If you, like a shockingly large number of celebrities, recently downloaded FaceApp to predict what you’ll look like in old age, you may be unsettled to learn what you agreed to in the app’s terms and conditions.
After the app went viral this week, some noticed the legal document is worryingly vague. It gives the app permission to use your likeness, name and username, for any purpose, without your consent, forever, even if you delete it.
(This is the second time FaceApp has gone viral. Its first brush with fame, back in 2017, was boosted by outrage over filters that changed your ethnicity.)
FaceApp isn’t unique here. Many apps use similarly vague ― and frighteningly far-reaching ― boilerplate language in their terms and conditions. This should concern you about all apps, not just FaceApp.
You’ve agreed to similar terms if you use Twitter, for example:
But because FaceApp is the handiwork of developers in Russia, there’s an added bit of handwringing. Backed by those terms and conditions, some speculate the app could conceivably help build a database of photorealistic avatars that, when paired with bots, could result in a far more convincing fake profile on social media.
FaceApp founder Yaroslav Goncharov told HuffPost in an emailed statement it’s doing no such thing.
“We don’t sell or share any user data with any third parties,” he said. “Even though the core R&D team is located in Russia, the user data is not transferred to Russia.”
The company has also been accused of uploading users’ entire photo libraries to its own servers, but security researchers say the current version of the app doesn’t exhibit that behavior. (FaceApp does request full access to users’ photo libraries, but it isn’t required for the app to function.)
Will Strafach, the CEO of Guardian App, said he analyzed FaceApp’s network traffic to see what data it’s collecting and sending from your phone, and concluded the app is doing no such thing.
As noted by TechCrunch, Apple now permits apps to access a single photo in a user’s library if the user physically selects it, even if permission to access the entire library has been denied. That’s what’s happening in this case. Those single photos are then being uploaded to the cloud, where they’re edited by FaceApp.
FaceApp told HuffPost it performs edits in the cloud to boost performance and cut down on traffic, and that most photos are deleted 48 hours after they’re uploaded.
“They do appear to upload single images in order to apply the filters server-side,” Strafach said in a tweet. “While not as egregious, this is non-obvious and I am sure many folks are not cool with that.”
There’s an old and overused cliche in tech that if you aren’t paying for a product, you’re not the customer — you’re the product.
It’s overused because it’s often true. Many apps (hey there, Facebook) generate revenue by vacuuming up personal data, some for nefarious purposes like sharing your real-time physical location with robocallers.
Although FaceApp forces users to agree to an imposing and far-reaching set of terms and conditions, Goncharov said that’s not the case with FaceApp.
Here’s Goncharov’s entire statement:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on a better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
5. We don’t sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of the network sniffing tools available on the internet.