The mobile phone numbers of former Prime Minister David Cameron, Labour leader Jeremy Corbyn, celebrities and millions of other people are being stored in databases that can be searched by the public.
Rory Cellan-Jones, Technology correspondent
While the numbers cannot be obtained simply by entering a name, data watchdogs are concerned about the way the information has been gathered.
These databases have been compiled by phone apps that promise to block spam calls and let people “reverse-look up” calls from numbers they do not recognise. But it appears many of the names and numbers have been gathered without their owners’ knowledge.
The apps, which include Truecaller, Sync.me and CM Security, ask users to upload their phone’s contact lists when they install them. That means they end up with huge databases – one app claims to have two billion numbers while another claims more than a billion.
These can then be searched to connect any number with a name, although you cannot put in a name and get a number. Searches can be conducted on the app provider’s website without even installing the software.
The issue has been highlighted by Factwire, an investigative journalism organisation that found the numbers of leading Hong Kong lawmakers had been stored in the systems.
The BBC has found that many British numbers are also listed – including those of Mr Cameron, Mr Corbyn, Transport Secretary Chris Grayling, the Olympic diver Tom Daley and the music producer Pete Waterman.
We had those numbers already, as did Hong Kong-based Factwire when it conducted its searches.
Many numbers appear to be stored in the databases without the knowledge or consent of their owners.
For example, we found the number of the security researcher Rik Ferguson of Trend Micro in the database of Truecaller, which is based in Sweden. He told us he had not installed the app and had not consented to having his number stored.
He described the app as “highly deceptive” and questioned whether it broke data protection regulations.
“Data can only be collected for specific, explicitly stated and legitimate purposes, may not be kept for a longer period than is necessary and crucially only with the explicit and informed consent of the data subject,” he said.
There is also concern about the security of the data. In 2013 Truecaller suffered a data breach, admitting that it had fallen victim to a cyber-attack but insisting that no sensitive information had been exposed.
Truecaller told the BBC that it ensured strict protection of user data, which was safely stored in Sweden. The company said it did not share any information with external organisations and in a statement said: “Truecaller is not in violation of the data protection laws in Sweden, nor across the EU as a whole.”
We asked the Information Commissioner, Britain’s data protection regulator, about Truecaller. The ICO told us: “UK data protection law says businesses are required to process data fairly and lawfully. We’re asking questions on behalf of UK citizens and are following up with the Swedish authorities.”
The security blogger Graham Cluley, whose mobile number is stored by one of the apps, says everyone needs to be more careful about what they share: “If you upload your address book, you’re not just putting your own privacy at risk – but the privacy of everybody else in that address book.”
Most of the apps mention in their terms and conditions that users should have permission from their contacts before sharing their data.
One of the apps, CM Security, has now halted its reverse-look up function. All of them say users can opt out if they do not want to have their numbers stored.
Additional reporting by Helier Cheung