Facebook has been collecting call records and SMS data from Android devices for years. Several Twitter users have reported finding months or years of call history data in their downloadable Facebook data file. A number of Facebook users have been spooked by the recent Cambridge Analytica privacy scandal, prompting them to download all the data that Facebook stores on their account. The results have been alarming for some.

“Oh wow my deleted Facebook Zip file contains info on every single phone cellphone call and text I made for about a year,” says ‏Twitter user Mat Johnson. Another, Dylan McKay, says “somehow it has my entire call history with my partner’s mum.” Others have found a similar pattern where it appears close contacts, like family members, are the only ones tracked in Facebook’s call records.

Ars Technica reports that Facebook has been requesting access to contacts, SMS data, and call history on Android devices to improve its friend recommendation algorithm and distinguish between business contacts and your true personal friendships. Facebook appears to be gathering this data through its Messenger application, which often prompts Android users to take over as the default SMS client. Facebook has, at least recently, been offering an opt-in prompt that prods users with a big blue button to “continuously upload” contact data, including call and text history. It’s not clear when this prompt started appearing in relation to the historical data gathering, and whether it has simply been opt-in the whole time. Either way, it’s clearly alarmed some who have found call history data stored on Facebook’s servers.

Facebook hasn’t been able to collect this data on iPhones thanks to Apple’s privacy controls

While the recent prompts make it clear, Ars Technica points out the troubling aspect that Facebook has been doing this for years, during a time when Android permissions were a lot less strict. Google changed Android permissions to make them more clear and granular, but developers could bypass this and continue accessing call and SMS data until Google deprecated the old Android API in October. It’s not yet clear if these prompts have been in place in the past.

Facebook has responded to the findings, but the company appears to suggest it’s normal for apps to access your phone call history when you upload contacts to social apps. “The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with,” says a Facebook spokesperson, in response to a query from Ars Technica. “So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”

The same call record and SMS data collection has not yet been discovered on iOS devices. While Apple does allow some specialist apps to access this data in limited ways like blocking spam calls or texts, these apps have to be specifically enabled through a process that’s similar to enabling third-party keyboards. The majority of iOS apps cannot access call history or SMS messages, and Facebook’s iOS app is not able to capture this data on an iPhone.

Facebook may need to answer some additional questions on this data collection, especially around when it started and whether Android users truly understood what data they were allowing Facebook to collect when they agreed to enable phone and SMS access in an Android permissions dialogue box or Facebook’s own prompt.

In a blog post published Sunday, Facebook clarified how the data collection works and that the feature is opt-in, but the company did not say why it needs the data or what it uses it for. The blog post also fails to address why the data is collected under the auspices of a contact upload.

The data collection revelations come in the same week Facebook has been dealing with the fall out from Cambridge Analytica obtaining personal information from up to 50 million Facebook users. Facebook has altered its privacy controls in recent years to prevent such an event occurring again, but the company is facing a backlash of criticism over the inadequate privacy controls that allowed this to happen. CEO Mark Zuckerberg has also been summoned to explain how data was taken without users’ consent to a UK Parliamentary committee.

Update, 11:30AM ET: Article updated to provide more information on the opt-in dialogue box.

Update at 5:37PM ET, Sunday, March 25th: Added link to Facebook’s new blog post on the subject.