People were having fun with the viral #FaceAppChallenge until a software developer, Joshua Nozzi, warned people to “BE CAREFUL WITH FACEAPP….it immediately uploads your photos without asking, whether you chose one or not”.
Most people became even more concerned when they learned that FaceApp is owned by Wireless Lab, which has its HQ in St. Petersburg, Russia.
FaceApp first came into the limelight in 2017, amassing over 80 million subscribers, and 2 years later, it’s blowing up again, thanks to the #FaceAppChallenge, where people use the platform to see how they’ll look when old, modify their photos to look younger, and swap genders.
After downloading the app, people began raising concerns over the permissions it asks for. According to its terms of service, when you use the app, you grant it a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide” license to do whatever it wants with your photos.
There were also comments that the app uploads your entire camera roll to its servers and can use any of your photos at any time.
FaceApp’s terms of service also say that it stores “device identifiers” on your mobile device and delivers information about that device to FaceApp and its third-party partners to help them provide reports or personalised content and ads.
However, a French security researcher who goes by the pseudonym Elliot Alderson downloaded the app to check where it was sending people’s faces. Alderson found that it was only sending the photos you uploaded to the platform, not your entire camera roll.
But the servers, according to Forbes, are mostly located in the US. Forbes says some are based in Amazon data centers, adding that Google also hosts some of the servers across countries, including Ireland and Singapore.
Alderson also noted that the app uses third-party code and will therefore reach out to those third parties’ servers, which Alderson says are based in the U.S. and Australia.
Alderson adds: “As far as I can see, there is no reason to be concerned with the current version available on the store. I don’t see why the nationality of the developers is an issue. There is also some legit devs in Russia.”
Joshua Nozzi has also said he was wrong about his first tweet, which he has now deleted.
“I was wrong. I was wrong about what I thought the app was doing (uploading all pics once granted access), and I was wrong to have posted the accusation without testing it first. Full stop,” he wrote on his website.
However, Nozzi said: “I stand by my original warning to be careful and upgrade it to ‘avoid at all cost if you value privacy even a little’.”
“What are they doing with full access? What might they do in the future? Why request it at all?” he asks.
Security expert Ariel Hochstadt also told the Daily Mail: “Hackers many times are able to record the websites that people visit, and the activities they perform in those websites, but they don’t always know who are those users.”
“Imagine now they used the phone’s camera to secretly record a young gay person, that visits gay sites, but didn’t yet go public with that, and they connect his face with the websites he is using.
“They also know who this image is, with the huge DB they created of FB accounts and faces, and the data they have on that person is both private and accurate to the name, city and other details found on FB.
“With so many breaches, they can get information and hack cameras that are out there, and be able to create a database of people all over the world, with information these people didn’t imagine is collected on them.”
FaceApp founder Yaroslav Goncharov has also released a statement on the issue, saying that user data is not transferred to Russia. “Most of the photo processing in the cloud,” he adds.
He continued: “We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.”
“We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date…. We don’t sell or share any user data with any third parties.”
Goncharov also said users can request that all their data be deleted by going to settings, then support, and opting to report a bug, using the word “privacy” in the subject line of the message.