Millions of users, who have downloaded the BHIM app, may not be aware of the fact that they have authorised the NPCI to track their phone calls. (Credit: Google Play Store)

At a time when the Indian government is glorifying the success of the indigenous digital payments app BHIM, which is said to have crossed 18 million downloads since its launch in December 2016, many privacy activists have claimed that the app has serious privacy issues that many of those millions of users may be unaware of.

According to Srikanth L, a Hyderabad-based software professional who has been driving awareness campaigns to educate consumers about digital/cashless payment systems, there are potential surveillance and privacy issues with the BHIM app and its terms and conditions.

Srikanth said that the BHIM app's terms and conditions authorise the National Payments Corporation of India (NPCI), a non-government, not-for-profit entity operated by banks, to manage and record users' phone calls.

Although the permission to manage phone calls is likely intended to obtain the IMEI (International Mobile Equipment Identity) of registered devices, it could legally authorise NPCI to ask any telecom operator to provide recordings of users' calls.

BHIM app's terms and conditions authorise the NPCI to manage and record users' phone calls. (Credit: International Business Times, India)

In addition, all transactions and communications through any UPI app, not just BHIM, have the geo-location of the UPI user embedded in them.

So is the BHIM app part of a state-backed snooping attempt targeted at consumers?

Srikanth declined to comment on that, but he told International Business Times, India that "the terms and conditions give a non government body NPCI, the legal approval by consumer to snoop".

Interestingly, the terms and conditions in the Android version of the app are available only during installation. But once the app is installed, users cannot access them for future reference even though the app and its terms and conditions update automatically, and users tend to accept the latest version. However, iOS users can access the terms and conditions post installation.

Users cannot access the terms and conditions after the installation of the Android version of the BHIM app. (Credit: International Business Times, India)

"Users are accepting to sweeping terms and conditions and their consent is taken once even though TnC keeps changing. While this practice was harmless when it came to Facebook/random social networking sites, this is anti-consumer and cannot be consumer friendly when it comes to banking/payment apps," Srikanth said.

There is a PDF version of the BHIM app's terms and conditions hosted on the NPCI website, but it is not easily available and requires consumers to search for it. According to Srikanth, there are many differences between the two versions as well.

The liability of NPCI has also been questioned, as the umbrella organisation for all retail payment systems in India says in the terms and conditions for the app that it "does not hold out any warranty and makes no representation about the quality of the UPI services or BHIM application".

Srikanth is not the only one who exposed the privacy issues associated with the BHIM app. Other users have also highlighted the clauses that suggest a serious breach of user privacy.

Since Indian Prime Minister Narendra Modi has endorsed a lot of UPI apps, there should be a standard operating procedure and checklist against which such apps are properly reviewed before they are approved, according to Anivar A Aravind, a Bengaluru-based IT professional.

The BHIM app has been mired in controversy ever since its launch. Various reports said in January that over 40 fake BHIM apps were spotted in the Google Play Store, making it difficult for consumers to identify the genuine one. While some reports criticised the app as buggy, some users also claimed that Rs1.50 was deducted from their mobile balance after they first downloaded the BHIM app following its launch.

"Development of digital payments is crucial as we advance as a nation. However the development must always be inclusive, considering all stakeholders," Srikanth said, adding that consumers are currently under-represented in policies and digital initiatives, which needs to change.