Some apps are apparently storing people’s information without their consent

There are several security apps that can help you block unknown callers and even identify who’s calling.

However, a report has revealed that such apps also add users’ contact information to their databases. The information can then be used by anyone.

An investigation by Factwire has found that websites for these apps allow users to connect any number with a name even if they haven’t downloaded the app. However, numbers cannot be obtained by merely entering a name.

Apps such as Truecaller, Sync.me and CM Security block spam calls and feature “reverse-look up” functionality for numbers users do not recognise. What many don’t know is that these apps also upload their phones contacts to databases upon installation, essentially gathering contact information without the owner’s knowledge.

The BBC has found that many British numbers including that of former prime minister David Cameron are also listed. Security researcher Rik Ferguson of Trend Micro also had his contact on Truecaller’s database.

Speaking to the BBC, he confirmed he had never used the app or consented to having his number stored. “Data can only be collected for specific, explicitly stated and legitimate purposes, may not be kept for a longer period than is necessary and crucially only with the explicit and informed consent of the data subject,” he said.

Some of the apps have over a billion contacts saved on their databases, a cause for concern. Truecaller, which suffered a security breach in 2013, insisted no sensitive information had been exposed in the cyber-attack.

Truecaller told the BBC that the app ensured that its data stored in Sweden remained secure and information was not shared with external organisations. “Truecaller is not in violation of the data protection laws in Sweden, nor across the EU as a whole” a statement from the company read.

One of the apps, CM Security, has now halted its reverse-look up function. Most of the apps do mention in their terms and conditions that users should have permission from their contacts before giving out their data.

This article originally appeared on BBC.