Home of internet privacy

FaceApp’s popularity sparks privacy concerns, but when will we learn?

NOTE: This post was originally published on July 19, 2019

Chances are you’ve recently come across photos of friends and family years into the future, thanks to viral photo app FaceApp.

The app, which first shot into prominence in 2017, has made a comeback of sorts due to the popular #FaceAppchallenge, fueled by celebrities uploading a rendition of what their future selves may look like.

But despite the seemingly harmless nature of the social media trend, privacy concerns came to the fore after a tweet (now deleted) by security researcher Joshua Nozzi.

Joshua’s since published an apology of sorts, saying he “was wrong to have posted the accusation without testing it first.” But lots of publications picked up on that tweet, with one loudly proclaiming that “Russians own all your old photos.”

The issue is now attracting attention at the highest echelons of the U.S. government, with Senate minority leader Chuck Schumer making an official request to the FBI to conduct a national security investigation into FaceApp.

Is the FaceApp privacy fuss real?

FaceApp’s core team, including its CEO and developers, operate out of St. Petersburg, which (obviously) doesn’t help matters and is the major point of contention for most of the dissenting voices.

The app’s terms of use do little to assuage concerns. If you download and sign up to FaceApp, you grant the company “a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”

And its privacy policy takes it a step further: “by registering for and using the Service you consent to the transfer of information to the U.S. or to any other country in which FaceApp, its Affiliates or Service Providers maintain facilities.”

TL;DR: FaceApp owns all your content

Once uploaded, FaceApp owns and can transfer all your content to servers in countries where it has a physical presence (read: Russia). What’s more, it has free rein to do whatever it likes with it, including altering, distributing, or publicly displaying it.

If you’re unhappy about this, there’s not much you can do apart from deleting the app and never using it again. Part of the service agreement waives your right to sue the company in court.

Yes, the terms and privacy implications are egregious. But is the company really a stooge for the Russian government, on a mission to invade the personal lives of millions of Americans?

Not quite, say security researchers Elliot Anderson and Will Strafach. They state there’s “no evidence” that FaceApp uploads users’ full camera rolls to remote servers. Elliot, in a statement to NBC News, added that “in general, this app is not asking a lot of data from the user.”

In a statement to TechCrunch, FaceApp’s CEO Yaroslav Goncharov directly addressed the controversy and accusations of privacy invasion.

He stated that “we don’t sell or share user data with any third parties,” adding that “all FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.”

The app’s cloud infrastructure isn’t located inside Russia either, with the company using a combination of Amazon Web Services and Google Cloud to keep its AI editing tech afloat.

So while your awkward selfies probably won’t be part of a massive database monitored by the KGB, the FaceApp controversy reveals potential privacy concerns in our embrace of all things tech.

But what about my privacy?

The unfortunate reality is that we don’t do enough to hold tech companies accountable for the data they request.

How often have you hurriedly accepted all the app permissions put forward, in a rush to edit your selfie with the latest cat filter? You’re most likely granting explicit consent for the app to monitor and gather more information than what’s absolutely necessary.

As a matter of fact, there’s virtually no difference between FaceApp and Facebook’s terms of service, which also grant the company a “non-exclusive, transferable, sub-licensable, royalty-free and worldwide licence to host, use, distribute, modify, run, copy, publicly perform or display, translate and create derivative works of your content.”

Let’s not forget that the crux of the Cambridge Analytica scandal was a seemingly innocent quiz app called “thisisyourdigitallife.” Many quickly accepted all the end-user agreements with nary a thought of what that might encompass. In the process, unscrupulous developers gained access to the personal data of 87 million people.

There’s no doubt that tech companies could do more to help users understand what they’re getting themselves into. But what’s the incentive for them to do so when the entire model hinges on a highly invasive framework of data points for precise ad targeting?

Sure, every once in a while there’s a scandal that erupts and indignant users plaster messages on the same platforms they’re hating on. But the news cycle moves on and so do we. There are bills to pay and jobs to get back to. Our privacy can wait another day.