This article was published on July 17, 2019

PSA: FaceApp can use your uploaded photos and your likeness for “commercial purposes” (Updated)


PSA: FaceApp can use your uploaded photos and your likeness for “commercial purposes” (Updated)

FaceApp appears to be having a viral moment, again.

The two-year-old AI-driven photo editor from Russian company Wireless Lab, which rose in popularity for its realistic facial transformations in photos, is back in the spotlight.

This time it’s for a new aging feature that allow you to edit a person’s face to make them appear older or younger.

This has recently triggered an #AgeChallenge (also #FaceAppChallenge) on social media, and everyone’s hopping on board. But with the sudden surge in popularity have come renewed questions about privacy, and whether the app is doing enough to protect users’ data.

Does it upload all your photos?

The latest privacy kerfuffle appears to have been kicked off by a tweet (since deleted) from app developer Joshua Nozzi who cautioned users against using FaceApp. He claimed the app uploads all your pictures in the library to its servers.

But the legitimacy of this claim has been seriously contested by various security researchers, who said there’s no evidence for this behavior. Technical analyses have found that the app does not upload a person’s entire library of photos or open their data to third-parties.

However, what FaceApp does is allow users to select an image to apply the neural network filters remotely — as opposed to locally applying the edits — i.e. on users’ devices without uploading information to the company’s servers.

Ambiguous privacy policy strikes again

The app makers don’t make this explicitly clear in their privacy policy as well. It neither mentions processing photos on their servers nor states how long it retains uploaded photos.

The policy does acknowledge that it collects photos (including metadata) and personal information (email addresses), and that the collected information may be transferred by FaceApp and its affiliates to other countries or jurisdictions around the world.

Even worse, this applies even if you are located in the EU or other regions that have more stringent data protection regulations.

Although there’s no evidence that the developers are doing anything questionable, FaceApp’s standard-issue privacy policy gives the company a lot of room to play fast and loose with personal information, effectively offering users no privacy protection at all.

What’s more, the terms of service (last updated: 08/03/2017) also gives FaceApp a free hand to do whatever it wants with them:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.

A problem of permission

Separately, concerns have been raised about how the app allows users to select a photo even if access has been denied. This, in turn, has been found to be an API Apple introduced in iOS 11 that makes it possible for you to select just one photo from the photo library. The effectively means the app cannot see your photos unless you tap on one.

But this behavior raises questions about why have this option at all when a user has set photo access is set to “never.”

The big picture

FaceApp has previously fielded accusations of “racism” for lightening skin tones, and criticized for adding ethnicity filters that allowed a person to see what it would look like if they were Caucasian, Black, Asian or Indian.

FaceApp is far from the only app to have shady data collection practices — there’s Facebook, and there are lots of other apps and services that turn user data into revenue through advertising and partnerships. But in this post-Cambridge Analytica privacy climate, it’s time to think twice before freely giving away your personal information.

More than anything, incidents like these serve to highlight the importance of going through apps’ privacy policies and terms of service before signing up to use them. So, the next time a social media fad catches on, be sure to read between the lines — because you might be giving up more than you bargained for.

Update on July 18, 2019 9:30 AM IST: In a statement to TechCrunch, FaceApp responded to the privacy concerns, confirming it only uploads  the photo users select for editing so as to ensure that the user doesn’t upload the photo repeatedly for every edit operation. It also said “most” of the uploaded photos are deleted after a period of 48 hours.

“We never transfer any other images from the phone to the cloud,” FaceApp said, adding “We don’t sell or share any user data with any third parties.” Founder Yaroslav Goncharov, in a separate statement to TechCrunch, told it uses AWS and Google Cloud for its backend service.

Cybersecurity firm Check Point Research echoed the findings by other security researchers, and said a network traffic analysis of the app revealed “nothing out of the ordinary” in the app.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with