Think Twice Before Using FaceApp

If you were on social media lately (who doesn’t), you’ve probably noticed a lot of old faces, young faces, weird faces, altered faces of your friends, colleagues and strangers on your news feed. So what is actually happening?

FaceApp,  the AI-powered selfie-editing app that’s been going viral for the past few weeks, has now responded to a privacy controversy. Concerns had been raised that FaceApp, a Russian startup called Wireless Lab, uploads users’ photos to the cloud — without making it clear to them that processing is not going on locally on their devices.

FaceApp recently confirms that most of the processing needed to power its app’s beautifying/gender-bending/age-accerating/-defying effects are indeed accomplished in the cloud. Though FaceApp claims that the app only uploads photos users have specifically selected for editing, security tests so far have also not found evidence that the app uploads a user’s entire photo gallery.

FaceApp goes on to specify that it “might” store the photos users have chosen to upload in the cloud for a short period, claiming this is done for “performance and traffic” — to make sure that a user doesn’t repeatedly upload the same photo to carry out another edit. It claims that most images are deleted from the FaceApp servers within 48 hours from the upload date.

It also claims no user data is “transferred to Russia”, even though its R&D team is based there. So the suggestion is that storage and cloud processing is being performed using the infrastructure based outside Russia (Possible AWS and Google Cloud).

FaceApp also says users can request their data is deleted. Though it doesn’t yet have a very smooth way to do this — instead it asks users to send delete requests via the mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line, adding that it’s “working on a better UI for that”.

It also points out that the vast majority of FaceApp users don’t log in — making the point that it’s not able to link photos to identities in most cases.

We’ve pasted the company’s full statement at the bottom of this post:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696).  We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.