FaceApp isn’t taking all of your photos, but the privacy concerns are very real

From shady fine print to Russian law, FaceApp's geriatric filter may not be worth all the fun.

Using FaceApp to figure out how you’ll look when you’re old and wrinkly may be the viral sensation of the week, but that fun may not be worth it once you look at the fine print.

Users don’t have to explicitly click on any user agreement and aren’t forced to read through FaceApp’s privacy policy before using it, but when users apply “old” filters to their photos, they are giving FaceApp license to display their photos worldwide as well as access to location data, according to the fine print.

The app does not appear to be uploading users’ full camera rolls in the background, however, as software developer Joshua Nozzi incorrectly claimed on Twitter.

After downloading the app, users are prompted with an option to have FaceApp access their camera rolls. This is done so they can select photos to modify with the app. When users select a photo, the app uploads that photo to their server, and — this is key — does not appear to upload any other photos to their server, according to Guardian App CEO Will Strafach, who used a network traffic analyzer to test the app. Researcher Baptiste Robert found similar results.


“When I granted [FaceApp] photo library permission, it did not do that full upload that was being claimed,” Strafach told CyberScoop in an interview. “I found that when I selected a photo it actually then does an upload to the server of a file size about the size of a photo.

“There’s no indication that they were going to send this to a server so [they] can analyze it and apply these filters,” Strafach told CyberScoop.

Two years ago when the app first went viral, interviews with FaceApp CEO Yaroslav Goncharov — a former executive at Yandex, the Russian version of — often focused on the artificial intelligence behind the app. But concerns about data transfers show how people really aren’t knowledgeable about policies or nefarious surveillance they may be unwittingly subjecting themselves to, Strafach said.

“Because it was so non-obvious that it was being uploaded to a server, that was never reported on because that was not something anybody noticed,” he said. “[Users] don’t have informed consent here if it’s so non-obvious.”

Consumers often don’t have to read through the fine print of privacy policies and user terms before using many apps that may have access to sensitive data. But the concern here is that because the company is headquartered in Russia, it could be beholden to the Russian government, and users could be unwittingly advancing nefarious Russian interests, in ways that may not be apparent even in user terms.


No guarantees

Although photos uploaded to FaceApp may be looked at in St. Petersburg where the company is headquartered, it’s not apparent that the FaceApp servers are feeding information directly to the Kremlin. Although FaceApp notes it may hand over information in response to legal requests from outside of the U.S., FaceApp’s servers are based in Amazon data centers in the U.S. and Australia, according to Forbes.

But two years ago, Goncharov told The Verge that FaceApp doesn’t track GPS data. In fact, users are actually giving up their location to the app, which FaceApp may share with other businesses and third-party organizations, according to FaceApp’s privacy policy.

Goncharov also told The Verge FaceApp will not sell users’ data. However if FaceApp gets acquired or otherwise changes ownership, user content and other information may be sold or transferred as well, according to the privacy policy.

Users are also allowing FaceApp to publicly reproduce, modify, or display users’ likeness anywhere in the world by using the app, according to the terms of use.


“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content,” the policy notes. “When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.”

Deceptive tactics

While technically these users are not giving up their details unwittingly — by clicking into the app users are presumed to have agreed to the terms and conditions — Sen. Mark Warner, D-Va., has introduced bipartisan legislation to try and change deceptive user interfaces and agreements.

The legislation, albeit targeted towards reining in large social media companies, shows there may be momentum on Capitol Hill to change the way user agreements are presented to consumers.

CEO and Founder of Common Sense Media Jim Steyer told CyberScoop more needs to be done to protect consumers and their sensitive data when reached for comment about FaceApp.


“The burden of safeguarding sensitive data should not rest on consumers alone,” Steyer said.

Sen. Chuck Schumer, D-NY, has asked FBI Director Chris Wray and Federal Trade Commission Chair Joe Simons to assess whether Americans’ data on FaceApp is ending up in the hands of the Kremlin and whether there are sufficient protections for Americans’ privacy in using the app, respectively, according to a letter Schumer sent them, which CyberScoop obtained.

The FTC confirmed it had received the letter but would not comment on whether its responses would be made public. The FBI had no comment.

Low-hanging fruit

Strafach, who often analyzes suspicious apps, said there may be other photo manipulation apps that toe the privacy line, noting, “maybe FaceApp is the one that got caught.”


Strafach said the way the company wasn’t transparent about their server upload process raises some questions about how the company will use the data it does have — and how seriously it takes security.

“Can the company be trusted?” Strafach said. “How seriously locked down is this database, who has access to it, who can be bribed to get other people access to tons and tons of facial data?”

FaceApp caveats its entire privacy policy by noting that nothing in the terms guarantees information given to FaceApp will not be accessed or disclosed.

“FaceApp cannot ensure the security of any information you transmit to FaceApp or guarantee that information on the Service may not be accessed, disclosed, altered, or destroyed.”

FaceApp did not immediately return a request for comment.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
