Viral Russian AI-Powered Photo Editing App ‘FaceApp’ Raises User Privacy Concerns

Privacy advocates have alleged that the viral app sensation FaceApp is a targeted effort to harvest personal data on a global scale.

FaceApp, released in 2017, makes alterations on a user’s face designed to provide people a glimpse at what they might look like in 50 years. Experts say the Russian-made application can access, store, and use camera images.

FaceApp’s terms of service appear to stipulate that the developers can use the images at their leisure:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.

This means that FaceApp can also use your real name, your username, or “any likeness provided” in any format without notifying users, much less paying them. They can retain that material as long as they want, even after users delete the app, and you won’t be able to stop them. Even those who set their Apple iOS photo permissions to “never,” as TechCrunch points out, are not protected against the terms.

The privacy worries and Russia link prompted U.S. Senate minority leader Chuck Schumer to call for the FBI and Federal Trade Commission to open a national security and privacy investigation into FaceApp, reported Reuters.

“It would be deeply troubling if the sensitive personal information of US citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States,” he wrote, in a letter to the heads of both organizations.

In response to privacy concerns, FaceApp on Wednesday provided a statement to TechCrunch, saying most images are deleted from their servers within two days of the upload date.

“Most images are deleted from our servers within 48 hours from the upload date,” FaceApp said in the statement. “We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority.”

FaceApp said it performs most of its photo processing in the cloud, but it doesn’t transfer photos from the phones that haven’t been selected for editing to the cloud. The app said it might store an uploaded photo in the cloud for performance and traffic. The app also noted that all FaceApp’s features are available without logging in and no data is sold or shared.

“Even though the core R&D team is located in Russia, the user data is not transferred to Russia,” the app added.

Ultimately, the truth here may simply be a poorly written privacy policy versus any malicious activity. As whitehat hacker Marc Rogers wrote on Twitter, “#faceapp terms aren’t different from other social apps.”