There’s no evidence that the app is uploading your whole camera roll to Russia.
FaceApp — the photo-transforming smartphone app that recently went viral after Drake, LeBron James, the Stranger Things cast, and many more shared AI-aged selfies on social media — has had a hell of a week.
On Wednesday, the Democratic National Committee sent a notice to 2020 presidential campaigns, urging them to delete the app “immediately” over concerns that there was no way to know what FaceApp was doing with the data. Senate Minority Leader Chuck Schumer wrote a letter to the FBI and the Federal Trade Commission, asking for an investigation. FaceApp “could pose national security and privacy risks for millions of U.S. citizens,” he cautioned. And moms the world over texted their kids to delete the app, just in case.
FaceApp was developed by a small team out of Saint-Petersburg, Russia.
“We developed a new technology that uses neural networks to modify a face on any photo while keeping it photorealistic. For example, it can add a smile, change gender and age, or just make you more attractive,” founder and CEO Yaroslav Goncharov told.
And Goncharov explains that the fact that FaceApp is so realistic is what sets it apart from any of its competition.
“Our main differentiator is photorealism,” he said. “After applying a filter, it is still your photo. Other apps intentionally change a picture in a way it is entertaining, but not a real photo anymore.”
You can either take a photo through the app’s camera functionality or get one from your pre-existing gallery. However, for security reasons, be wary of any app that asks for access into your personal gallery. FaceApp, like most apps, has a privacy page detailing how they use user content. There, the app does admit that they “may share User Content and your information with businesses that are legally part of the same group of companies that FaceApp is.”
This is normal for many apps, but if it’s something that deters you, maybe just download it for a bit, and then scrap it when you’re done.
To be sure, FaceApp’s terms of service are incredibly broad. Its permissions explicitly claim a right to a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid” license once users upload their photos to the app. Adding to the public anxiety, FaceApp is based in St. Petersburg — and Russia is a country many folks automatically associate with US election interference.
If you use #FaceApp you are giving them a license to use your photos, your name, your username, and your likeness for any purpose including commercial purposes (like on a billboard or internet ad) — see their Terms: https://t.co/e0sTgzowoN pic.twitter.com/XzYxRdXZ9q
— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019
According to FaceApp CEO Yaroslav Goncharov, the app’s terms of service and permissions are nothing to panic over, because the company isn’t doing anything nefarious with your data.
“We only upload a photo selected for editing,” Goncharov told BuzzFeed News. “You can quickly check this with any of the network-sniffing tools available on the internet.”
We took Goncharov’s claim and ran the tests. Now we’re publishing the results so that you can see for yourself.
FaceApp claims that photos are stored on servers run by Amazon and Google, and that no user data goes back to its research and development team in St. Petersburg. The servers we were able to see were from Amazon Web Services and Google Cloud Platform, located in Ohio; Portland, Oregon; Mountain View, California; and Singapore — although there is a possibility that some data is hosted on Russian servers beyond what we can observe. (Fun fact: Whoever set up the subdomains at FaceApp is a big Game of Thrones fan, naming them after the characters Tyrion, Arya, Bran, and Jaime, among others.)
There’s one big caveat to add: There’s nothing that would stop FaceApp from changing its behavior later. It is possible that FaceApp could add data snooping in the future, given its broad terms of service.
For the most part, though, the viral story of FaceApp tells us that we all should be more aware of what permissions we give applications. We’re far too quick to jump into something fun without thinking about the implications of giving up our data.
But, best we can tell, there is nothing to indicate you are giving up more than a single photo of your face at a time to a company that we know very little about.