When it comes to viral applications and videos it is important that you look (or at least read the permission settings) before you jump.
I am sure by now you have seen your followers on social media look a bit different - more gray and an age increase by 30 years perhaps? You can thank FaceApp for the new, funny phenomenon and slight privacy scare. Earlier today there were several reports regarding some privacy and security issues have arisen. Reports showed concerns around:
Access to your entire camera roll vs an individual photo
Where the company is processing your photo (whether it is local to your device or sent to Russia)
Why the application still had access to photos despite permissions being denied.
(As a disclaimer: users should ALWAYS first read the permission settings before allowing access to your account / devices)
The viral AI photo editor, developed by a small team out of Saint-Petersburg, Russia, allows users to edit a person's face and make them appear older or younger. You might remember this same application going viral a few years ago when it allowed for a person's photo to be morphed and bend reality by adding a smile or perhaps a filter.
The scare kicked off after a couple of tweets claimed that FaceApp uploads all of your photos to the cloud. The claim has been denied by the company (included below), as well as multiple security researchers, and there is no evidence that the app is sweeping up entire photo libraries. Some are skeptical because of the location of its research lab, Russia, especially with the recent wrap up of investigations regarding meddling in US elections.
What is important to take away from this viral explosion is that you should always think twice before giving access to your information or accounts. A way to protect yourself, outside of opting out of participating in viral trends, is to check the level of access an application is requesting before granting it. Is it asking for full read and write access? Is it asking to alter information despite it only needing read access? Another way to protect yourself is to read a company's privacy policy when you are allowing them any access to your information. Privacy policies tell the public the what and how of their information being collected as well as what a company does with it after collection. Faceapp's can be found here.
FaceApp CEO Yaroslav Goncharov provided the following statement:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using "Settings-> Support-> Report a bug" with the word "privacy" in the subject line. We are working on the better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don't log in; therefore, we don't have access to any data that could identify a person.
5. We don't sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Additionally, we'd like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don't do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.