A photo editing app has introduced a few new wrinkles to the faces of celebrities — and to the ongoing discussion around personal digital security.
FaceApp, a more than 2-year-old app created by a Russia-based developer, has seen a recent spike in use due to some celebrities and influencers taking part in the “FaceApp Challenge.”
The app has a host of image-altering features such as adding a smile or appearing to change a person’s gender. Those taking part in the challenge are using the app to make themselves appear elderly, giving fans a preview of what their favorite athletes or celebrities would look like once they become senior citizens.
The recent spike in traffic to FaceApp has also given way to memes about certain famous faces who never seem to age, like the actors Paul Rudd and John Stamos.
But the sudden popularity of the app has also triggered growing concerns about how apps use the data and images supplied by users, particularly those that are owned or operated outside the U.S. One such concern for FaceApp centered on whether the app could access user photos without permission. Researchers found that those concerns were unfounded.
Despite the exoneration, security experts have mixed feelings about the app. They said it isn’t likely the app is stealing entire camera rolls of photos from its users, but added FaceApp is not completely risk free.
The Democratic National Committee felt the app posed enough of a risk to send an alert to its party’s presidential campaigns on Wednesday, warning against using the app that was “developed by Russians,” according to a source familiar with the alert who was not authorized to speak publicly. The warning was first reported by CNN.
Justin Brookman, director of privacy and tech policy at Consumer Reports, said the app’s user agreement should concern its fans.
“I would be cautious about uploading sensitive data to this company that does not take privacy very seriously, but also reserves broad rights to do whatever they want with your pictures,” said Brookman, a former policy director for the Federal Trade Commission’s Office of Technology Research and Investigation.
Brookman said that FaceApp’s privacy policy allows the company to do whatever it pleases with photos uploaded to its server, and the app’s terms of use gives the company broad license to use the photos as it sees fit.
“They could turn them into stock photos or advertisements in Russia,” Brookman said. “But I don’t know how much the Russianness is concerning, although Russia has been known to use personal information in the past.”
FaceApp denies collecting information on user’s identities or selling their images.
In a statement, FaceApp said that “99 percent of users don’t log in; therefore, we don’t have access to any data that could identify a person,” and added that they “don’t sell or share any user data with any third parties.”
FaceApp said most of their photo editing is done off of a user’s device in remove servers, and the image that is uploaded must be selected by the user. Additionally, most photos are held on remote servers for approximately 48 hours before being deleted, the statement read.
“We accept requests from users for removing all their data from our servers,” FaceApp’s statement said. “Our support team is currently overloaded, but these requests have our priority.”
Brookman said the company’s statement doesn’t reassure him that the company isn’t keeping or using the images for its own benefit.
“They say they only retain the photos for so long, and that you can have them removed, but that’s not necessarily reliable,” he said. “In some ways their statement raises many questions about their additional policies.”
On Tuesday, Baptiste Robert, a French security researcher who also goes by Elliot Alderson, fact-checked concerns about the app’s uploading of photos by looking at the backend of the app and concluding that the only image the app was uploading was the modified “aged” image.
“I found that FaceApp is not uploading the full gallery of the user. Only the photo the user is modifying is uploaded to their server in order to apply filters,” Robert told NBC News via email on Wednesday. “In general, this app is not asking a lot of data from the user.”
Will Strafach, a security researcher and CEO of the Guardian Firewall app, tweeted that he was unable to replicate any claims of the app uploading a full gallery of images without permission. However, he did say users might be unaware the app was uploading the single modified image in order to apply the filters.
“They do appear to upload single images in order to apply the filters server-side,” Strafach wrote. “While not as egregious, this is non-obvious and I am sure many folks are not cool with that.”
During his research, Robert said he found that FaceApp was asking only for information such as what type of phone model a person is using and service identification information. He added that FaceApp relies heavily on third-party services through U.S.-based companies like Facebook.
In general, Robert said he hopes people will be wary of uploading any information to any app they’re not familiar with.
“People should know that giving a photo of their face to a random app is a very bad idea and has a lot of privacy issues,” Robert said. “They have no idea how their photo can be used.”
Brookman said he feels that people have become more skeptical about technology.
“People are starting to worry in ways maybe they didn’t when social networking first rolled out,” Brookman said.
He added that the responsibility should not be on consumers to read privacy policies to know what the risk of each app is. Still, he said that although he doubts FaceApp is doing anything seriously shady, he urged users to remember that they’re giving up control of their image when they upload pictures to the app.
“I wouldn’t download it. It looks kind of cool, but even then I wouldn’t feel comfortable turning over my photos and saying you can do whatever you want with these in order to find out what I’ll look like in 10 years,” Brookman said. “I think I’ll wait 10 years.”