
Think Twice Before Using 2 Spam Call Blocker Apps: Contacts Made Public and Personal Information of Friends and Relatives May Become Freely Accessible

  • 2024.05.16

Many people receive more than a few telemarketing or spam calls every day. In the hope of minimising disturbance to their daily lives, people may choose to download mobile apps that block spam calls. However, if consumers do not study the terms and conditions carefully to make prudent choices, their personal data and even those of their friends and relatives may be disclosed without their knowledge. The Consumer Council reviewed 5 spam call blocker apps more widely used in Hong Kong and found that 2 apps, after obtaining access rights, would upload and consolidate information of the entirety of the users’ contacts into the apps’ databases, rendering it available for search by other users, either automatically or upon the user’s activation of the “Enhanced Search Functionality”. Personal information such as names, email addresses, and even home addresses could possibly be disclosed to and fully accessible by others. 1 app might even store personal data that was meant to be erased after the expiry of its data retention period in its backup system, which was obviously an unsatisfactory arrangement. The Council advises consumers to study the terms of service and privacy policy carefully before downloading and using blocker apps, and to pay attention to the reasonableness of the permissions requested when choosing one.

The study sampled 5 spam call blocker apps that were more commonly used among Hong Kong consumers by referencing the rankings of 2 mobile app stores and third-party market analysis reports. User trials were conducted, along with collection of relevant information from the terms of service, privacy policies, websites, and online customer support. Except for 2 apps which did not respond to the Council’s enquiry, all information was verified by the developers.

Account Registration with Third-party Platform
1 App Would Access Up to 8 Items of Personal Data

Among the 5 apps, 2 mandated users to register for an account while the Android version of 1 other app also had the same requirement. Users typically had the option to register with an email address, phone number, or by logging into a third-party account such as Facebook or Google. If registration was made through Facebook, 1 app would access up to 8 items of personal information, including name, profile picture, email address, date of birth, photos, videos, friends list, and timeline links. Consumers who do not wish to provide such personal data should consider registering through other channels or choose other blocker apps.

2 Apps Implicated in Uploading User Contacts for Others to Search

In order to identify incoming calls from contacts, most spam call blocker apps would require access to users’ contact lists. Except for 1 app that did not read the contact list and another app that did not access contacts by default, the Android versions of the remaining apps generally required such permission. The study found that 1 app, upon accessing users’ contact lists, would automatically upload and integrate all contact information into the traders’ databases for other users to perform “reverse lookup”. By simply entering a mobile number, other users could trace the name of the number holder and read their personal information, including names in Chinese and English, email addresses or social media links, etc. In other words, if a user had stored the mobile numbers of friends and relatives in their contact list and permitted access when using the app, personal data of these friends and relatives would also be accessed and uploaded by the app even if they had never downloaded or authorised such use, which was close to impossible to guard against. The privacy policy of that app stated that if users allow the developer to collect data belonging to others, they should inform their contacts and others of the developer’s practice of collecting and sharing data, and the users should also direct their contacts to the developer’s privacy policy and terms of service. The Council considers this to be tantamount to imposing on the user the responsibility of the developer for extracting data from user contacts, which is deemed an unreasonable and impracticable requirement. Another app would also access and upload users’ contact lists in a similar manner, but only when the user downloaded a file (e.g. APK file) from its official website, installed the app, and enabled the “Enhanced Search Functionality”.

To confirm whether the apps surveyed would publicly disclose users’ contact information, Council staff downloaded the apps into a mobile phone with a brand new SIM card and only stored the newly registered phone numbers in its contact list for a trial test. It was found that the newly registered phone numbers in the contact list appeared in the database of 1 app, signifying that the app did share contact information. In addition, personal telephone numbers of numerous staff members as well as their friends and relatives could also be found in the database of the aforementioned 2 apps, and the names and other information of these number holders were available for viewing without any need for approval from the relevant persons. In some cases, sensitive information such as former residential addresses (including floor and flat number) and the amounts of monthly rent were listed alongside the names of the number holders, raising suspicions that such data was obtained from the contact lists of the number holders’ landlords or real estate agents.

User Information of 1 App Might be Backed Up and Hard to Be Completely Erased

All apps in the study allowed users to apply for the removal of their phone numbers from the app databases. 1 app stated that the removal request must be reasonable, e.g. a company representative wanting to revise their information in the whitelist database, or the user’s phone number being added to the blacklist by mistake, etc. Council staff attempted to submit unlisting requests to 2 apps that uploaded users’ contacts, and found that the relevant personal information no longer appeared in the search results within the specified period of time as promised by the developers.

When a user account is deleted or deactivated, developers would normally keep the user information for a certain period of time before its erasure in accordance with their privacy policies. However, the privacy policy of 1 app which uploaded user contacts stipulated that users’ personal data and unlisted data would be retained for a maximum of 5 years. Even after the retention period, the relevant data might still be stored in the developer’s backup system, implying that the data might not be completely deleted. It is advisable for consumers to think twice before choosing to use this app.

Pay Heed to Details of Paid Service Plans
Removing App Not Equivalent to Unsubscribing

The functions of the blocker apps were similar and could basically meet the needs of blocking spam calls. The Android versions of these apps generally offered more functions than their iOS counterparts, such as blocking calls with no caller ID or from overseas, etc. 3 apps embedded the database of a local unsolicited call reporting website with default whitelists indicating caller ID from organisations such as hospitals, universities, government departments, etc., to prevent users from refusing such calls and missing important information. In addition, the Android versions of 3 apps were equipped with advanced features such as flagging spam SMS and identifying contacts in instant messaging apps. However, activating these features may entail the user’s permission to grant more access rights, such as allowing the apps to view all SMS content and phone notifications, which may involve one-time passwords issued by banks. This could potentially pose information security risks and consumers are advised to weigh the pros and cons of using these features.

All apps offered paid features with pricing ranging from $8 per month to $1,790 per year, including major functions such as automatic database update, removal of advertisements, and advanced call blocking, etc. Consumers should keep in mind that most of the paid service plans would be automatically renewed by default, and removing the app from their phones is not equivalent to cancelling a subscription. If consumers do not wish to continue their payment, proper cancellation is necessary to avoid being automatically charged for the next instalment. The study also found that the Android version of 1 app would show options of various non-auto-renewal service plans only when the user chose not to pay and left the subscription page, an operation which lacks transparency.

Telemarketing and spam calls can bring significant annoyance, and blocker apps can help consumers identify spam calls and avoid such nuisances. However, their blocking functions are not always foolproof, so consumers still need to stay vigilant at all times. Consumers should pay attention to the following when using blocker apps:

  • Read the terms of service and privacy policy before use, and evaluate whether the blocker app is trustworthy and whether the permissions it seeks are reasonably commensurate with the functions offered;
  • Regularly update the blocker app and its database to ensure the best blocking performance;
  • Proactively report spam calls to help the app identify and block the latest telemarketing and spam calls;
  • Request developers to delete personal information if it is found to have been uploaded by apps and made available for public search, and remember to enter the area code before the phone number when sending an unlisting request;
  • Pay heed to whether payment plans are pre-set for automatic renewal of subscriptions, and bear in mind that removing the app is not equivalent to cancelling a subscription. To discontinue payment, unsubscribe from the service in the app store within the specified timeframe (typically 24 hours before the subscription or trial period ends);
  • Consider installing a suitable blocker app for seniors at home, and keep reviewing the terms and conditions and updating the app regularly, to help protect them from spam calls.

 

Download the article (Chinese only): https://ccchoice.org/571spamcall

 

Consumer Council reserves all its right (including copyright) in respect of CHOICE magazine and Online CHOICE.