Using FaceApp to figure out how you’ll look when you’re old and wrinkly may be the viral sensation of the week, but that fun may not be worth it once you look at the fine print.
Contrary to a claim software developer Joshua Nozzi made on Twitter, however, the app does not appear to upload users’ full camera rolls in the background.
After installing the app, users are prompted to let FaceApp access their camera roll so they can pick photos to modify. When a user selects a photo, the app uploads that photo to its server. Crucially, it does not appear to upload any other photos, according to Guardian App CEO Will Strafach, who tested the app with a network traffic analyzer. Researcher Baptiste Robert found similar results.
“When I granted [FaceApp] photo library permission, it did not do that full upload that was being claimed,” Strafach told CyberScoop in an interview. “I found that when I selected a photo it actually then does an upload to the server of a file size about the size of a photo.
“There’s no indication that they were going to send this to a server so [they] can analyze it and apply these filters,” Strafach told CyberScoop.
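How a check like Strafach’s can be made concrete, as an added example that is not the tool he or Robert used: the Python below parses a pcap capture of the phone’s traffic, sums outbound TCP payload bytes per destination host and port, and compares the total for the app’s server against the size of the selected photo and the size of the whole library. The capture itself is constructed in the same script (zero bytes stand in for a JPEG), and the client address, server addresses, sizes and the 25% slack allowed for TLS and HTTP overhead are all assumptions, not FaceApp’s real infrastructure.

```python
import socket
import struct
from collections import defaultdict

# Assumed addresses and sizes for the constructed capture (not real FaceApp infrastructure).
CLIENT_IP = "10.0.0.2"
APP_SERVER = ("203.0.113.10", 443)
ANALYTICS = ("203.0.113.20", 443)
PHOTO_SIZE = 40_000               # bytes of the one photo the user selected
LIBRARY_SIZE = 10 * PHOTO_SIZE    # total size of the camera roll
SEGMENT = 1400                    # TCP payload per segment

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1        # value seen when a big-endian file is read little-endian
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero because only lengths matter here."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file with microsecond timestamps."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def constructed_capture():
    """Constructed capture: one photo uploaded to the app server plus a small analytics beacon."""
    photo = bytes(PHOTO_SIZE)  # stand-in for the JPEG bytes
    frames = [build_packet(CLIENT_IP, APP_SERVER[0], 51000, APP_SERVER[1], bytes(300))]  # handshake stand-in
    for i in range(0, PHOTO_SIZE, SEGMENT):
        frames.append(build_packet(CLIENT_IP, APP_SERVER[0], 51000, APP_SERVER[1], photo[i:i + SEGMENT]))
    frames.append(build_packet(APP_SERVER[0], CLIENT_IP, APP_SERVER[1], 51000, bytes(900)))  # inbound reply
    frames.append(build_packet(CLIENT_IP, ANALYTICS[0], 51001, ANALYTICS[1], bytes(600)))
    return build_pcap(frames)


def outbound_bytes_per_host(pcap_bytes, client_ip):
    """Sum TCP payload bytes sent from client_ip, keyed by (dst_ip, dst_port)."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap are not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    totals = defaultdict(int)
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 headers; IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or socket.inet_ntoa(ip[12:16]) != client_ip:   # TCP sent by the client only
            continue
        tcp = ip[ihl:total_len]                 # IP total length strips any Ethernet padding
        data_offset = (tcp[12] >> 4) * 4
        dst = (socket.inet_ntoa(ip[16:20]), struct.unpack("!H", tcp[2:4])[0])
        totals[dst] += max(0, len(tcp) - data_offset)
    return dict(totals)


def classify_upload(total_bytes, selected_photo_size, library_size, slack=0.25):
    """Classify an upload volume; slack covers TLS and HTTP framing overhead (assumed 25%)."""
    if total_bytes >= library_size * (1 - slack):
        return "bulk-upload"
    if selected_photo_size <= total_bytes <= selected_photo_size * (1 + slack):
        return "selected-photo-only"
    return "indeterminate"


def check_capture(pcap_bytes, client_ip, app_server, photo_size, library_size):
    """Return per-destination outbound byte counts and the verdict for the app server."""
    totals = outbound_bytes_per_host(pcap_bytes, client_ip)
    return totals, classify_upload(totals.get(app_server, 0), photo_size, library_size)


if __name__ == "__main__":
    totals, verdict = check_capture(constructed_capture(), CLIENT_IP, APP_SERVER, PHOTO_SIZE, LIBRARY_SIZE)
    for (host, port), n in sorted(totals.items()):
        print(f"{host}:{port}  {n} bytes out")
    print("verdict:", verdict)
```

On a real device the capture would come from tcpdump on a Wi-Fi hotspot or an intercepting proxy in front of the phone; because the upload is TLS, this method measures volume and destination only, which is exactly the signal behind the "about the size of a photo" observation. Background uploads of the whole library would show up as outbound volume close to the library size, to the same or another host, and a verdict of "indeterminate" means the capture needs a closer look rather than a conclusion either way.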
Two years ago, when the app first went viral, interviews with FaceApp CEO Yaroslav Goncharov, a former executive at the Russian search company Yandex, often focused on the artificial intelligence behind the app. But the concerns about data transfers show how little users know about the policies, or the nefarious surveillance, they may be unwittingly subjecting themselves to, Strafach said.
“Because it was so non-obvious that it was being uploaded to a server, that was never reported on because that was not something anybody noticed,” he said. “[Users] don’t have informed consent here if it’s so non-obvious.”
Consumers often don’t read the fine print of privacy policies and terms of service before using apps that may have access to sensitive data. The concern here is that because the company is headquartered in Russia, it could be beholden to the Russian government, and users could be unwittingly advancing nefarious Russian interests in ways that may not be apparent even in the user terms.
Although photos uploaded to FaceApp may be reviewed in St. Petersburg, where the company is headquartered, it is not apparent that FaceApp’s servers feed information directly to the Kremlin. FaceApp notes that it may hand over information in response to legal requests from outside the U.S., but its servers are hosted in Amazon data centers in the U.S. and Australia, according to Forbes.
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content,” the policy notes. “When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.”
While technically these users are not giving up their data unwittingly (by using the app, users are presumed to have agreed to its terms and conditions), Sen. Mark Warner, D-Va., has introduced bipartisan legislation aimed at curbing deceptive user interfaces and agreements.
The legislation, albeit targeted towards reining in large social media companies, shows there may be momentum on Capitol Hill to change the way user agreements are presented to consumers.
Jim Steyer, CEO and founder of Common Sense Media, told CyberScoop when reached for comment about FaceApp that more needs to be done to protect consumers and their sensitive data.
“The burden of safeguarding sensitive data should not rest on consumers alone,” Steyer said.
Sen. Chuck Schumer, D-N.Y., has asked FBI Director Chris Wray and Federal Trade Commission Chair Joe Simons to assess, respectively, whether Americans’ data on FaceApp is ending up in the hands of the Kremlin and whether there are sufficient protections for Americans’ privacy in using the app, according to a letter Schumer sent them, which CyberScoop obtained.
The FTC confirmed it had received the letter but would not comment on whether its responses would be made public. The FBI had no comment.
Strafach, who often analyzes suspicious apps, said there may be other photo manipulation apps that toe the privacy line, noting, “maybe FaceApp is the one that got caught.”
Strafach said the company’s lack of transparency about its server upload process raises questions about how it will use the data it does have, and about how seriously it takes security.
“Can the company be trusted?” Strafach said. “How seriously locked down is this database, who has access to it, who can be bribed to get other people access to tons and tons of facial data?”
FaceApp’s own policy acknowledges as much: “FaceApp cannot ensure the security of any information you transmit to FaceApp or guarantee that information on the Service may not be accessed, disclosed, altered, or destroyed.”
FaceApp did not immediately return a request for comment.