How Worried Should You Be About FaceApp?

Technology companies and app developers will design any tool – especially entertaining ones – that dupes or manipulates people into handing over their data.

If you logged onto Twitter or Facebook over the past day or so, you probably saw friends who appeared to have suddenly aged 30 or 40 years. That’s because a new app that allows users to accelerate their age, change their hair colour and even “swap” their gender went viral. Celebrities like Nick Jonas and Drake are doing it. My friends are doing it. Even I did it – several times.

The problem is that as soon as the app took off, some people began raising serious privacy concerns about it. Two privacy concerns, to be specific: one about the general ecosystem of apps that vacuum up our information, and one about FaceApp’s country of origin.

Originally released two years ago, FaceApp was designed by the St. Petersburg, Russia-based firm Wireless Lab. Twitter quickly took notice of the app’s national origin, and several users expressed concern that their funny aged photos (any may be the originals, too) were being sent across the cloud to servers in Russian President Vladimir Putin’s backyard – for who knows what.

Privacy Matters and several news outlets (some in rather alarming termspointed out that when you use the app, you grant Wireless Lab a lot of rights. That includes a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content … without compensation to you.”

Also read: It’s Hard to Understand Privacy in India

That basically means FaceApp can do whatever it wants with your photos, according to New York Law School professor Ari Waldman. “You retain copyrights and photos that you upload, but you grant them the opportunity to pretty much do anything they want with the photos that are stored on their servers,” Waldman told me. And in many cases, it’s not just photos of the individual using the app – people upload images of their friends and families, too, meaning such a database of faces would be massive, and that same policy would apply regardless of who is in the photo. “It’s pretty broad, to say the least,” Waldman said.

But the worst of the panic about FaceApp’s privacy protections happened when a now-deleted tweet suggested that FaceApp might be gaining access to and uploading a user’s entire camera roll. If true, that could have been a massive privacy concern. After all, people also store screenshots of bank records and credit card numbers in their camera rolls as well as personal shots that – let’s just say – they wouldn’t want in the hands of the Russian government or anyone else, really.

That – combined with the permissive terms and a privacy policy that allows data to transferred across borders and jurisdictions – sparked justified concern. But we have some good news on that front, at least. Digital security expert Will Strafach performed a quick network traffic test and found that the app was not, in fact, uploading your entire camera roll to the cloud.

(Marlo Stanfield is a character on the HBO series, The Wire) That reassurance aside, there’s no real way to know if data is ending up in Russia somehow, how long it’s staying there and what the company is using it for. Photos you actively select are uploaded to the cloud, which isn’t really standard practice for a photo-editing app, according to Strafach.

Most photo-editing applications perform edits on the phone instead of in the cloud. “When you select a photo and edit it, it does get sent to their servers,” Strafach said. “To me, as someone who hadn’t used the app before, they did not make it obvious that they were sending it to their servers. When you apply filters, it’s their servers performing the edits.” In essence, it’s not just the final version you picked to post on your Instagram story that’s been sent to the cloud somewhere – it’s all the edits and the original, too.

Yaroslav Goncharov, FaceApp’s creator and Wireless Lab CEO, said in an emailed statement that no user data is transferred to Russia even though “the core R&D team is located” there, and he echoed that the entire camera roll is not tapped for upload. Forbes reported that FaceApp uses Amazon servers located in the US and Australia. And, to be fair, FaceApp said it deletes most photos after 48 hours: “We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation.”

Also read: What India’s Data Protection Committee Can Learn from US, EU and China

But, again, all we have here is its word. When I asked Goncharov what Wireless Lab uses the photos for, he didn’t say. “Privacy policies and terms are drafted by lawyers and they always prefer to be on the safe side,” Goncharov wrote in an email. “We are planning to do some improvements here.” I directly asked if the company actively uses personal data for commercial purposes, and he didn’t respond.

Goncharov is right, though, that privacy policies and terms are often broad. They are notoriously long, boring and difficult to read, but they list what a company can do with your data – and often offer some insight into what it plans to do with your data. FaceApp’s terms are vague, permissive, and allow for commercial use of your personal data, but that’s not an issue unique to this app. “It’s a doozy of a privacy policy. But it’s not uncommon,” Waldman said. “Facebook takes a nonexclusive worldwide license to do whatever it wants with the photos that we upload as well. So there, it’s not unusual.”

Other photo-editing apps like VSCO alert users in their policies that, like FaceApp, they may transfer data outside of the user’s country. “As you put it in the privacy policy, then you can do a lot with data. But of course, we know that that doesn’t actually end up protecting people’s privacy,” Waldman said. It is especially an issue with an app like FaceApp. Users might not anticipate that a photo they are editing could be made public or shared for commercial purposes. “Even if the initial commotion is not exactly true, what they are doing is still an issue,” Strafach said. (FaceApp says it does not “sell or share any user data with any third parties” and that you can request your data be deleted by using the app’s report a bug feature.)

This viral sensation does offer a glimpse at how quickly millions of faces could be gathered up for nefarious purposes, though. And such a collection of data in the hands of any company could have pretty significant commercial possibilities. FaceApp has an “insanely detailed data set for anyone who wants to work on facial recognition technology,” Waldman said.

Facial recognition technology – even though it’s been shown to be biased and discriminatory – and the databases that power it are becoming increasingly profitable for government surveillancelaw enforcement and even marketing. A collection like FaceApp’s could be used to train facial recognition technology or to form a database that could be sold to another company. In 2017, the Guardian reported on a similar technology in Russia, FindFace, that allowed users to photograph people in crowds and work out their identity with nearly 70% reliability. (To be clear, FaceApp doesn’t seem to be connected to FindFace.) The public features of FindFace have been discontinued, but it remains available for government and business use.

Concerns about privacy in the app has risen as far as the US Democratic National Committee, which told presidential campaigns not to use the viral app because of the Russian developers. US Senator Chuck Schumer has even asked the US Federal Bureau of Investigation and the Federal Trade Commission to investigate FaceApp. With the combination of social media, personal data privacy, and Russia, it’s no wonder there is a widespread concern. But Baptiste Robert, a French security expert who goes by the pseudonym Elliot Alderson, said on Twitter the “story is out of control,” especially considering the app uses mostly US-based internet infrastructure like Amazon Web Services and Google – and that its terms are not markedly different than other social media companies like Snapchat, for example.

Still, Waldman says it’s always good to be wary. “It’s a Russian company, which, with the statist structure they have over in Russia, means that there are likely connections between the company and the government.” So if you haven’t already aged your face, it’s probably a good idea to be cautious.

But that applies to your entire digital life, not just FaceApp. Technology companies and app developers out there are after data, and they will design any tool – especially entertaining ones – that dupes or manipulates people into handing over their data, according to Waldman. And we shouldn’t just be worried about Russian companies. “We should be equally (and significantly) concerned about all of it,” Waldman said. “Both FaceApp and Facebook are manipulative tools that enrich their designers by data gathering via a pretext of fun.”

This piece was originally published on Future Tense, a partnership between Slate magazine, Arizona State University and New America.