No, FaceApp isn’t taking photos of your face and taking them back to Russia for some nefarious project. At least that’s what current evidence suggests.
After going viral in 2017, and amassing more than 80 million active users, it’s blowing up again thanks to the so-called FaceApp Challenge, in which celebs (and everyone else) have been adding years to their visage with the app’s old-age filter. The app uses artificial intelligence to create a rendering of what you might look like in a few decades on your iPhone or Android device.
But one tweet set off a minor internet panic this week, when a developer warned that the app could be taking all the photos from your phone and uploading them to its servers without any obvious permission from the user.
The tweeter, Joshua Nozzi, said later he was trying to raise a flag about FaceApp having access to all photos, even if it wasn’t uploading them to a server owned by the Russian company.
Storm in an internet teacup?
This all turns out to be another of the Web’s many storm-in-teacup moments. According to FaceApp they only take submitted photos—those that you want the software to transform—back up to company servers.
And where are those servers based? Mostly America, not Russia. A cursory look at hosting records confirms this to be true: The servers for FaceApp.io were based in Amazon data centers in the U.S. The company confirmed that some servers were hosted by Google too, across other countries, including Ireland and Singapore. And, as noted by Alderson, the app also uses third-party code, and so will reach out to their servers, but again these are based in the U.S. and Australia.
FaceApp confirmed and expaned on this with its own statments.
They Stated: We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:
FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.
All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
We don’t sell or share any user data with any third parties.
Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
So, should you be concerned?
Well, the truth is the license you give faceapp seems to be the same that you give to reddit, facebook, twitter, or any site that allows you to upload images.
Close research suggests FaceApp isn’t doing anything particularly unusual in either its code or its network traffic, so if you’re worried about FaceApp, there are probably a bunch of other apps on your phone doing the same thing. Still, the conversation does bring attention to standard tech practices that might be more invasive than users realise. You should think about how your data is being used before sharing it with an any known or unknown app. It’s easy to give away your privacy and data at the click of a button.
Think before you click “Accept”
