Apple continuously stores customers’ call history on its iCloud servers for as long as four months, cautioned Elcomsoft, a Russian computer forensics firm, on Thursday.
Anyone who uses an iPhone or iPad automatically transmits this private information—including phone numbers, dates, and length of calls—to Apple when iCloud is enabled, the firm said. Privacy buffs will note that Apple can provide law enforcement with the encryption keys that unlock the data because the company holds onto these data-unscrambling cryptographic secrets.
Get Data Sheet, Fortune’s technology newsletter.
In addition to logging regular call history, Apple appears to be keeping records of metadata associated with FaceTime calls at least since the introduction of the iOS 8.2 version of its mobile software in March 2015, The Intercept reports.
It’s worth noting that FaceTime employs end-to-end encryption that protects the audio and visual content of messages sent over the service, as Apple’s security guide lays out. Elcomsoft said that its findings contradicted other statements in the iOS security guide, however.
For instance, Apple says that it “has no information as to whether the FaceTime call was successfully established or duration of a FaceTime call” and that “FaceTime call invitation logs are retained up to 30 days.” Elcomsoft, on the other hand, said it found that iCloud accounts do indeed retain this information.
“Synced data contains full information including call duration and both parties,” Katalov wrote in his post. He added that “we were able to extract information going back more than 4 months ago.”
Apple also appears to retain the metadata records associated with popular communications apps that rely on Apple CallKit, the company’s voice integration tool, since its debut of iOS 10, Elcomsoft said. Among the set are Microsoft’s (MSFT) Skype, Facebook’s (FB) WhatsApp, and Viber.
For more on iPhones, watch:
Elcomsoft further noted that when someone downloads synced call logs, users are not notified, unlike when iCloud backups are downloaded. Katalov said that this “effectively allows spying upon you without you even knowing.”
Elcomsoft gained notoriety in 2014 when a hacker reportedly used the company’s software to download personal photos of celebrities from their iCloud accounts.
Apple did not immediately reply to Fortune’s request for comment. A company spokesperson provided the following statement, however, to Forbes, which first reported the news, as well as The Intercept: “We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers’ data.”
“That’s why we give our customers the ability to keep their data private,” the note continued. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”
Hackers looking to get their hands on people’s call histories can be foiled by two-factor authentication, an essential security feature that adds an extra layer of security to online accounts, Elcomsoft said. Those looking to keep their communications logs from the eyes of prying government authorities might have more to worry about, though.
Of course, investigators can also obtain call records from telecom providers. Chris Soghoian, chief technologist at the American Civil Liberties Union, told The Intercept that he was more worried about other aspects of iCloud’s data management.
“The fact that iCloud backs up what would otherwise be end-to-end encrypted iMessages is far worse in my mind,” Soghoian said. “There are other ways the government can obtain [call logs]. But without the backup of iMessages, there may be no other way for them to get those messages.”
Apple, for its part, won acclaim from privacy buffs for its strong stance in a high-profile legal battle with the Federal Bureau of Investigation over access to the encrypted contents of an iPhone used by a terrorist. The company refused to write software that would allow the Feds to extract the phone’s PIN code and stored data, and it ultimately avoided a protracted legal battle when the FBI found an alternate means of entry via a third-party contractor.