Viral FaceApp Reignites Data Privacy Discussion

July 18, 2019

By Rebecca Heilweil

The online proliferation of FaceApp — which supports the popular AI-powered tool artificially aging faces in photos — has sparked another discussion over how users approach their privacy.

After FaceApp was pushed by a slew of celebrities, including the Jonas Brothers and Drake, the app began to draw criticism for its privacy protections — or, critics say — lack thereof. Those concerns include the app failing to notify users photos were being uploaded to the cloud, confusion as to how long the app stores images of users' faces, and its development origins in Russia.

"When you start to look through their end user license agreement, essentially, the data that's collected can be sent anywhere around the world, regardless of whether or not you have things like [the European Union's General Data Protection Regulation] that govern data privacy or the California Data Privacy Act," Rick McElroy, the head of security for Carbon Black, told Cheddar. "So yeah, it's a little concerning based on their language."

McElroy said we need "this movement towards clear language for consumers. Show me where my data goes. Show me where it stays."

He added that regulations might be necessary to force companies to be more transparent. "Consumers are going to have to demand that this occurs," McElroy said. "Most people out there don't have time to be a full privacy expert, or a full information security expert, and these companies aren't helping that cause."

Washington has certainly taken note of the criticisms facing the app.

On Thursday, Sen. Charles Schumer (D-N.Y.) sent a letter to both the FBI and the Federal Trade Commission asking the agencies to investigate the app. A day earlier, the Democratic National Committee reportedly warned the 2020 campaigns to encourage their staff not to use the app.

Cheddar reached out to the Republican National Committee asking whether it had issued a similar warning to its staff. The DNC also did not respond to a request for comment.

According to CNN reporting, DNC chief security officer Bob Lord told staffers in an email that "[t]his app allows users to perform different transformations on photos of people, such as aging the person in the picture. Unfortunately, this novelty is not without risk: FaceApp was developed by Russians."

Lord reportedly wrote that he recommended "campaign staff and people in the Democratic ecosystem" not use the tool.

Following backlash, the company behind FaceApp shared a statement with TechCrunch explaining that the company only uploads the single photo selected by users to the cloud and that user data is not transferred to Russia, among other privacy assurances.

Its CEO also said most of the images it collects are deleted in 48 hours, but McElroy said the company's statement isn't enough.

"It's about trust and verification. Show me that that process exists. Show me the code that automatically deletes that data," said McElroy. "Technology companies need to more transparent, not less, with this stuff."