Is FaceApp Safe? – A Deeper Look at the Viral Hit

Trends and Controversies. These are two words that keep getting mentioned in the same breath since the turn of the social media age. Very often, something (literally anything) catches the world by storm for weeks or months at a time and nobody seems to be able to get enough – we create memes, slang, songs and even videos to share with friends and have some fun. The various social platforms are set ablaze with a #hashtag until the hype eventually dies down. This is the life cycle of everything that ever goes viral on the internet. Out with the old; in with the new. So, what’s new? Two answers: The Bottlecap challenge and the FaceApp age challenge- and I must admit, these are really fun. From Hollywood celebrities to athletes, everyone is posting videos and images of themselves indulging in one or both of these challenges and allowing us to fawn over them (… and cry about our bandwidth). So, whilst one has reached its climax and is about to lose steam, the other has reached a stage of massive controversy – a debacle of cyber and national security. Enter FaceApp

FaceApp is a mobile application that uses artificial intelligence to analyze images of faces and produce incredibly lifelike edits on them. These edits range from: changing a straight face to a smile; ageing your face or making it look younger; changing your hairstyle and changing your gender. The results are mind-blowing, to say the least, and the ageing feature particularly has been taken as somewhat a true prediction of people will look decades from now. With over  100 million downloads from the Google Play Store alone, the app has become an instant hit (again, since 2017), after many celebrities posted their ‘future faces’ on Instagram accompanied with hilarious captions. The whole internet has been thrown into a frenzy with few seemingly willing to look under the hood of the app i.e. privacy policy and terms of use. But is FaceApp really worth looking under the hood?

Developed by Wireless lab, FaceApp is the brainchild of Yaroslav Goncharov, a Russian programmer and entrepreneur who has worked for Microsoft and Yandex in the past.  Along with 12 staff members, he created the app in 2017 and has been working on it ever since. This small company come under scrutiny twice in the launch year (surprise, surprise) with the first issue centred around a feature called ‘spark’ that supposedly made the user look more attractive than the original photo. It was criticized as being racist as it lightened the skin tone of black users and made them look ‘bleached’ or Caucasian. The feature was aptly removed after Mr Goncharov apologized and explained that it was “an unfortunate side-effect of the underlying neural network caused by the training set bias, not intended behaviour”.  Soon after this, there was another backlash as the app featured ethnic filters that could make a user look more “White”, “Black”, “Asian” or “Indian. Once again, apologies were rendered and these filters were removed. Fast forward to 2019, FaceApp is still around and has now found itself as the center of this sensational challenge – all because of its new features with filters that make you look younger or older. So how relieved Wireless lab will feel that for the first time, the controversy around the app is not about it being politically incorrect or ethnocentric (lol). No, this year, the narrative is far better (depending on who you ask, of course) – ESPIONAGE.


The first point of concern -though not publicly quoted- is the fact that the CEO and some of his staff are Russian. Companies owned by Russians have come under a lot of scrutiny recently as former special counsel Robert Mueller’s office charged more than a dozen Russian citizens in connection to a campaign in 2016 to undermine the 2016 presidential election, reports Business Insider. This, perhaps, prompted an unusual look into the fine print of FaceApp once it started making waves all over the world. And my, was there a lot to look at. The issues found are

  • Unlawfully backing up user data (pictures) on the company’s servers
  • Creative if not nefarious terms and conditions, giving it permission to do the above without repercussions.

In a now deleted tweet, someone stated, “Russians now own all your old photos,”. This raised an alarm that was taken more seriously when the Democratic National Committee sent out a message, urging staff members on presidential campaigns to delete the app immediately, citing its ties to Russia. According to the critics, once you install FaceApp, every picture in your gallery is actually uploaded to FaceApp’s servers in Russia and every edit that you make is applied by the AI there, not on your device.

Actual Investigations

Despite claims from developer Joshua Nozzi who said FaceApp could access all the photos stored on a user’s phone, Forbes reports that a French security researcher who goes by the pseudonym Elliot Alderson discovered FaceApp to be only storing photos that are uploaded by the user. This report was also supported by TechCrunch who also reported that the app does not override any camera-roll privacy specifications.

Alderson has also confirmed that they are not stored in Russia but in the United States although FaceApp privacy policy states that the information collected by the app can be stored and shared to whichever countries the app operates from. TechCrunch reports that the company is currently using servers in the United States purported to be owned by Amazon. Further investigations have shown that the company also uses Google servers in Singapore and Ireland.

Interviews with Owner & Experts

Under immense pressure, the founder of FaceApp who was keen to clear the air sent a statement to Forbes partly denying the accusations levelled against the company.  “We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud… we might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”

“We don’t sell or share any user data with any third parties.” To this, he added that every user data can be deleted upon request. And users can do this by going to settings, then support and opt to report a bug, using the word “privacy” in the subject line message. Goncharov has promised to build a UI for this feature and improve its response.

All this, however, did not sit well with some experts who said that FaceApp had no right to hide what they were doing. “I cannot think of any situation where an app should not be very painfully clear about a photo being uploaded to a remote server, “Users always have the right to know this.” says Will Strafach, an iOS security researcher

The Wild Terms of Use

Perhaps, the way FaceApp has structured its terms of use and privacy policy made it all the more suspicious when the news about the data “theft” broke. The terms which are massively polarized seeks to protect the company in every way imaginable while offering the user one liability after another.

One interesting term reads, “You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public. You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes.” It basically says your photo forever belongs to Wireless Lab and anyone they want to give it to, to do whatever they want with forever.

Under the how we store your information part of the privacy policy it reads that the company “may transfer information that we collect about you, including personal information across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction.” Surely, that is grim.

It is indeed a relief that the allegations levelled against the app are somewhat not concrete. Otherwise, with these terms of use and privacy policy, it would have been really hard to take them on legally. The CEO has promised to revise them and make them more reasonable and fairer to the end-user. Apparently, most social media apps (including twitter) have similarly rigid and abrasive terms – oh well.

Truth be told, no one really knows if there is a conspiracy with Russian intelligence as claimed and every accusation seems hypothetical at best. Given that the app becomes viral again through Hollywood stars, it looks unlikely that it was created and facilitated by the help of the Russian government. It simply would have been promoted more effectively if it had been by them. However, we cannot discount the possibility that they have gotten involved now that it has gained viral status and that the perceived use of it for a facial recognition system is being considered. Whether all this is realistic amidst the growing attention from analysts and politicians also remains to be seen. And hey, what about the countless apps that have access to every information on our devices? Trust or don’t trust? A question for the gods.

Leave a Reply

Your email address will not be published.