FaceApp security concerns arise as Russian-owned face-aging app goes viral

As FaceApp draws viral attention on social media for a popular service that allows users to post aged photos of themselves, privacy experts are warning that the Russia-based firm’s terms of service could pose a data security risk to consumers.

FaceApp, which is owned by Russian startup Wireless Lab, uses artificial intelligence to alter selfies uploaded by its users. The app, which is available on Apple’s App Store and the Google Play store, became a social media sensation this week, with countless users and celebrities, including comedian Kevin Hart and singer Carrie Underwood, posting photos of themselves that were edited using FaceApp.

As the trend went viral, data privacy experts noted that FaceApp’s terms of service and privacy policy grant the company rights to any uploaded photos, including for potential commercial use, and raised questions about how FaceApp uses and stores data. FaceApp also drew criticism from Senate Minority Leader Chuck Schumer, D-N.Y., who called on Wednesday for the Federal Trade Commission and the FBI to investigate FaceApp's practices and raised questions about the company's ties to the Russian government.

"In particular, FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments," Schumer said in a letter to both organizations. "As FBI Director Wray himself pointed out earlier this year, Russia remains a significant counterintelligence threat. It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States."

Tech firms around the world have faced unprecedented scrutiny over their data practices in recent months in the wake of the Cambridge Analytica scandal, where a British firm improperly accessed the data of up to 87 million Facebook users. While no evidence has surfaced that FaceApp is misusing photos or other data, experts said the public should exercise caution when using the service, since the exact depth of FaceApp’s access and potential usage of data remains unclear.

“At the moment, there is nothing to indicate that the app is taking photos for malicious intent. However, it is important for consumers to be aware that certain countries have shown little regard for the privacy of people using technologies based there,” said Gary Davis, McAfee’s chief consumer security evangelist. “It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing.”

According to FaceApp’s terms of service, users grant the company “a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use” content, including photos, without providing notice or compensation. The open-ended nature of that clause could pose a risk to users over time, according to Privacy International, a U.K.-based charity.

"People are right to be alarmed by terms of use like the one FaceApp has — as they should be with similar apps," Privacy International said in a blog post. "It is not clear how FaceApp stores, uses, or manipulates peoples' data, including the detailed biometric maps of their faces, and this could change over time as profit incentives and technologies change."

In a lengthy statement to TechCrunch, FaceApp denied that it accesses the photo libraries of its users without permission or sells data to third parties. Most photos uploaded to FaceApp servers are deleted within 48 hours, the company added.

“Even though the core [research and development] team is located in Russia, the user data is not transferred to Russia,” the company said.

Last year, the European Union implemented the General Data Protection Regulation, or GDPR, to establish data privacy standards for companies active in the region. U.S. lawmakers are considering whether to pursue similar regulations.

Elizabeth Potts Weinstein, a Silicon Valley-based lawyer, noted that FaceApp’s privacy policy is “not remotely GDPR compliant.”

Concerned users should refrain from enabling apps that ask for access to personal data, according to Davis.

“A good security practice is to only share personal data, including personal photos, when it’s truly necessary,” he said.

This story has been updated.