See all of those people on your social media feeds sharing pictures from FaceApp's aging filter that show what they'll look like when they're old? Maybe you've even posted your own. What you and your friends were probably unaware of, though, is that the app that lets you share these silly photos for a quick laugh can collect a considerable amount of data about you and presents some significant security concerns.
FaceApp isn't new. The application, marketed as an artificial intelligence-powered photo editor, first launched in January 2017 and quickly went viral when people saw the extremely realistic filters that they could apply to their pictures. Since its debut just over two years ago, the app has racked up more than 1.7 million ratings in the Google Play Store and another 546,000 reviews in Apple's iOS App Store. ABC News reported that it has more than 80 million monthly users. Despite its undeniable popularity, the app first rose to prominence in part because of controversy. Just a few months after launching, FaceApp came under fire when it added "ethnicity filters" that allowed people to change their appearance to look "black," "Indian" or "Asian." The backlash against the filters was swift, and the company quickly did away with them.
FaceApp is back in fashion now thanks to the so-called FaceApp Challenge, though it's not really much of a challenge. You download the app, take a picture of yourself, apply the aging filter that shows what you'll look like in 50 years and post it online. That's all there is to it. The real driving force behind the major pickup is the fact that celebrities have taken to it in droves. Basically everyone has gotten involved in the campaign, from the Jonas Brothers to Drake to Gordon Ramsay. That has led to a resurgence in popularity among us normal folk, as well, since famous people can't have all the fun.
The problem with FaceApp's return to popularity is that it brings with it some troubling privacy concerns. Attorney Elizabeth Potts Weinstein raised the issue on Twitter, pointing out that FaceApp's terms of service give it access to a considerable amount of your information that it is free to use basically however it sees fit.
In a wide-ranging policy filled with legalese, FaceApp lays claim to a "perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license" to "use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content." Basically, FaceApp owns everything you create on the app and can use it or sell it to anyone that it would like. That includes, per the terms, any information associated with your content, including your username, real name, location, and profile photos. By simply using the app, FaceApp also states that users grant it consent to use their content even if it contains their "name, likeness, voice or persona" or anything "sufficient to indicate the individual's identity." Put a little more clearly, FaceApp owns whatever you create with the app, can use it however it sees fit, and can freely profit off of your likeness and personal information without owing you a cent.
Some people have also pointed out potential security concerns related to the fact that FaceApp has access to the photos on your phone and processes them on its own servers. This stems primarily from the fact that the company behind FaceApp, Wireless Lab, is headquartered in St. Petersburg, Russia. The fact that the company is located in the country that has become synonymous with online mischief — be it launching troll farms or meddling in elections around the world — is enough to raise hackles for some. The overarching concern, though, is that with full access to your phone's camera roll, FaceApp could take all of your pictures and send them off to their servers in Russia, where they can use them without restriction.
For what it's worth, that doesn't appear to be what is actually happening. Will Strafach, an iOS security researcher and CEO of Guardian Firewall, noted on Twitter that there's no evidence to suggest FaceApp is grabbing all of your photos. Forbes also reported that most of the company's servers used to process images are actually located in the United States, not Russia. However, Strafach said that the app does upload single photos to company servers in order to apply filters. That isn't made clear to users when they use the app, and while it isn't an unheard-of practice, it certainly isn't the preferred approach for people concerned about their privacy. It would be better for the app to process photos on a person's device, ensuring that no information is transferred away from the phone — though doing so would limit the information that FaceApp has access to and would likely hinder its machine learning algorithms, which count on having access to tons of photos to improve over time.
In a statement to Forbes, FaceApp founder Yaroslav Goncharov noted that photos are uploaded and temporarily stored in the cloud in order to process them and apply filters. He claimed that photos were sometimes stored after an edit is applied because the company wants to "make sure that the user doesn't upload the photo repeatedly for every edit operation." According to Goncharov, photos are typically deleted from the company's servers "within 48 hours from the upload date." This process makes sense for the company. As privacy expert and reverse engineering pro Jane Manchun Wong pointed out on Twitter, the process allows the company to hide its photo processing code from competitors who may want to copy it (see: Snapchat, Facebook, etc.) and limits the possibility of piracy.
While some of the concerns surrounding FaceApp may be overblown, it's always good to think carefully about what permissions you are giving to applications, especially when they are free like FaceApp is. Typically, when you don't pay for an app in cash, you're paying for it some other way. In the case of FaceApp, it's by providing the service with the photos you upload, which it can use to fine-tune its algorithm and potentially market or sell to third parties. Free apps are never truly free, and it is worth regularly culling your phone of unused apps and checking the permissions of the apps you do have to make sure that you aren't giving away information that you aren't comfortable with.
If you're suddenly having second thoughts about just how much access FaceApp has to your information, it is possible to pull your user data from the company's servers. If you have the app downloaded on your phone, go to the Settings, then go to the Support tab. Select the Report a bug option and type "privacy" in the subject line. According to Goncharov, the company will delete all user data associated with your account when it receives that message.