FaceApp, the company that developed and runs the aging software used to do the popular online "age challenge," is based in St. Petersburg, Russia. The company uploads user-submitted photographs to the cloud.
FaceApp doesn't take all of the images off users' phones when they use the app. It only accesses the images that are uploaded.
It's unclear what FaceApp stores on its servers and what it does with that data.
The so-called "#AgeChallenge" went viral in mid-July 2019, starting with celebrities using technology from the St. Petersburg, Russia-based firm FaceApp to apply wrinkles, bags and gray hair to their faces. But almost as soon as people uploaded pictures of their "aged" selves on social media profiles came a backlash.
Days after the challenge went viral, software developer Joshua Nozzi took to Twitter and mistakenly raised the alarm that the app was uploading all of the images on users' devices, whether they selected them or not for the challenge (the app transforms people's uploaded photographs to show them smiling, sad, etc.). Then came sensationalist headlines reporting (falsely) that "Russians now own all your old photos."
Before long, the panic reached fever pitch, with Democratic lawmakers calling for investigations and warning the technology could be used for election meddling similar to what occurred in the 2016 U.S. presidential election.
Although FaceApp is based in Russia, that detail alone is not a cause for concern, said Will Strafach, a security researcher and CEO of Guardian Firewall, because "anyone from anywhere in the world can access a server and data on it."
So far, no evidence exists supporting fears that using FaceApp creates a national security risk. Instead, concerns relate to personal data privacy. Strafach said many users believed that the images they filtered through the app were processed locally on their phones, but FaceApp actually uploaded the images to the cloud.
"Nobody knew this data was being uploaded, and no one was able to say whether they were comfortable with that," Strafach told us. "They should have had informed consent, and the reason people are so upset is that they didn't have that choice." Strafach also said he wasn't impressed with the company's public statements in response to fears about the product, stating it did little to assuage concerns about what FaceApp would do with the images once they were uploaded.
In a statement sent to TechCrunch (FaceApp has yet to respond to our inquiries), FaceApp said the company only uploaded photographs selected by users, not entire camera rolls, and that it accepts requests from users to delete data from the servers. The company also said it doesn't share or sell data to any third party, and that, "Even though the core R&D team is located in Russia, the user data is not transferred to Russia."
But Strafach said he was bothered by the company's vague statement that "most" of the images were deleted after 48 hours, and that officials offered no proof of that. He also expressed concerns about whether the company had adequate security measures to protect the collected data from hackers.
"Nothing in the app made me suspicious until I started seeing their answers. I don't know what to think because only they know what’s on their servers, that’s the bottom line," Strafach added.
The user agreement that gives the company wide leverage is a symptom of a bigger issue, Bannan said. "It’s a problem that we really do not have privacy protection [legislation] in the U.S."
FaceApp also isn't new: when the app itself first went viral in 2017, technology experts raised privacy concerns. In light of the 2016 election-hacking scandal in the U.S. presidential fight between Donald Trump and Hillary Clinton, said David Carroll, associate professor of media design at New York's New School, "The trust in tech has collapsed, and people are more suspicious of Russia."
Ben Lamm, CEO of the AI technology and service company Hypergiant, told us in an email that, "Any mass aggregation of highly personal information including a likeness to unknown parties should be considered very carefully." He added:
FaceApp is based in Russia, and with that comes concerns about data transfer, data privacy, and government access to data. However, regardless of whether or not the Russian government has malicious intent relevant to this data, anyone could have malicious intent and we have no idea how secure or insecure the data is that the FaceApp team is handling. The general insecurity of all of our data should be the broader national security level concern we must grapple with as a nation.
These types of scandals are exacerbated by the fact that the U.S. lags behind other countries, particularly those in Europe, in enacting data-privacy legislation, Bannan said. But on a positive note, Congress is drafting bills on the issue, she added.
"There is hope something could come out of this Congress. There seems to be genuine bipartisan commitment to agreeing to a bill, but it’s ongoing now," Bannan told us. "There's always the hope that stories like this get members of Congress to pay attention and give more urgency to passing something."
Lamm added that the fact the viral challenge spread so quickly "does show the ease with which potentially malicious products or news can spread that seem 'fun.' What else can spread while also stealing our information or potentially attacking our systems? We must become a culture that learns to ask questions and protects ourselves."
In summary, no evidence exists that FaceApp gave any information from its servers to any third party, including the Russian government, and using the app doesn't result in a person's entire camera roll from a phone being uploaded, either. But as experts have pointed out, the current concern lies with the company's lack of disclosure about uploading images to its servers, and a lack of transparency about what it does with the data.