Do the Russians have all my photos and data now that I've downloaded FaceApp?
The FaceApp mobile application does present some serious privacy concerns, based on a reading of its terms and conditions.
However, it would be inaccurate to say that the app steals “all of your data,” or that it gives its developer permanent access to all of your photos. It’s also inaccurate to say that the app gives user data to “the Russians,” but we’ll take a closer look at that question in a second—in short, the answer is a bit complicated.
First, let’s review the app’s terms of service agreement, which states that:
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.
When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.
That sounds slightly terrifying, and when FaceApp’s age filter went viral, many social media users shared screenshots and articles pointing out the privacy issues in the app’s terms of service.
Those users also pointed out that FaceApp’s research and development team is located in Russia—a frightening consideration for many Americans, given the countries’ dicey relationship. However, there is not currently any evidence that FaceApp’s team is coordinating with the Russian government.
FaceApp responded to users’ concerns in a statement issued to TechCrunch and other publications.
“All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.”
The company also explained that it performs photo processing in the cloud (in this context, “the cloud" means that they transfer data over the internet for processing at an offsite server), and that the app only uploads photos that users select for editing. The company doesn’t share or sell the photos to any third parties, and they are eventually deleted, they wrote.
Of course, that’s what a company would say if they were harvesting data for nefarious purposes, so in these types of situations, it’s a good idea to look for a knowledgeable third party.
David Carroll, a media design professor who gained fame when he launched a legal case against Cambridge Analytica during their scandal, believes that any data transferred to FaceApp could be taken by the Russian government.
“If data is stored in Russia, the Russian government has jurisdiction over it,” Carroll told PBS. “It is unimaginable that a tech company could exist in Russia and not have some kind of subservience to the [Russian security service] FSB.”
In the company’s statement to TechCrunch, they wrote that “even though the core R&D team is located in Russia, the user data is not transferred to Russia.” Essentially, they’re saying the images (and the processed images that make you look like an old person) are stored outside of Russia on cloud servers owned by Google and Apple. Therefore, the app’s development team doesn’t have direct access to those images.
Of course, we’re taking FaceApp’s word on that. There’s still a chance that using a Russian-based app exposes your data to the country’s security services. But as Ashley Carman noted in a piece for The Verge, other apps based in China or even the United States could have the same type of privacy concerns.
What if you’re not worried about Russia—what if you just want to make sure that your data is safe from unauthorized access?
That’s also somewhat tricky. Because FaceApp is based in Russia, American users don’t have much legal recourse if they want to press charges against them. However, the app’s development team says that they’ll delete stored data at the user’s request.
“We accept requests from users for removing all their data from our servers,” the company wrote. “Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better [user interface] for that.”
The controversy over FaceApp does highlight an important point: If you’re concerned about privacy, always make sure to read the terms and conditions before signing up for something—even if it’s a fun, harmless-looking app.