Your photo isn’t processed locally in your device.

I can see why FaceApp choose to upload user’s photo to their server and process them in their server:

From a business perspective, hiding the photo processing code in their server makes it hard for potential competitors from copying. It also makes piracy harder

— Jane Manchun Wong (@wongmjane) July 17, 2019

It’s actually processed in the cloud. 

But what does that mean? Simply that whatever photo you upload on FaceApp goes to their servers, where they do their magic on your photo to make you look older. Well, it’s not for nothing. 

The quite plausible reason behind this move is that the processing power needed to add years to your face realistically requires more than the power you have on your device. While more recent Android phones and iPhones have machine learning installed in their hardware, older versions of smartphones don’t have this yet, thus there’s a need for a more powerful server. And of course, FaceApp probably wants to protect its trade secrets, and it’s much easier to protect those secrets when they have it on their servers instead of the millions of devices of its users.

Earlier this year, Facebook was similarly accused over the viral “2009 vs 2019” or “10-Year Challenge” meme when a Wired article argued that Facebook was using this meme to create a data set for machine learning. The internet was quick to react, but this argument was debunked when New York Magazine said that the social media giant doesn’t need more photos of its users when it already has tons, with each one having a timestamp. Though that doesn’t really bring much comfort.

It uses servers in Amazon and Google.

Another thing you need to know about any app you use, especially when you submit any sort of data, is where that submitted data is stored. FaceApp revealed in a statement that its servers are actually located mostly in the US using Amazon Web Services (AWS) and Google Cloud. 

However, even if their servers are located in the US, FaceApp’s developers are actually based in Russia, which makes it possible for the Russian intelligence to demand data from FaceApp if deemed legal. Though that doesn’t mean they can easily extract the data from its servers in AWS.

It doesn’t actually store all your photos.

HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that.

— Will Strafach (@chronic) July 17, 2019

It’s only the photos you select to upload.

And French cyber-security researcher Elliot Alderson (a pseudonym) did a quick sweep of the app and found out that no, the app doesn’t upload your photos to their servers in bulk.

FaceApp also states that it saves uploaded photos in its servers to improve performance and lessen traffic and that they delete these photos within 48 hours. This makes sense in a way, but we’re sure not all users are comfortable with this, especially since the app doesn’t actually make clear to its users that it’s sending the photos to a server, as Guardian App CEO Will Strafach points out in a tweet.

Similarly, Snapchat went under fire in 2015 when it updated its terms of service, scaring a lot of people with terms like “perpetual right” and “your likeness” into thinking that Snapchat will own all photos uploaded into the app. Snapchat’s developers were quick to shut this down, but of course, users of any app should still be wary of whatever they upload.

Its terms of service uses broad language.

If you use #FaceApp you are giving them a license to use your photos, your name, your username, and your likeness for any purpose including commercial purposes (like on a billboard or internet ad) — see their Terms: https://t.co/e0sTgzowoN pic.twitter.com/XzYxRdXZ9q

— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019

Much of the concern (in addition to the xenophobic remarks about the developers being Russian) probably stems from FaceApp using very broad language in its terms of service. Which means they have a lot of room to work with.

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.” [emphasis added]

This means that while you own the “user content” (i.e. your face), FaceApp has the license to do whatever they want to do with that “user content,” which is presumably improving the app’s algorithm, as this PhoneArena article speculates.

Your photo is probably being used to improve its algorithm.

간만에 디오니소스나 춤춰볼까? pic.twitter.com/i3nS6DCjzb

— 방탄소년단 (@BTS_twt) July 17, 2019

Since your photo goes up in a server, you don’t really know what kind of magic it goes through while there. It’s most likely that the app is improving its face-changing algorithms by learning from the photos people submit, which means it’s not using just stock photos available on the internet. It’s really the users’ photos.

Which the app actually indicates in its privacy policy: “[W]e may use information that we receive to . . . provide, improve, test, and monitor the effectiveness of our Service.”

Well, if they use your photos to improve their algorithm, what else can you do when you’ve already given them permission to use it when you clicked that upload button?

But FaceApp’s chief executive Yaroslav Goncharov disputes this in an interview with BBC News. “No, we don’t use photos for facial recognition training. Only for editing pictures.” I think we can breathe a bit now.

If you don’t log in, FaceApp doesn’t actually have identifying information on you.

I deleted FaceApp because of all the creepy stuff reported about it, but it definitely did not have access to my Facebook account. I didn’t ever have to log in at all. I just used the app. https://t.co/4R59F7OalU

— Doug (@moonwalkmcfly) July 17, 2019

In their statement, FaceApp’s team says that they “don’t have access to any data that could identify a person,” since the app’s features are accessible without logging in, so 99% of its users don’t actually send them identifying information. Of course, your face is still with them if you upload any photo, but they don’t actually have a name attached to it.

This means there’s actually little cause for concern.

Google software engineer Ivan Rodriguez tells The New York Times that FaceApp collects minimum identifiable data beyond the photos that users upload. “I mean, I definitely don’t have the resources the F.B.I. or even the F.T.C. have, but so far I haven’t found anything that’s alarming or that shows this app trying to hide functionality that can be harmful,” Rodriguez says.

Users can change their privacy settings.

If you do log in, you can always change your privacy settings, especially if you used your Facebook credentials to register to the app. This is nothing new, but many netizens forget to properly manage their privacy settings and end up panicking once the internet points out security concerns.

Users can request to remove their data from its servers.

While we’re all dragging FaceApp for taking our photos as their own, probably worth rereading Twitter’s Terms of Service: pic.twitter.com/OJ0p9SLc4A

— Lance Ulanoff (@LanceUlanoff) July 17, 2019

If you’re really just paranoid, FaceApp says that users can contact the developers and request that their data be deleted from its servers. Just submit your request through the mobile app “using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line.”

While the current evidence suggests that there’s no reason to worry, it’s better to start protecting yourself, especially online. The best thing to do is to be wary of the app, or any photo apps. 

Or actually, just be wary of the internet in general. 

Make sure your information is processed locally in your device. Know where your data is stored. Turn off your location. Reduce third party app permissions. Manage your privacy settings. Read whatever agreement you’re entering when you click that “I Agree” button (I know barely anyone does this, but at least try).

And maybe just limit what you share online.

Have you taken steps to protect yourself online? Let us know how below!