Viral FaceApp may infect your privacy, according to experts


FaceApp, an Android and iOS app that changes users' faces, is facing criticism because the app is allegedly harvesting vast amounts of sensitive user information without their knowledge. According to John Koetsier at Forbes: “While according to FaceApp’s terms of service people still own their own “user content” (read: face), the company owns a never-ending and irrevocable royalty-free license to do anything they want with it … in front of whoever they wish:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.”

The terms of service for the app, created by Russian company Wireless Lab, could allow for a user’s photos to be used for stock images, advertisements without their knowledge, or even for training artificial intelligence (AI) facial recognition engines in Russia.

Those phrases “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable” and so on are especially troublesome to privacy and security experts because, even if the user deletes their account, the TOS allows Wireless Lab to continue to use the images. Further, the users’ information can also be transferred anywhere around the world:

“FaceApp, its Affiliates, or Service Providers may transfer information that we collect about you, including personal information across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction.”

There’s no evidence that FaceApp is up to no good, but the widespread reports of privacy concerns have raised the question. An app like FaceApp does its image processing in the cloud. The transfer of image data, location, browsing history and more is necessary to do the computations; how the company handles the data after use is something users should be aware of.

According to a statement from FaceApp CEO Yaroslav Goncharov:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.