No, FaceApp isn’t taking photos of your face and taking them back to Russia for some nefarious project. At least that’s what current evidence suggests.
After going viral in 2017, and amassing more than 80 million active users, it’s blowing up again thanks to the so-called FaceApp Challenge, in which celebs (and everyone else) have been adding years to their visage with the app’s old-age filter. The app uses artificial intelligence to create a rendering of what you might look like in a few decades on your iPhone or Android device.
But one tweet set off a minor internet panic this week, when a developer warned that the app could be taking all the photos from your phone and uploading them to its servers without any obvious permission from the user.
The tweeter, Joshua Nozzi, said later he was trying to raise a flag about FaceApp having access to all photos, even if it wasn’t uploading them to a server owned by the Russian company.
Storm in an internet teacup?
This all turns out to be another of the Web’s many storm-in-teacup moments. A security researcher who goes by the pseudonym Elliot Alderson (real name Baptiste Robert) downloaded the app and checked where it was sending users’ faces. The French cyber expert found FaceApp only took submitted photos—those that you want the software to transform—back up to company servers.
And where are those servers based? Mostly America, not Russia. A cursory look at hosting records confirmed to Forbes that this was true: The servers for FaceApp.io were based in Amazon data centers in the U.S. The company told Forbes that some servers were hosted by Google too, across other countries, including Ireland and Singapore. And, as noted by Alderson, the app also uses third-party code, and so will reach out to their servers, but again these are based in the U.S. and Australia.
Of course, given the developer company is based in St. Petersburg, the faces will be viewed and processed in Russia. The data in those Amazon data centers could be mirrored back to computers in Russia. It’s unclear how much access FaceApp employees have to those images, and Forbes hadn’t received comment from the company at the time of publication about just what it does with uploaded faces.
So while Russian intelligence or police agencies could demand FaceApp hand over data if they believed it was lawful, they’d have a considerably harder time getting that information from Amazon in the U.S.
Permission to land on your phone
So is there a privacy concern? FaceApp could operate differently. It could, for instance, process the images on your device, rather than take submitted photos to an outside server. As iOS security researcher Will Strafach said: “I am sure many folks are not cool with that.”
It’s unclear how well FaceApp’s AI would process photos on the device rather than more powerful servers. FaceApp improves its face-changing algorithms by learning from the photos people submit. This could be done on the device, rather than the server, as machine learning features are available on Android and iOS, but FaceApp may want to stick to using its own computers to train its AI.
Users who are (understandably) concerned about the app having permission to access any photos at all might want to look at all the tools they have on their smartphone. It’s likely many have access to photos and an awful lot more. Your every move via location tracking, for instance. To change permissions, either delete the app, or go to app settings on your iPhone or Android and change what data tools are allowed to access.
Forbes contacted FaceApp founder Yaroslav Goncahrov, who provided a statement Wednesday morning. He said that user data is not transferred to Russia and that “most of the photo processing in the cloud.”
“We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud,” Goncharov added.
“We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”
He said that users can also request that all user data be deleted. And users can do this by going to settings, then support and opt to report a bug, using the word “privacy” in the subject line message. Goncahrov said this should help speed up the process.
And he added: “We don’t sell or share any user data with any third parties.”