A black smartphone displaying the KOKO app interface, showing a balance of "Rs. 16,125" and various sections like "KOKO Food," "KOKO Travel," and a prominent banner "NOW ACCEPTS KOKO." The phone is lying diagonally on a wooden table.

I’ve got a Problem with Koko!

Before the arrival of Mintpay and Koko, “Buy Now Pay Later” or interest-free easy payment schemes were available only to Credit Card holders and buyers with guarantors (as far as my knowledge permits). The aforesaid Fintech apps, however, allow consumers to pay in instalments using even a debit card. Apps like Koko by Daraz let you pay even for a pair of pants or a shirt with interest-free instalments. Sounds fantastic, or is it? Recently, while fooling around with the Mintpay app, I realized it doesn’t have Multi-Factor Authentication and wanted to see whether Koko is the same. Forget about Multi-Factor Authentication. What happened after installing the app was a total invasion of my online privacy (even before making my first purchase through the app). Keep on reading to find out what happened. I hope my thoughts will help you protect your privacy if you are planning to use the app in future. [Image Credit: Mayur Roshen from SR Productions]

Koko’s dodgy App Permissions

As soon as I installed Koko and launched the app, it requested permission to access my phonebook contacts. The reason? To provide me with a better service. Seriously? I immediately refused, but if a clueless user who has my contact details on his device happens to install the app and blindly grants permission to access his phonebook contacts, the app has immediate access to my phone number and email address at least. Although the privacy policy addresses this behaviour, it sounds evasive and therefore unhelpful. More on that later.

Unsolicited & Unethical Emails

I call emails from Koko unsolicited on three grounds. First, I did not sign up for an electronic newsletter. Never! Second, the frequency. I receive marketing emails from them almost every day and sometimes more than one email within 24 hours. Third, I can’t opt out of their marketing emails because there’s no way to unsubscribe. They’re not supposed to contact me via my login email address unless it’s a must. Not for marketing purposes. These reasons make their emails highly unsolicited.

It is illegal in many countries, including the US and the EU, to send unsolicited email newsletters without including an option for recipients to unsubscribe. This is in accordance with laws such as the CAN-SPAM Act in the US and the General Data Protection Regulation (GDPR) in the EU. Sri Lanka probably doesn’t have any rules and regulations governing email campaigns, and Daraz and Koko may be taking advantage of the loophole. It makes these email communications highly unethical.

High-volume Push Notifications

As if bombarding me with unsolicited and unethical emails isn’t enough, the Koko app is very good at frequently annoying me with high volumes of “Push Notifications”. Although it’s not illegal for smartphone apps to push notifications without the end user’s consent, receiving such large volumes of “Push Notifications” for promotional purposes is a major annoyance. Fortunately, I am quite tech-savvy and I was able to block further push notifications using the settings in Android. If you want to know how, check these instructions from Google and Apple.

The highly evasive Privacy Policy

It’s the reason that compelled me to dig into their privacy policy, and I spotted something vague but interesting. (We usually don’t take time to read privacy policies, right?) The Koko Privacy Policy says: “While Credolab’s mobile technology may scan and process your phone book contacts on your mobile device and may have the ability to send names and contact details to Credolab’s servers, the names and contact details are NOT sent to Credolab’s servers.” What is the conclusion the end users are supposed to draw here? Does the app access and send the phone book contacts to Credolab’s servers or does it not? Nobody but the developers behind Koko, Daraz and Credolab (a third-party data analytics firm) knows the answer.

Wrap Up

A tweet by one Andrew Lewis that is being mass-retweeted says, “If you are not paying for it, you’re not the customer; you’re the product being sold.” Now, whatever you order through Koko, you have to pay for it. However, when a business establishment offers you an attractive deal, it’s because they have something big to gain. Not because they care about your well-being. In this case, it’s the data about you. (In this century the most valuable commodities are time and data.) Although on March 18th, 2022, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (the “Act” or “PDPA”), thereby becoming the first South Asian country to enact comprehensive data protection legislation, I am not certain how effective it is. Besides, the law can be misinterpreted, exploited, and manipulated. I do not know whether Koko is guilty of the same, but I do have a problem because of my experience with the app.

