I’ve got a Problem with Koko!

Before the arrival of Mintpay and Koko “Buy Now Pay Later” or interest-free easy payment schemes were available only to Credit Card holders and buyers with guarantors (as far as my knowledge permits). The aforesaid Fintech apps however allow consumers to pay in instalments using even a debit card. Apps like Koko by Daraz let you pay even for a pair of pants or a shirt with interest-free instalments. Sounds fantastic, or is it? Recently while fooling around with the Mintpay app, I realized it doesn’t have Multi-Factor Authentication and wanted to see whether Koko is the same. Forget about Multi-Factor Authentication. What happened after installing the app was a total invasion of my online privacy (Even before making my first purchase through the app). Keep on reading to find out what happened. I hope my thoughts will help you protect your privacy if you are planning to use the app in future. [Image Credit: Mayur Roshen from SR Productions]

Koko’s dodgy App Permissions

As soon as I installed Koko and launched the app it requested permission to access my phonebook contacts. The reason? To provide me with a better service. Seriously? I immediately refused but if a clueless user who has my contact details on his device happens to install the app and blindly grant permission to access his phonebook contacts the app has immediate access to my phone number and email address at least. Although the privacy policy addresses this behaviour it sounds evasive and therefore unhelpful. More on that later.

Unsolicited & Unethical Emails

I call emails from Koko to be unsolicited on the account of three grounds. First, I did not sign up for an electronic newsletter. Never! Second, the frequency. I receive marketing emails from them almost every day and sometimes more than one email within 24 hours. Third I can’t opt out of their marketing emails because there’s no way to unsubscribe. They’re not supposed to contact me via my login email address unless it’s a must. Not for marketing purposes. These reasons make their emails highly unsolicited.

It is illegal in many countries, including the US and the EU, to send unsolicited email newsletters without including an option for recipients to unsubscribe. This is in accordance with laws such as the CAN-SPAM Act in the US and the General Data Protection Regulation (GDPR) in the EU. Sri Lanka probably doesn’t have any rules and regulations governing email campaigns and Daraz and Koko may be taking advantage of the loophole. It makes these email communications highly unethical.

High-volume Push Notifications

As if bombarding me with unsolicited and unethical emails isn’t enough the Koko app is very good at frequently annoying me with high volumes of “Push Notifications”. Although it’s not illegal for smartphone apps to push notifications without the end user’s consent, receiving such large volumes of “Push Notifications” being pushed for promotional purposes is a major annoyance. Fortunately, I am quite tech-savvy and I was able to block further push notifications using the settings in Android. If you want to know how to check these instructions from Google and Apple.

The highly evasive Privacy Policy

It’s the reason that compelled me to dig into their privacy policy and I spotted something vague but interesting. (We usually don’t take time to read privacy policies, right?) The Koko Privacy Policy says: “While Credolab’s mobile technology may scan and process your phone book contacts on your mobile device and may have the ability to send names and contact details to Credolab’s servers, the names and contact details are NOT sent to Credolab’s servers.” What is the conclusion the end users are supposed to draw here? Does the app access and send the phone book contacts to Credolabs’ servers or does it not? Nobody but the developers behind Koko, Daraz and Credolab (A 3rd Party Data Analytics Firm) know the answer.

Wrap Up

A tweet by one Andrew Lewis that is being mass-retweeted says, “If you are not paying for it, you’re not the customer; you’re the product being sold.” Now whatever you order through Koko you have to pay for it. However, when a business establishment offers you an attractive deal it’s because they have something big to gain. Not because they care about your well-being. In this case, it’s the data about you. (In this century the most valuable commodities are time and data.) Although On March 18th, 2022, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (the “Act” or “PDPA”) thereby becoming the first South Asian country to enact comprehensive data protection legislation, I am not certain how effective it is. Besides the law can be misinterpreted, exploited, and manipulated. I do not know whether Koko is guilty of the same but I do have a problem because of my experience with the app.

---

If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.