The viral face changing app called FaceApp, which has been becoming viral for the past few days, is not exactly the most privacy-driven product. The app is made by a Russian company that sends photos from your device to its servers and also has the rights to retain the image for as long as it deems necessary.
Many Twitter users have thrown caution in the wind regarding the way FaceApp handles user data. Elliot Alderson, who has earlier given details on a possible data breach of the Aadhaar database, says that FaceApp heavily uses Firebase, Facebook SDK and AccountKit which he says are tools that can be used to track users' online.
" Elliot Alderson (@fs0c131y) July 16, 2019
If you are thinking of using the #FaceApp consider Section 5 of the ToS & that you grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable licence to use your content (and which may be of your friends or colleagues)
" Privacy Matters (@PrivacyMatters) July 17, 2019
FaceApp's terms of service explicitly states "a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you."
HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that.
" Will Strafach (@chronic) July 17, 2019
Many users had said that FaceApp collects your entire camera roll and uploads them to its cloud servers but security researcher Jane Manchun Wong has said that only the photo which is clicked for the purpose of using a filter is uploaded to the cloud. There is, however, no method for users to delete this photo although the company claims that it itself deletes the photos within 48 hours of uploading.
I am not seeing much fishy in FaceApp
Photos are uploaded to FaceApp's servers on AWS w/ authorization. Not much info is being sent to FaceApp's servers other than user metrics (e.g. ui interactions)
I just wish there's an option for users to delete their photos from the server
" Jane Manchun Wong (@wongmjane) July 17, 2019
While the app is certainly Russian based, the servers are located in the US on Amazon's cloud service called AWS. "People give photos to lots of different apps. I think this is probably getting attention because it's Russian developers," said Christine Bannan, consumer protection counsel at the nonprofit Electronic Privacy Information Center