New Delhi: Four years after Harshit Gupta dropped out of school to set up ItDoon.com, an SMS marketing firm in his home town of Dehradun, he began to notice a trend. “Somebody with a political background, say, would want to send campaign SMSes to voters in Uttarakhand, but they wouldn’t have any numbers to target,” Gupta recalls. “When I said that I didn’t have any numbers either, they’d simply take their business elsewhere.”
So, five months ago, Gupta did what any pragmatic businessman would do: He started to sell databases of mobile-phone information as well, Excel sheets full of names and numbers, sometimes running into the millions. “There are a lot of vendors out there,” Gupta says. “I just buy the databases and resell them.”
At the seamy heart of the Rs200 crore per year SMS marketing industry—and, indeed, of the far larger Rs11,000 crore per year telemarketing industry—sits a remarkable auxiliary business: the buying and selling of mobile phone numbers. Here, telemarketeers can be both retailers and customers. Every small SMS marketing shop such as ItDoon.com now offers Excel sheets of mobile numbers, and every shop makes the same claim Gupta does: “I don’t know how my sources get the databases. I simply buy them.”
This auxiliary business is responsible not only for the millions of spam SMSes sent, but also for rendering ineffectual the lone barrier that the Telecom Regulatory Authority of India (Trai) has erected against spam: the National Do Not Call (NDNC) registry, established in 2007.
These mobile number databases can get eerily specific. Jaspreet Singh, owner of a service called Database4India, which operates out of a basement in Connaught Place, says he can provide numbers by geography, or by the incomes of their owners; he can even purchase a database of all the Honda car owners in New Delhi. “Although, to be honest, not every number in that database will be accurate,” he admits. “There will be a lot of fake numbers in these really specific databases. But the generic databases, with lots of numbers, are all accurate.”
How these numbers are collated remains largely the subject of speculation, though one Trai official, who asked to remain anonymous, contends that it is “not difficult to get the information.”
Many firms use auto-diallers, trying one number after another, and compiling the results. “They can…just call in a series,” the Trai official said. “Anybody in the telecom sector knows that the 98 series is full and so is the 94.”
Even less sophisticated and even more rampant, however, is the phenomenon of data leakage—trickles of personal information that seep out of banks, schools, courier companies, employment websites, credit card companies, insurance brokers, and (if Singh’s database of Honda owners is any indicator) car dealerships. One executive at a large multinational bank, who did not want to be named, admitted that, as recently as last year, “a lot of our databases were freely out there”. He emphasized the main challenge: that the systems of vendors and data collection agents were not necessarily as secure as the bank’s own.
At one major insurance firm, several internal investigations are under way to identify and stop leaks of customer records. In this case, with their information available on the open market, customers are prime targets to be called and poached by other firms. “We’ll match this data being sold to see how accurate it is and where it’s coming from,” says one member of the investigation. “The guy we’re buying the data from is confident that he’ll be able to provide mobile numbers and policy details.”
Surprisingly, the sale of consumer information is not illegal. (The rudiments of a privacy Bill are only now being discussed, as Mint reported in June.) “A personal data protection Bill was introduced in the Rajya Sabha in 2006, but it more or less disappeared,” says Lawrence Liang, a Bangalore-based legal researcher. Some regulations approach privacy, he points out, “obliquely”. Section 72 of the Information Technology Act, 2003, for example, “provides protection against breach of confidentiality and privacy” of electronically stored data.
Another close brush with protecting customer data came in 2006-07, when the ministry of consumer affairs set up a working group to study online shopping. “We recommended that leaking data constitutes a deficiency of service and therefore be actionable under the Consumer Protection Act—and not just for online retailers, for any company,” recalls Bharath Jairaj, a Chennai-based consumer rights advocate who served on the working group. “But that recommendation is still lying with the Central government. It hasn’t been implemented.”
In the absence of such legal recourse, the NDNC registry is the sole, flimsy guardian against spam. Three years after it was established, the registry contains around 60 million mobile numbers—barely one-tenth of all the mobile subscribers in India.
Worse, even NDNC-registered numbers receive spam texts; in fact, in the world of database vending, an Excel sheet of NDNC numbers is often worth a premium.
Partly, the fault lies with the insufficiency of the NDNC filter. Registered telemarketeers should present Trai with every number they are calling or messaging; within 24 hours, Trai should “scrub” that set of numbers, winnowing NDNC numbers from others. “Barring a few exceptions, most of the scrubbing has been given back within the stipulated time,” the Trai official says, though he then admits: “There are many telemarketeers that haven’t registered.”
Trai’s scrubbing capacity is, in the face of 150 million bulk SMSes sent daily, also severely limited. For each telemarketeer login, Trai offers to scrub 0.39 million numbers every day, so companies such as ValueFirst Messaging Pvt. Ltd, which sends 50 million text messages daily, must buy multiple logins. “We have a team of 12 or 13 people who do nothing but scrubbing,” says Vishwadeep Bajaj, chief executive officer, ValueFirst. With a host of prestigious, legitimate clients, a company such as ValueFirst cannot afford the taint of spam and is, therefore, meticulous about its scrubbing.
But smaller resellers have no such compunctions. “If a customer gives me a database of numbers and assures me that they’re all opt-in customers of his, I can hardly check each one,” says Singh. In such situations, he “lifts the filter”, sending the SMSes on through a system that performs no scrubbing. “Only if I get a complaint about a particular customer will I realize that they are sending spam.”
Even when complaints are registered, they bear sparse fruit. Unregistered telemarketeers, when caught, should be disconnected; registered telemarketeers who violate NDNC protocol are levied meagre fines. “If the operator doesn’t take any action, they are penalized Rs25,000 for the first offence and Rs50,000 for the second,” says the unnamed Trai official. “But the operators don’t let it reach that stage. It’s easier for them to disconnect that account of the violator and create another one.”
The NDNC could be applied far more strongly, but that apart, few solutions appear to exist. Trai recently mooted a Do Call registry, a mirror image of the NDNC that would consist of people wanting to receive marketing messages. In consultation papers that Trai invited on the subject, the Do Call concept was almost universally scoffed at.
“It won’t work. I don’t think that even five million people would register in a Do Call list, but imagine if they do,” Bajaj says. “Then these poor guys will get 500 SMSes a day, and they’ll also drop out.” What’s needed, in his view, is enforcement, “and that’s just not happening. That’s why this industry has become so messy.”
This is the last of the two-part series on the SMS spam industry.