On February 22, while returning from his morning run, Kiran Jonnalagadda, a technologist, went to buy a coffee from a cafe in Indiranagar in Bengaluru. When the cashier asked him for his phone number while billing, Jonnalagadda refused. However, after making the payment, he was surprised that he got a message on his number from the merchant’s bank, thanking him for making the payment.
The reason? Jonnalagadda had made the payment using Unified Payments Interface, a real-time payment system developed by the National Payments Corporation of India. Since its launch in 2016, it has become widely used across India.
This experience made him question the design of UPI and the long-standing concerns about how it is not privacy-friendly. “Despite the fact that I had no intention of sharing my phone number, the merchant got my phone number,” he told Scroll.
Several privacy experts have pointed out that this data sharing is part of UPI’s architecture, which is premised on collecting huge amounts of data from users and sharing it with multiple participants involved in a particular transaction. Being data-centric is one of the reasons, they say, UPI can sustain itself without any fees, as opposed to other digital payments, such as card transactions, which cost money.
Sharing of numbers
This was not the first time Jonnalagadda got a message acknowledging a payment he made without sharing his phone number. “Earlier, I made a payment using Paytm Bank and I got an acknowledgement from HDFC Bank SmartHub Vyapar, which should not have had my number in the first place,” he explained.
He said that there was no connection between what he was using to pay, and HDFC Bank. “Either my UPI app or my bank shared the phone number as part of the transaction data,” he explained.
Jonnalagadda continued, “I have used payments from two different phone numbers, and both times they got the correct number.”
There are other users who have also complained of getting messages from HDFC Bank SmartHub Vyapar, a payment solution system for businesses having an HDFC account.
On March 4, a Twitter user, Pratyush, with the handle @pratyushpmhptr, also tweeted that his UPI service provider shared his phone number with the point of sale machine and the merchant after he made the payment.
“Can someone tell me why @PhonePe and @UPI_NPCI send my phone number to the PoS operator and the merchant after I scan and pay?” he wrote. “Share my VPA [virtual payment address] if you need to keep a record.” [The virtual payment address is the UPI ID to which one can make a payment, such as 98*****21@paytm.]
Apart from these instances, even the author of this piece got a message from HDFC Bank SmartHub Vyapar on his phone after making a UPI payment, despite not sharing his phone number and not using an HDFC Bank UPI.
How did the data get shared?
Jonnalagadda, who is the founder of Hasgeek, a tech collaboration organisation, believes that the UPI system allowed the sharing of his phone number when he made the payment.
“I have verified from industry sources that UPI specification requires the sender side [which is making the payment] to send a phone number,” he said. “The app itself requires the phone number to be added when you send the payment.”
Jonnalagadda believes this specification was not part of the first version of UPI introduced in 2016, but was added in its later updates. “Sharing of numbers is a part of UPI 2.0,” he said. UPI 2.0 was the second version of the payment interface introduced in 2018, and included several new features, such as recurring payments.
As part of UPI, all the parties involved in the transaction get a copy of a person’s payment address and phone number. “Everybody gets a copy of this data. That is how the system works,” he said.
Srikanth Lakshmanan, a member of Cashless Consumer, a collective working on digital payment awareness in India, also believed that the number was shared as part of the UPI specification. “Often, your phone number is part of your virtual payment address, because of which, one could argue, the number was shared. But in Jonnalagadda’s example, this was not the case,” he said.
“The merchant got the number through the transaction, and then used it to send a message, which a user never consented to,” he added.
Scroll sent questions to the National Payments Corporation of India, the organisation responsible for regulating UPI, but did not receive a response at the time of writing the story.
Further, the data-sharing policies of UPI are not available to the public. Therefore, it is unclear whether the number that the HDFC app got was also shared with the retailer using these services.
UPI data leaks
Jonnalagadda uses two separate numbers. One number is for public purposes and the other he does not share with anyone, except his bank and his UPI app. However, even the private number has been “leaked” to spammers, he believes.
“I have also been getting spam calls on my number, which only my bank and my UPI app are supposed to know,” he said.
In a UPI transaction, there are at least seven parties involved, Jonnalagadda had earlier explained at a conference. There are the UPI apps of both the sender and the receiver, the banks linked to the UPI IDs, the banks processing payments for UPI apps and the National Payments Corporation of India.
“All these parties get a slice of the transaction data,” Lakshmanan said. “This is built into the UPI system, which works on the model of ‘data maximisation’ – collecting and sharing as much data as possible.”
He continued, “Therefore since there are so many parties involved, it is difficult to pinpoint how Jonnalagadda’s number, which is supposed to be private, got into the spam network.”
The amount of data shared on the digital spending habits of consumers is significantly more in UPI as compared to traditional forms of digital transactions. “In a card payment system, such as credit cards, there are fewer parties,” Lakshmanan explained. “Further, the data stored is not identifiable, since it stores credit card numbers, that too in a redacted fashion.”
There are also strict guidelines about how this data is stored under traditional digital payment systems. For example, credit card systems around the world follow the Payment Card Industry Data Security Standard, or PCI DSS, a global standard for storing data. “However, UPI does not have any such standards,” he said.
Further, the entire UPI ecosystem is based on a person’s phone number, which is easy to obtain, Lakshmanan said. This, he believed, poses privacy risks and allows for large-scale data mining to analyse the income and spending patterns of users. “And since India does not have a vibrant data protection law, how this data is processed and stored is not properly monitored,” he said.
UPI’s data maximisation model could be the reason why the service is still free. Presently, the government has a “zero-charge mandate” for UPI, which means that platforms cannot levy a fee for users and merchants.
“The government could have various incentives in mind, to promote UPI,” said Lakshmanan. “Such as expanding and deepening formal credit and making the population dependent on credit to have ‘economic growth’. It can also have other unstated goals.”
Even Nandan Nilekani, the Infosys co-founder, who has been closely involved in developing UPI, has emphasised the use of UPI data to expand the lending market.
Only selected services, such as mobile recharges or payment for utilities, are charged, and the government has a Rs 1,5000 crore budget to promote UPI. However, according to The Ken, several stakeholders want to charge fees to foot the bill for UPI, since these revenue sources are not enough.
But since that is not happening, companies may have to resort to other ways to make money. Said Jonnalagadda, “The lack of merchant discount rate [charges for processing debit and credit card payments] is a disincentive to all middle parties in the transaction – banks and apps, so they are forced to cope by upselling other services or collecting data and looking for data monetisation opportunities.”
Srinivas Kodali, a researcher with the Free Software Movement of India, said that the UPI specification itself pushes for large data collection which is used both for fraud detection and also for profiling the consumer. In 2018, Paytm alleged that Google Pay was sharing data with its group companies and third parties, and for advertising purposes.
“This can then be used to provide loans at higher interest rates,” he explained.
Sometimes loan companies may collect extensive data which could lead to the invasion of a user’s privacy. Kodali pointed out that loan companies have started using contact list data to harass people for recovery.