At a time when the Indian government is glorifying the success of the indigenous digital payments app BHIM, which is said to have crossed 18 million downloads since its launch in December 2016, many privacy activists have claimed that the app has serious privacy issues that many of those millions of users may be unaware of.
According to Srikanth L, a Hyderabad-based software professional who has been driving awareness campaigns to educate consumers about digital/cashless payment systems, there are potential surveillance and privacy issues with the BHIM app and its terms and conditions.
Srikanth said that the BHIM app's terms and conditions authorise the National Payments Corporation of India (NPCI), a non-government, not-for-profit entity operated by banks, to manage and record users' phone calls.
Although the permission to manage phone calls is likely intended to obtain the IMEI (International Mobile Equipment Identity) of registered devices, it could legally authorise NPCI to ask any telecom operator to provide recordings of users' calls.
In addition, all transactions and communications through any UPI app, not just BHIM, embed the geo-location of the UPI user.
#BHIM wants access to manage your phone calls & as per 6.3 of TnC,*you* agree to let NPCI monitor, record any or all telephone conv #privacy pic.twitter.com/W0ZjV7KQzn
— Srikanth ஸ்ரீகாந்த் (@logic) April 16, 2017
So is the BHIM app part of a state-backed snooping attempt targeted at consumers?
Srikanth declined to comment on that, but he told International Business Times, India that "the terms and conditions give a non government body NPCI, the legal approval by consumer to snoop".
Interestingly, the terms and conditions in the Android version of the app are available only during installation. But once the app is installed, users cannot access them for future reference even though the app and its terms and conditions update automatically, and users tend to accept the latest version. However, iOS users can access the terms and conditions post installation.
"Users are accepting to sweeping terms and conditions and their consent is taken once even though TnC keeps changing. While this practice was harmless when it came to Facebook/random social networking sites, this is anti-consumer and cannot be consumer friendly when it comes to banking/payment apps," Srikanth said.
There is a PDF version of the BHIM app's terms and conditions hosted on the NPCI website, but it is not easily available and requires consumers to search for it. According to Srikanth, there are also many differences between the two versions.
https://t.co/qeMnNYOzGs TnC screenshots #BHIM app today. https://t.co/1sj9VhHwXh From NPCI website. There are differences between 2 too. https://t.co/l3Rp4P1u1d
— Srikanth ஸ்ரீகாந்த் (@logic) April 16, 2017
@Soliloquyist @calamur @NPCI_BHIM @privacyisright @internetfreedom Many apps have call permission, but TnC on monitoring calls is new high
— Srikanth ஸ்ரீகாந்த் (@logic) April 16, 2017
The liability of NPCI has also been questioned, as the umbrella organisation for all retail payment systems in India says in the app's terms and conditions that it "does not hold out any warranty and makes no representation about the quality of the UPI services or BHIM application".
Srikanth is not the only one who exposed the privacy issues associated with the BHIM app. Other users have also highlighted the clauses that suggest a serious breach of user privacy.
Since Indian Prime Minister Narendra Modi has endorsed a lot of UPI apps, there should be a standard operating procedure and checklist for such apps, which need to be reviewed properly before they are approved, according to Anivar A Aravind, a Bengaluru-based IT professional.
.@NPCI_BHIM @narendramodi @PMOIndia @CashlessConsumr @pbhushan1 @MamataOfficial @quizderek @SitaramYechury @ShashiTharoor Since @narendramodi endorsed apps are increasing, I think this is high time for PMO to prepare a Standard operating procedure and checklist
— Anivar Aravind (@anivar) April 16, 2017
The BHIM app has been mired in controversy ever since its launch. Various reports said in January that over 40 fake BHIM apps were spotted in the Google Play Store, making it difficult for consumers to identify the genuine one. While some reports criticised the app as buggy, some users also claimed that Rs1.50 was deducted from their mobile balance after they first downloaded the BHIM app following its launch.
"Development of digital payments is crucial as we advance as a nation. However the development must always be inclusive, considering all stakeholders," Srikanth said, adding that consumers are currently under-represented in policies and digital initiatives, which need to be changed.