FaceApp: Is this Russian startup misusing user data?

The FBI has been called to investigate it.

CBS News
  • FaceApp is a popular smartphone app that can take your selfie and make you look older.
  • Recently, some have claimed that FaceApp – created by a Russian company – could be misusing user data.
  • On Wednesday, the Democratic National Committee sent out a security alert about the app to 2020 presidential campaigns.


Some are concerned that FaceApp – the popular smartphone app that alters users' selfies to make them look old – might be misusing user data.

If you're one of the more than 100 million users who've downloaded the app since 2017, don't worry: There's no evidence to suggest that your photos or content have been stolen, or will be misused. But that doesn't mean you shouldn't take a closer look at what this app – and other popular apps – are doing with your data.

The FaceApp debacle started when Joshua Nozzi, a software developer and technical author, claimed on Twitter that FaceApp uploads all of users' photos to its servers, whether "you chose [a photo] or not." Nozzi later retracted that claim, and FaceApp issued a statement saying that, "Most images are deleted from our servers within 48 hours from the upload date." Privacy researchers have confirmed that FaceApp does not upload all of its users' photos to servers. The company does, however, upload single images – the ones users ask the app to manipulate – to remote servers, where it applies image filters.

This process wasn't made clear to users.

"I cannot think of any situation where an app should not be very painfully clear about a photo being uploaded to a remote server," Will Strafach, security researcher and developer of Guardian, an iOS firewall app, told Wired. "Users always have the right to know this."

Other privacy concerns arose over the company's terms of service agreement. Section 5 of the agreement, for example, "grants FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you."

And another concern stems from the fact that FaceApp was developed by Wireless Lab based in St. Petersburg, Russia. Of course, this doesn't necessarily tie the company to the Kremlin. (After all, the company's servers are based in the U.S. where they use Amazon's cloud.) But recent reports about the startup were enough to cause the Democrat National Committee to send out a security alert to 2020 presidential campaigns.

"This app allows users to perform different transformations on photos of people, such as aging the person in the picture. Unfortunately, this novelty is not without risk: FaceApp was developed by Russians," read the alert from Bob Lord, the DNC's chief security officer. "It's not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks."

On Wednesday, Sen. Chuck Schumer (D-NY) asked the F.B.I. and the Federal Trade Commission to investigate FaceApp.

"It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States," he wrote.

​Are these concerns unfounded?

It's tough to say for sure. FaceApp's terms of service agreement might sound a little overarching — and it is, in a way — but it's also pretty similar to agreements proffered by other popular apps.

"We always have concerns," Jeremy Gillula, tech projects director at the Electronic Frontier Foundation, told The New York Times. "The fact that a lot of apps and services usually contain this catchall clause that says you grant us worldwide license to reproduce, modify, adapt, create derivative works from, distribute, publicly perform and display your user content always seems a little over the top to me."

Nozzi, the software developer who first raised concerns over FaceApp, wrote in a blog post that there are still legitimate security concerns over FaceApp, even if he retracted his initial claim that the app uploads all user photos to its servers.

"The biggest oddity is that the app asks for full, unfettered access to your photos (on iOS) without really needing to. It then begins doing … something … with them that takes time, as they appear a few at a time, and rather slowly. The fact is, it doesn't need access to your photos at all. In iOS, apps can invoke the system's photo picker, a system-managed panel that lets users choose the images they wish to "give" to an app without granting it wholesale access to all your photos. Indeed, you can refuse it access to your photos and still use the button near the bottom to invoke this photo picker to give it just the photo(s) you want it to have. What are they doing with full access? What might they do in the future? Why request it at all?"

Of course it'd be scary to learn that an app has access to all of the photos you store on your phone. But it's worth noting that there's little preventing bad actors from using publicly available photos to do some pretty shady things — namely, create deepfakes. As Big Think reported in May, it's now possible for an A.I. to take one single photo and convincingly animate it. This has frightening implications on the future of propaganda: Soon, it could be easy for bad actors to make it appear as if their targets are doing or saying things they never did in real life.

But before that dystopian nightmare sets in, here are a few simple ways you can protect the data on your smartphone, as Nicholas Thompson, editor-in-chief at Wired, told CBS News:

  1. Delete apps that you rarely use
  2. Don't allow apps to access your location, or only allow an app to access location services while you're using that app
  3. For apps that you use a lot, like Instagram and Facebook, go into Support and disable options that allow the app to collect and send data back to the company
Scroll down to load more…