Taking the right calls

It takes a bit of time to get Alan Mamedi, CEO and co-founder at Stockholm-based Truecaller, to talk. With good reason: His app is doing most of the talking for him. Truecaller, essentially a giant phone book, is one of the most popular smartphone apps in India, with as many as 600,000 people downloading it every week to join the existing 29 million users from the country. The company recently opened an office in Gurgaon, among other things, to pre-install Truecaller in smartphones for the Indian market. Mamedi talked to Fortune India about the idea of identity in a connected world, why Truecaller is so popular in India, data security challenges, and how the company is trying to overcome them. Edited excerpts:

How did Truecaller become so popular in India?
We decided early to go East. It was more interesting and more challenging for us. And there are many more people to work for. While a lot of companies think of going to Silicon Valley, we decided to go the other way. Besides India, we are also strong in markets like Lebanon. More than half the population there uses Truecaller.

We have 29 million users in India, and are adding about 600,000 a week. That’s about 50% of our growth. Most of them are from the bigger cities, with a population of over 10 million. We block around 2.5 million spam calls a day.

In India, we have noticed that people don’t pick up their phones until Truecaller searches and tells them who the caller is. We have a big challenge to scale up backend and systems because if there is a delay in getting the search result, the operators might have a problem: No one will take calls (laughs). We have become successful because we are solving everyday problems: Who’s calling? Is it spam? People here are looking for tools to identify [phone numbers].

We have been transparent from day one in saying what we do and what kind of permissions we ask for [from users]. My phone number is on our website. I want people to feel that they can call me if they have a question.

Do they call?
Every day, from all over the world. I am fine with that because this is my baby.

What is the role of the India office?
We have 40 full-time and 30 part-time employees globally, and one person in Gurgaon. We are working here with OEMs [original equipment manufacturers] for business development. There are lots of apps in the market, so it’s a challenge.
You are not as popular in China, the other big market.
China is a different ecosystem. There is no Google Play but we are available on all Chinese app stores. We haven’t made a big effort to grow there but will probably do that.

What is the pre-installed vs. downloads ratio?
Downloads account for 99% of our growth. We recently started tieups with OEMs. We are trying to strike OEM deals globally, but you need to have a strong brand. In India, we are pretty strong.

What is the financial arrangement in these deals?
It’s usually about OEM customisation [like adding the OEM’s logo to the Truecaller widget]. We have different ways of sharing revenues. If you have tried our service, you will know that we have premium services. I can’t go into details but customisation is mostly the feature that OEMs appreciate. In India we have partnerships with Gionee, Karbonn, Celkon, and Micromax and we have partnered Nokia on the recently launched Nokia X platform. We try to talk with everyone. But I think it is more fun to work with entrepreneurs. If you go to visit those companies you will see the same kind of spirit that you see in our office. People are really engaged. I do identify with every entrepreneur I meet—in the mobile space, the vehicle space, anywhere. You can see they want to solve problems. That doesn’t mean that I would exclude Samsung. That would be a golden deal to get. The thing with bigger corporations like Samsung is that they have longer processes.

What will Truecaller be in five years?
The cellphone has become a time-consuming machine. People call ten times a day. Recently we launched a feature called People in Common [it helps the recipient decide whether to take a call from an unknown caller, based on the number of people the caller and the recipient know in common]. Another feature, People You May Know, is similar to the one on LinkedIn, but is based on our own social graph, which is more accurate than LinkedIn’s or Facebook’s. Like these, many features can be built on Truecaller. Many of them require a lot of research. The technology for some of the stuff we want to do is not in place.

At the heart of Truecaller is the idea of identity and its relationship with a phone number. A phone number is a more powerful identity tool than an e-mail and Facebook is using phone number-based sign-ups. Is identity authentication a direction you could take?
We think about what’s the next mobile identity and see it as a big vision. How do you verify that a person is who he or she claims to be? Many people don’t have social security numbers; they just have a first name, and so forth. I think it’s an interesting area. We don’t have any plug-ins [like application programming interfaces] with other developers to authenticate their users, even though we can do that. What does it bring to the end user? Probably We think about what’s the next mobile identity and see it as a big vision. How do you verify that a person is who he or she claims to be? Many people don’t have social security numbers; they just have a first name, and so forth. I think it’s an interesting area. We don’t have any plug-ins [like application programming interfaces] with other developers to authenticate their users, even though we can do that. What does it bring to the end user? Probably a lot, if you could use a tool without entering your number because you have Truecaller installed. Initially, we thought, ‘Should we have verification through e-mail?’ But not everyone has e-mail and even if they have it, not everyone has it on their phone.

There have been instances of Truecaller being used in law enforcement. That’s a problem for a lot of digital companies of late.
I have been reading news items saying that law enforcement agencies have been using our app [to identify phone numbers like normal users]. I don’t see any reason why I should stop certain people from using it. But all the interaction with the app is encrypted and it’s not possible for them [law enforcement] to read the traffic. For us, that’s very important.
Our hardware is located in Sweden and we have our own servers. We took a decision early on not to use cloud-based services. You don’t really know where your data is [if you are using cloud]. For us, it’s critical that we have control over our data. It’s old school to host your own machines but we decided to go with it because we work with a lot of data and try to create various social graphs. In the end, it’s users’ data and it’s important that they get a sense of trust.
In the early days, it is probably more expensive [to own servers]. But if we were to put our technology on Amazon [cloud], it would be very expensive because we have so much traffic. Our users make 800 million searches every month. If that goes through Amazon, we would go bankrupt. Well, not really, but... (smiles)

You had an instance of intrusion last year. How big a problem is it to have people with malicious intent snooping around?
I can’t speak for other companies, since I don’t have their statistics, but the bigger you become, the bigger you get as a target. For us, what happened last year was very unfortunate. They managed to access our website. However, it is important to understand that the website itself is isolated from the whole Truecaller backend. We were using WordPress which had some loopholes. Since then we have not been using WordPress. My background is in network engineering and security. Our goal is, every person we recruit should be better than the previous one. So we want to make sure we always have a world-class team of backend and security people with a lot of security might. Having your servers hosted internally gives you a great advantage because you can control so much.

Is the nature of data security today more reactionary regarding threats?
We have people constantly scanning for loopholes. We do this proactively, making sure every line of code written is reviewed. I think a lot of companies do this. I think most of these [intrusions] are related to small issues like SSL encryption, rather than big ones, where someone actually hacks into machines. It is more about sniffing data. I think users too need to be aware that the world is changing and it’s up to them to stop for a while and think, ‘Do I really want to post my baby’s picture on Facebook?’ Not everyone is thinking, taking a step back.

You have had privacy problems yourself.
I don’t think we have had privacy problems like that. Such instances come from not understanding the product; you cannot get someone’s phone number from Truecaller without them actually giving access to it. It’s based on permissions. However, if you enter a number, you might get some details about it. But then, if you have the number, you can just call and ask the person who they are. We always give the user an option to share their contact information because that’s what it is all about.