FaceApp is the most popular free app on Google Play and Apple's App Store thanks to an age filter that makes people in photos look much older. But while countless photos of aged celebrities and casual FaceApp users have been shared online in the past week, there are mounting concerns with how FaceApp handles user data.
FaceApp first became popular in 2017; the app uses artificial intelligence to alter people's faces with a variety of filters. Photos added to FaceApp are uploaded to a server for processing before being sent back to the user.
Understanding FaceApp's policy on paper
FaceApp's terms of service give the company licence to use photos and other information uploaded by users for commercial purposes, including their names, likenesses, and voices. The terms of service also say that FaceApp may continue to store user data after it's deleted from the app.
The company said the data could be retained to comply with "certain legal obligations," but there is no limitation on how long the data can be kept.
Furthermore, FaceApp's privacy policy says that all information collected by the app can be stored and transferred to whichever countries FaceApp and its affiliates operate from. This means user photos and app data can be stored in Russia, the country where the app's development team is based.
TechCrunch reported that FaceApp is using Google and Amazon-owned servers in the US.
FaceApp did not immediately respond to a request for comment.
FaceApp issued a statement to address privacy concerns
FaceApp provided TechCrunch with an itemized statement to clarify its policy amid the privacy concerns. Though the terms of service suggest that data can still be transferred to the Russian development team, the company says user data remains on the server side.
FaceApp says photos stored on the server are kept to make the editing process more efficient for its users and that the photos are usually deleted within two days.
The company said it also accepted user requests to remove all personal data from their servers. However, FaceApp said the support team was backlogged with those requests. FaceApp also says 99 percent of users choose not to log in, so they don't have much in the way of identifying information.
Russian tech companies face increased scepticism
Last year, the former special counsel Robert Mueller's office charged more than a dozen Russian citizens with crimes related to a vast social-media campaign meant to influence the 2016 presidential election. The St. Petersburg, Russia-based Internet Research Agency used false identities on Facebook, Twitter, and other social-media platforms to spread fake news and propaganda.
While the actions of some bad actors in Russia should not condemn every Russian-based company, some FaceApp users and critics are reasonably concerned that their names and photos uploaded to FaceApp could end up being misused or leaked to the wrong company. FaceApp's statement said they wouldn't sell data to third-party companies and that data was not being transferred to Russia.
There are some additional security concerns with the iOS version of FaceApp because of the way iPhones handle photo security. While users can block FaceApp and other apps from viewing their full photo libraries through the iPhone's settings, TechCrunch reported on a loophole in iOS 11 that gives apps permission to access one photo at a time if the user grants permission.
So far, security experts have not detected any unusual practices with the current version of FaceApp, but as with all apps, users should be mindful of their lack of control when sharing photos and other personal data.
This article was originally published by Business Insider.
More from Business Insider: