparency about exactly what data is being sent and where will be made more digestible and transparent for end users," Hastings said. "Until that day comes, users will continue to have to read through privacy policies and hope researchers provide more insight into what various types of apps collect about them."
Originally published Aug. 9, 7 a.m. PT.
Update, 9:23 a.m. PT: Added response from Truecaller.
Correction, 12:35 p.m.: Clarifies that Hiya collects and sends data to analytics companies, but not phone numbers.
Correction, Aug. 10 at 11:53 a.m.: A debug version of Hiya's app available on the Google Play Store requested access to USB storage, not the consumer version.