New Delhi: Have you ever wondered why banks you have never dealt with flood you with calls, hell-bent on offering you credit cards and loans, and seeking investments? Or why you get so many messages from unknown sources, crammed with links to “update your KYC” or “recharge your prepaid number”? Why do so many strangers know your name and number?
‘Spam’ calls and messages may seem like mere annoyances, but they usually stem from acts of intrusion into your personal data. Your number is not just a number. It is linked to data sets about you that slot you into various categories — age, location, employment, net worth, shopping habits.
This data may originate from information you willingly gave to a bank or to a phone recharge website or to a store where you shopped.
But after that, your consent doesn’t matter. Your personal data could be sold to anyone who is willing to buy it — whether it’s a telemarketing company, or a criminal module searching for targets.
Some callers who ask you for details could be out to con you (‘vishing’), and spam SMSes may contain phishing links that could be used to take money from your bank account.
“Companies as well as citizens should be careful and responsible about who they are sharing data with,” K.P.S. Malhotra, Deputy Commissioner of Police (DCP) at Delhi Police’s Intelligence Fusion & Strategic Operations (IFSO) unit, said.
“Scams are run by well-oiled syndicates that work through modules, but they source mobile numbers from different entities.”
Some databases are even available to download for free online. Try searching for your name with your number and address and you might find yourself listed on one for a targeted category, like HNI (high net-worth individuals). Anyone could reach you if they wanted.
There is no dedicated data protection law in India, and thus no need for accountability when it comes to selling, sharing, or buying data.
“In the present legal framework, no organisation is obliged to tell the customer what they are going to use data for,” Anas Tanwir, Supreme Court advocate and founder of the Indian Civil Liberties Union, a collective of lawyers and activists, told ThePrint. “Even without the consent of the individual, people’s data can be shared. This is where the dynamics of the data protection law come in.”
Cybercrimes fuelled by lack of data protection laws
Cybercrimes that defraud targets by getting them to click on malicious links and give out banking information are becoming increasingly common.
This can take the form of phishing or smishing, referring respectively to links sent over email or SMS. Vishing, meanwhile, involves targets giving their details while speaking on the phone.
This problem, according to senior IFSO officers, is fuelled by the lack of a proper data protection law in India, which makes it difficult to affix responsibility and accountability.
An IFSO officer cited the example of a KYC (know your customer) fraud case, in which the police busted a gang that targeted around 8,000 people across the country. The scam involved asking people to update their KYC and then sending them phishing links.
In this instance, the officer said, the gang was given data — mobile numbers of potential targets — by a woman who claimed she was “unaware of the intentions”. She has not been named as an accused in the case.
“We don’t have data protection laws, which would have made companies selling data more responsible in terms of whom they are dealing with. Now, anyone can buy data and then further sell it,” he added.
Using the mobile numbers they had procured, the gang carried out scams using multiple steps and teams, the officer said.
“One team was responsible for sending out the first phishing links. If the target didn’t click it once, then the number went to the second team, which sent fresh links again. This continued until someone clicked on the link. All of this was continuously monitored by a third team,” the officer added. “Once the link was activated, and the money transferred to the bank accounts, another team came into play — withdrawing the cash immediately. The money trail is cut off.”
India’s proposed Personal Data Protection Bill has been in the pipeline for years, but IT Minister Ashwini Vaishnaw has reportedly said that the government hopes to get Parliament’s approval on it in the monsoon session.
Among other things, the proposed law will restrict the use of personal data without the consent of citizens. According to the draft, data fiduciaries could be held accountable under cybercrime laws and provisions under the Indian Penal Code.
The draft also talks about identifying organisations that anonymise personal data and make it harder to find out the sources of a leak.
A Local Circles survey released this May revealed that 64 per cent of Indians get three or more spam phone calls daily on average. The survey also found that 95 per cent of those individuals who have registered their numbers with TRAI’s DND [Do Not Disturb] list still continue to receive such calls.
In its ‘Global Spam Report 2021’, the caller ID and blocking app Truecaller ranked India fourth on a list of countries most affected by spam/scam calls. India had ranked ninth the previous year.
‘Customers don’t know what they are consenting for’
According to legal experts, there is no way of tracing a data trail and finding the source of a breach.
Also, whenever an organisation or business seeks any data from a customer, they rarely specify what they will use it for or provide any terms and conditions in their entirety.
“When we shop, companies may have a valid reason to retain your phone number — products have warranties and in order to cross-check that some kind of user information would be necessary. But there is no informed consent from people,” advocate Anas Tanwir said.
“There is no way of knowing if they are sharing the data with anyone. Customers don’t know what they are consenting for.”
On the question of whether victims or customers can seek redressal in court if they find out their data has been leaked, Tanwir said there is little scope: “There are a few redressals in the IT Act but they can barely be enforced. A customer can just get compensatory rights and nothing further than that.”
ThePrint spoke to a staff member of a popular cosmetics company in New Delhi who said that contact numbers are generally taken from customers so they can benefit from a store points system and be informed of new products via text messages. “We don’t call customers or share their data anywhere,” the employee said.
Last May, pizza delivery service Domino’s India fell victim to a massive data breach that led to details from about 18 crore orders becoming publicly available. ThePrint emailed Domino’s seeking comment, but there was no response until the time of filing this report.
Even major social media intermediaries sometimes use ambiguous wording in their privacy policies, thus preventing users from making fully informed decisions, Tanwir said.
“For example, Meta (formerly Facebook) has immensely broad terms and conditions, to which we agree readily. Many companies draft their data privacy policies in a manner wherein there is no stipulated direction on how the data can be utilised. There is no purpose limitation and it could only be regulated via a tight data protection law. This aspect is already mentioned in the data protection bill that the processing should take place in a fair and transparent manner,” he added.
This April, Facebook came under fire when a leaked memo reportedly compared data to a bottle of ink being poured into a lake — insinuating that the company has no way of knowing where data goes or what is done with it.
(Edited by Asavari Singh)