Is FaceApp Dangerous? An Investigation into the Viral App's Privacy Policy

Iris Hearn


Published on July 24th, 2019


If you’ve been on social media in the last week, you may have noticed the people in your feed looking a bit… different.

These humorous photos are the work of FaceApp, a smartphone app that transforms your face into a (scarily realistic) depiction of what you may look like in a few decades. 

While its “old” filter is what caused the app to go viral, it also offers a variety of other (equally realistic) effects, like “young,” “smile,” and other ways to transform your face. 

Seeing this all over the internet prompted many (including me) to join the bandwagon and see how their elderly personas may look. 

(I was going to share mine here but I’m scared of getting old and the photos upset me) 

However, soon after, the app went viral for another reason: Privacy concerns. 

Essentially, FaceApp’s strict privacy policy language, combined with the fact that all data runs through a Russian-owned company, quickly sent many into a panic that Russian hackers could gain access to their private data. 

This controversy brings to light exactly what we’re allowing companies to access when we use their services, and it also provides a lesson to brands about transparency in data collection and usage. 

FaceApp privacy issues 

The reason public panic set in was mainly due to the permissions you have to allow in order to use the app to edit photos. 

Essentially, you have to give the app access to all your camera roll photos, which appear directly in the app’s home screen rather than a separate “camera roll” screen as other apps have. 

This, combined with the viral privacy concerns, caused people to think that FaceApp (and its Russian developers) now had access to every photo in your camera roll. 

Not only that, but an article from Forbes suggested that the app may have access to even more than just your photos: 

“To make FaceApp actually work, you have to give it permissions to access your photos — ALL of them. But it also gains access to Siri and Search .... Oh, and it has access to refreshing in the background — so even when you are not using it, it is using you.”

Understandably, this caused uneasiness among many.  

However, as the news became more widespread, more technical experts tested the app themselves and weighed in on how your data is actually shared, stored, and processed within FaceApp, and what threat it poses to the security of its users. 

The reality of FaceApp’s privacy policy 

Upon further review by experts, it appears that things aren’t as bad as they may seem. 

While the app does have access to your photos, it seems as though it only can access the ones you select for editing in the app. Per the app’s purpose, this makes sense, as it would need to see these in order to transform your picture with the desired filters. 

Still, even though the app may not have access to as much as we thought, the app’s roots in Russia may make users uneasy regardless. However, Forbes reported that data from the app is sent to servers mainly based in the United States, not Russia: 

“This all turns out to be another of the Web’s many storm-in-teacup moments. A security researcher who goes by the pseudonym Elliot Alderson (real name Baptiste Robert) downloaded the app and checked where it was sending users’ faces. The French cyber expert found FaceApp only took submitted photos — those that you want the software to transform — back up to company servers.”

“And where are those servers based? Mostly America, not Russia. A cursory look at hosting records confirmed to Forbes that this was true: The servers for FaceApp.io were based in Amazon data centers in the U.S. The company told Forbes that some servers were hosted by Google too, across other countries, including Ireland and Singapore. And, as noted by Alderson, the app also uses third-party code, and so will reach out to their servers, but again these are based in the U.S. and Australia.”

So, even though the app’s servers are not Russian-based, what data is stored within the app’s servers, and why? 

To answer this question, FaceApp founder Yaroslav Goncharov weighed in, telling Forbes:

“We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.”

“We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”

Essentially, it’s just like when a user visits your website: you can access their in-app or on-site activity, but you can’t see what other websites they currently have open, or any other specific details on their computer. 

Additionally, if you’re still uncomfortable with FaceApp having this data, Goncharov noted you can request to have all of your user data wiped entirely with the following steps: 

  1. Go to “Settings” 
  2. Click on “Support” and then “Opt to report a bug” 
  3. In the text box, ask for your data to be deleted from the app (Note: Goncharov says by putting “privacy” in the subject line, it can help your matter get dealt with more quickly) 

State of data privacy in 2019

What’s interesting about this public outcry over FaceApp is that it seems to be rooted in its seemingly alarming terms of service language. However, it’s actually not much different than other widely used apps like Facebook, Instagram, Twitter, or TikTok.

It didn’t take long for this comparison to become its own kind of “meme” on social media: 

While I’m not trying to completely discredit concern over FaceApp’s “perpetual, irrevocable, nonexclusive, royalty-free” rights to your content produced in-app, it is worth noting that we regularly grant the same level of access, if not more, to apps like these, and they’re just as free to use the data however they want. 

For example, YouTuber Cody Ko learned his lesson on TikTok’s data access levels the hard way, and shared a video about his experience. 

I won’t dig into the details, but essentially, Ko made a video poking fun at the app, and made a few TikTok videos in the process. 

Although his account was set to private, he noticed that TikTok was using screenshots of his videos posted in the app as advertisements on Facebook. 


After looking at the app’s Privacy Policy, he saw that TikTok was, unfortunately, well within its rights to do so. 


Does that language sound familiar? 

My point is that when we download apps to our phone or give information to websites, we’re often giving up more than we may think as we scroll through the terms of service. 

If you’re worried about FaceApp, you may want to re-evaluate the other apps you’re using as well. 

What companies can do about data transparency 

The main issue with situations like FaceApp’s privacy policy is that its users feel “tricked” when they find out what they’re agreeing to when downloading. 

Sure, you could read the full Terms of Service before downloading, but we all know how rare that is. Still, it makes users feel like these claims were “snuck in,” knowing most people would never see them. 

The fact is, many apps and websites rely heavily on customer data to run and gain analytics to improve. 

So as a marketer who relies on this data, what do you do? 

The first step is transparency. Be upfront with exactly what information you’re collecting, where it’s going, and what you’re planning to do with it. 

This allows users to make a more educated decision if they want to use your app. Sure, it might turn off some users, but it’s better than making your audience feel as though you’ve intentionally misled them. 

For example, after the backlash, FaceApp updated its features and now shows a clear message asking users for permission to send data to the cloud, and what they need this access for. 



Additionally, when it asks users to grant permission to access photos, it added a note explaining why.


While this doesn’t cover all the concerns, it does make users more educated on what exactly they’re signing up for when using the app. 

Whether you have an app or a website, there are valuable lessons to be learned here. Make sure you’re transparent with your customers on what you’re collecting and why. By making it clear exactly what you’re planning to do with collected data, you can put customers at ease and avoid making them distrust you if they want to know more about your data policies. 

When you’re upfront, you control the story, and it’s better for everyone involved. People deserve to know what the data they’re providing to you is going to be used for. 

Additionally, with privacy laws like GDPR in effect (which will inevitably become more widespread) it’s smart to have good data practices in place now so it’s second nature if stricter laws become enforced. 

Overall, as brands, it’s our responsibility to communicate things like this to our customer base clearly and transparently. Like any other marketing tactic, transparency is key in building brand trust and ultimately leveraging that trust to create a loyal following of customers. 
