Pin It
Lil Nas X uses FaceApp
Via Instagram @lilnasx

Is FaceApp actually stealing your data?

The newly popular software – which lets you turn yourself into a pensioner – has come under fire for its unusual privacy policy

So you just used FaceApp to make yourself look old and everyone had a good laugh – Lil Nas X did it, Billie Eilish joined the hype, even Gordon Ramsay managed to fit more wrinkles on his forehead. Fun and games, right? Well, maybe not as it turns out the AI photo editing app has a strange privacy policy.

FaceApp uses artificial intelligence to alter photos you upload to the app, enabling you to swap genders, age yourself, or – bafflingly – turn yourself into a hitman (it just makes you bald). Peaking in popularity this week, questions have been raised about what the Russian-owned app is actually doing with the photos uploaded.

Here, we break down FaceApp’s privacy policy, and explore whether you should be worried about what’s going to happen to your (now elderly) face.

WHAT DOES THE PRIVACY POLICY SAY?

First launched in 2017, FaceApp’s newfound viral fame has been ignited by the #FaceAppChallenge, picked up by numerous celebrities. However, many Twitter users have delved into the app’s terms and conditions and found a section that’s particularly troubling. 

The policy reads: “You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.” 

This effectively means that any photos you upload to the app could be used publicly by FaceApp, both in original and modified forms. You also give the app permission to use your name and username, and waive your rights to be paid if your information is “used for commercial purposes”.

What the privacy policy doesn’t make clear to users is that FaceApp uploads all photos to the cloud, unlike many apps which carry out on-device processing. This raises questions about whether FaceApp retains people’s photos even after they delete the app from their phone.

CAN THE APP OVERRIDE IPHONE PERMISSIONS?

Some users have pointed out that the app seemingly allows them to upload photos from their camera roll despite access being denied in iOS. While this initially seems concerning, TechCrunch reports that it’s actually a standard feature introduced in Apple’s iOS 11 software, which enables users to block an app from accessing their full camera roll, but still select individual photos to upload. This means if you have photo permission set to ‘never’, you can still go through your camera roll on the app, but it can’t see any images until you specifically tap one.

WHY ARE PEOPLE SO CONCERNED?

Users are rightly worried about their faces being used in marketing campaigns without their permission, and with no compensation. Though this is reportedly a fairly standard condition of these kinds of apps, the fact that FaceApp is created by developers in Russia is sparking even more concern about what the data might be used for, particularly given the country’s alleged controversial interference in the 2016 US elections. Then again, plenty of non-Russian apps on your phone have invasive surveillance methods, meaning FaceApp isn’t alone in its dubious conditions.

Further anxiety stems from whether FaceApp has access to users’ entire camera roll (if permission is granted to the app) – given people regularly screenshot private information, this could be a huge data breach. However, several sources found no evidence that the app gets access to photos not uploaded by the user, so unless you’ve tried to age your bank details, you’ll probably be OK on that front.

HOW HAS FACEAPP RESPONDED?

In a statement given to TechCrunch, FaceApp has shone more light on its privacy policy. The app confirmed that photo processing does in fact take place in the cloud, but that only images specifically selected by the user are uploaded, not the whole camera roll. 

When it comes to storing photos, the app explained: “We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.” This may not squash concerns though, given the app states “most” – not all – of the images uploaded are deleted.

The statement goes on to explain that FaceApp does accept requests if users want their data removed from the app’s servers. “Our support team is currently overloaded,” it reads, “but these requests have our priority.” The method of getting your data removed is pretty convoluted, with users having to go into the app’s settings, clicking ‘support’ then ‘report a bug’, and include ‘privacy’ in the subject line (“we are working on the better UI for that”).

Given FaceApp’s services are available without logging in, the app says it doesn’t have access to any data that could identify a person if they don’t log in.

Finally, addressing data sharing concerns, the app states: “We don’t sell or share any user data with any third parties. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.”

WHAT SHOULD WE TAKE AWAY FROM THIS ORDEAL?

FaceApp’s privacy policy is not unusual, so you should always be vigilant when uploading content to apps. It’s also worth weighing up priorities in your mind before downloading an app; is five minutes of debatable fun worth signing away the rights to your face? Besides, you’ll figure out in 40 years that you don’t age well – no point rushing it IMO.