While many photomorphing apps like FaceApp appear to be a free service offered for fun, such apps are usually a way for artificial intelligence companies to gather huge, free datasets from the app’s users to better train their AI. It is that AI and its datasets which holds the actual value for the company, not the app itself.
This fact, along with the fact that FaceApp is a Russian-based company and that in late 2018 it moved to the Skolkovo Innovation Center, which is run by the Russian government, led to those initial privacy concerns growing into national security concerns yesterday.
— Forensic News (@forensicnewsnet) July 17, 2019
Yesterday Senate Minority Leader Chuck Schumer called on the FBI and FTC to investigate any potential national security and privacy risks the app opens up. From Schumer’s letter calling for a probe:
Furthermore, it is unclear how long FaceApp retains a user’s data or how a user may ensure their data is deleted after usage. These forms of “dark patterns,” which manifest in opaque disclosures and broader user authorizations, can be misleading to consumers and may even constitute a deceptive trade practices. Thus, I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it.
In particular, FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments.
BIG: Share if you used #FaceApp:
Because millions of Americans have used it
It’s owned by a Russia-based company
And users are required to provide full, irrevocable access to their personal photos & data pic.twitter.com/cejLLwBQcr
— Chuck Schumer (@SenSchumer) July 18, 2019
In response to the increasing alarm over its privacy policies and associations, FaceApp told TechCrunch that no user data is “transferred to Russia” even though its R&D team is based there. The company says it uses AWS and Google Cloud to process and host uploaded photos.
The company also says that “Most images are deleted from our servers within 48 hours from the upload date,” without specifying how many images they retain after the 48-hour mark. They also say they do have a process in place for users to ask that all their data is deleted from FaceApp’s servers, though that process is in dire need of streamlining. You can see FaceApp’s full statement below:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
5. We don’t sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.