
Do you hate robocalls enough to let an app give your data to third parties in exchange for blocking the spam? Researchers found that's exactly what's happening to millions of people using the most popular robocall-blocking apps.

Robocalls have become an epidemic, as lawmakers and phone carriers seek to stomp out the massive number of spam calls sent per day. A study found that there were 26.3 billion robocalls made in the US in 2018, and it's the No. 1 source of complaints to the Federal Communications Commission and Federal Trade Commission.

But when you download a robocall-blocking app, you could be trading one evil for another, found Dan Hastings, a security researcher at NCC Group. He read the privacy policies of the top robocall-blocking apps in the iOS App Store and compared them with the network traffic the apps actually sent.

Hastings found that a majority of them were collecting personal data on people's devices without their explicit consent and sharing it with analytics firms.
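The comparison Hastings describes, policy claims versus observed traffic, can be partly automated. The following is an added example, not code from the research or from any of the apps named here: it takes a constructed list of outbound requests (timestamp, destination host, body) of the kind an intercepting proxy exports, plus the user's phone number, a device identifier, the app vendor's first-party domain and the moment consent was given, all of which are assumed sample values, and reports which third-party hosts received personal data and whether that happened before consent.

```python
"""Audit captured app traffic for personal data sent to third parties.

Added example with constructed data; the hosts, number and identifier
below are placeholders, not values from the research.
"""
import re
from datetime import datetime

PHONE_NUMBER = "+15551234567"                                   # constructed
DEVICE_IDS = {"idfa": "AAAAAAAA-1111-2222-3333-BBBBBBBBBBBB"}   # constructed
FIRST_PARTY = "example-blocker.invalid"      # hypothetical app vendor domain
CONSENT_AT = datetime(2019, 8, 9, 7, 0, 5)   # when the user tapped "Agree"

# Constructed capture: (timestamp, destination host, request body).
CAPTURE = [
    (datetime(2019, 8, 9, 7, 0, 1), "analytics-a.invalid",
     '{"device":"AAAAAAAA-1111-2222-3333-BBBBBBBBBBBB","os":"12.4"}'),
    (datetime(2019, 8, 9, 7, 0, 9), "api.example-blocker.invalid",
     '{"phone":"+15551234567","action":"register"}'),
    (datetime(2019, 8, 9, 7, 0, 10), "analytics-b.invalid",
     '{"user":"+15551234567","event":"signup"}'),
]

def normalize_digits(s):
    return re.sub(r"\D", "", s)

def contains_phone(body, phone):
    """True if a phone-like token in body matches the number regardless of
    formatting (+1 555-123-4567 and 15551234567 both match)."""
    target = normalize_digits(phone)[-10:]
    for tok in re.findall(r"\+?[\d\-() .]{9,}", body):
        digits = normalize_digits(tok)
        if len(digits) >= 10 and digits.endswith(target):
            return True
    return False

def audit(capture, phone, device_ids, first_party, consent_at):
    """Return one finding per third-party request that carried the phone
    number or a device identifier, flagging sends that predate consent."""
    findings = []
    for ts, host, body in capture:
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is expected; only audit third parties
        leaked = ["phone"] if contains_phone(body, phone) else []
        leaked += [k for k, v in device_ids.items() if v.lower() in body.lower()]
        if leaked:
            findings.append({"host": host, "fields": leaked,
                             "before_consent": ts < consent_at})
    return findings
```

Each finding can then be checked against the wording of the app's privacy policy; a third-party host that is not disclosed, or a send flagged `before_consent`, is the kind of gap the research reported.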

"If most people took the time to read and try to understand privacy policies for all the apps they use (and are able to understand them!), they might be surprised to see how much these apps collect," the researcher said in a statement.

Hastings is presenting his findings at Defcon's Crypto & Privacy Village on Sunday.

While robocalls are the top consumer complaint to the FTC and the FCC, privacy is also a major concern for the agencies. The FTC levied a record $5 billion fine on Facebook for the social network's privacy violations, and people are becoming more aware of all the ways tech giants siphon personal data.

Free apps that provide one solution can turn out to be creating another problem for people's privacy, like when an innocuous-seeming weather app turns out to be selling your location data. Robocall blocking apps are no different, Hastings found.

These apps are sharing people's phone numbers with data analytics firms, looking at your text messages and phone calls, and can learn what apps you have on your device, the researcher said.

The top robocaller-blocking app, TrapCall, is sending people's phone numbers to three data analytics companies, Hastings found. This was happening even though it wasn't explicitly stated in the privacy policy when Hastings did his research. The company has now changed its privacy policy to tell users that they are sharing their data with third parties.

TrapCall said that its users agree to the privacy policy when they install the app, and that the data was not being abused by the analytics companies.

"TrapCall only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose," the company said in a statement.

Hiya, another top robocall-blocking app, also sends people's device data to three data analytics firms -- and that happens before users agree to the privacy policy, Hastings found. Hiya is not alone, as many apps include analytics tracking that sends device data.

"While it is true that Hiya currently sends some basic device data to third party services upon opening the app (a standard industry practice in compliance with Apple's guidelines), that does not and has never included phone numbers or any Personally Identifiable Information (PII)," the company said in a statement.

In its permissions on Android, Hiya requests access to location data, which has nothing to do with blocking phone calls. The company said that it requests location data so that people can find nearby businesses more easily.

The company said it would be addressing these concerns and re-submitting its apps to the iOS and Play stores to make sure that basic device information is not sent without people's consent.

Hastings also found that Truecaller had been sending data about people's devices to social media platforms before users agreed to the privacy policy. The company said it's revising its privacy policy.

"Note that our Privacy Policy is common across all mobile platforms and that's why the confusion exists. We're looking at updating the privacy policy to make it clearer what we're doing on each platform," the company said in a statement.

These three apps are among the top robocall-blocking apps available. Together, they have more than 110 million installs on the Google Play Store alone.

"I can only hope that more transparency about exactly what data is being sent and where will be made more digestible and transparent for end users," Hastings said. "Until that day comes, users will continue to have to read through privacy policies and hope researchers provide more insight into what various types of apps collect about them."

Originally published Aug. 9, 7 a.m. PT.

Update, 9:23 a.m. PT: Added response from Truecaller.

Correction, 12:35 p.m.: Clarifies that Hiya collects and sends data to analytics companies, but not phone numbers.

Correction, Aug. 10 at 11:53 a.m.: A debug version of Hiya's app available on the Google Play Store requested access to USB storage, not the consumer version.