Organizations desire to adopt best practices around data which are aligned with the risk management approaches they have in place. With increasing complexity around privacy and data security, it is necessary to gain deep understanding of the strategic directions adopted at some of leading organizations in India. With this intent, the Privacy Mode Fellowship programme was put together to work with practitioners who document easily adopted practices that are flexible and are based on well understood design principles. The Best Practices Guides provides a quick introduction to some of the topics which receive a lot of attention.
The Privacy Mode Fellowship programme considered the following themes while publishing the Call for Submissions:
- Data protection/security practices.
- Consent frameworks tied to purpose use limitations.
- Data rights.
- Encryption practices.
- Ankita Roychoudhury and Yashodhara Shukla , Frappe Technologies Private Ltd.
- Pratyush Pullela, Doosra, Ten20 Infomedia Pvt. Ltd.
- Rohan Verma, Zerodha Broking Ltd.
- Sathish KS, Zeotap
The following abstracts provide an insight into the topics covered by them. The abstracts are linked to the complete reports:
- Frappe: GDPR Compliance for ERP
- Doosra: Protecting your mobile number
- Zerodha: Data protection, security and privacy practices
- Zeotap: Privacy in Data as a Service (DaaS) business
- Anwesha Sen - Programme Coordinator
- S Kannan - Technical Writer
- Anish T P - Illustrations
- Stephanie Browne - Product Support
- David Timethy - Administration
1. [Uzma Barlaskar](https://www.linkedin.com/in/uzmabarlaskar/), Head of privacy and growth at WhatsApp. 2. [Anand Venkatanarayanan](https://twitter.com/iam_anandv), Independent cybersecurity researcher. 3. [Sankarshan Mukhopadhyay](https://www.linkedin.com/in/sankarshan/), Editor at Privacy Mode.
View acceptance criteria for the fellowship program 👉 here
Data Protection and Security Practices at Doosra
Statement of Purpose
The problem that we at Doosra are trying to solve is simple, with a wide ambit of uses across multiple platforms. We are solving the issue that plagues people daily - is it is prudent to share our number on XYZ platform and what can be the ramifications of doing so? When was the last time any of us had to share our number on a website and had to think twice if it is safe to do so? We have most likely lost count of such instances.
Let's take a step back and look at the reason for us thinking this way. Why do people (or at least most people) hesitate to share their phone numbers anywhere and everywhere? Here are 2 primary reasons:
- Calls and Messages from completely unwarranted sources
- The phone number is a mandatory requirement for nearly every important service - Banking, Aadhar linking, 2FA for various platforms we use
The first problem is that it adds to the mental burden that we already face in this highly connected world. Precious minutes of our time and focus is taken away due to communication that holds no value. Then there are things like prank calls, scam calls, incessant follow-ups from some service providers.
The second problem is where a user's data can potentially be compromised. It is well-known that numbers are not safe once shared. They are shared between multiple parties.
Case in point - Enter a number on an online insurance portal and you'll get at least 3 other calls from other providers.
When this happens with an identifier like a mobile number that is used for literally every service we use today, it's not a surprise that there is a rising number of cases of fraudulent activity. A simple SMS with a link can leave our phone compromised which enables the perpetrator to gain access to critical information like your Name, Date of Birth, and other such information. This can now be used to bypass security questions and even get a new SIM issued to them after which they can access anything that needs an OTP. While OTP as an authentication mechanism is quite robust and safe, it no longer is if someone else can get them.
This is where Doosra comes in. We solve both the problems mentioned above. Our virtual number works as a layer above the primary number that helps one share it without thinking twice. We provide a mobile app interface to manage the number and every call is blocked by default. Only numbers that are whitelisted can reach the user, in which case we forward this call to the primary mobile number. Even then the primary number is unknown to the caller. SMSes can be read on the mobile app or can be left untouched basis the user's choice. Notifications are again consent-based, users can give out their Doosra number, switch OFF their app notifications and forget about receiving any unwarranted call or message notifications.
This way users can gradually take back control of their privacy. Now the question is asked about us being an aggregator of these messages and services, and why we wouldn't do the same as others and monetize the data. Well, what we do not have in common with the others is that we are a paid product and have made that decision right at the inception of our service that we will continue to be paid. This allows functioning without having any need to monetize user data and this is a foundation that our product is built on - Privacy.
Data Security Practices
Moving on to the user data security aspect, here's how we safeguard customer data:
- Sensitive Data like credit card or bank information is not stored at all on our servers
- We collect payments via Razorpay and only get certain metadata about the payment like the method used and the last 4 digits of the credit card
- Users mostly interact with Doosra via their mobile app - We make sure to take minimal permissions and any feature that requires extra permissions is completely consent-based
- Example - A certain feature in the app requires access to the user's location, the user can choose to not use that feature but continue to use the app as usual
- We are a completely ad-free platform and do not collect any personally-identifiable user data on the mobile app
- SMSes are encrypted with unique encryption keys for each user
- User-level data is never shared with any third party whatsoever the case
- Data Analysis is limited to aggregate data and any data provided in reports is based on a unique internal identifier which limits the scope of any number (Primary or Doosra) from being leaked
- When a user chooses to not renew their subscription, their entire messages and calls data is automatically purged 18 months after their account termination
- Periodic cybersecurity audits to figure out any major chinks in our security practices
Furthermore, over the next few months, we are planning on an architectural change wherein:
- User data is pseudonymized where any Personal Identifiable Information (PII) is decoupled from all other data
- All the applications will work with these pseudo identifiers as user IDs instead of storing any PII data within their systems
As an organization that values privacy, we are always looking at improving our data security practices and believe it is an ever-evolving scenario where reassessing and improving is the key to ensuring that the user's privacy and data are protected to the best of our ability. Being part of this fellowship can help us learn and understand from other practitioners and mentors to add value not only to our own users but also to anyone looking to shore up on their user privacy and data security practices.
Doosra Till Date
We launched Doosra in September 2020 and have to date associated with close to 8000 users who have collectively received close to 2.2M SMSes of which 41% of SMSes have been identified as spam either by our system or the user. We have also processed 847,000 calls of which 80.2% were auto-blocked i.e. wasn't forwarded to the users.
Going forward we want to be known as a go-to service to protect user anonymity.
I am the Product Lead at Doosra and am part of the founding team. We started work on Doosra in November 2019 and I have since been associated with Doosra. As part of such a young company, I have donned multiple hats over the last two years and have a good understanding of the product and underlying technology.
Previously, I worked with the Jindal group as a Manager in the Corporate Strategy vertical. I worked on a variety of projects from acquisitions to building KPI dashboards. I have done my PGDM in Finance and Marketing from the Indian Institute of Management, Lucknow, and B.Tech from the National Institute of Technology (NITK), Surathkal.