What you need to know about viral FaceApp's privacy policy

You might want to think twice before you use viral selfie app FaceApp.

The two-year-old app, which lets you alter photos of your face, once again shot to the App Store's top spot this week after celebs and others began sharing doctored photos of themselves. Like some of Snapchat's popular face filters, you can change photos of yourself so you appear older or younger, or "swap" genders.

It's a familiar gimmick at this point – and not one that's new for FaceApp— but the app has gone viral all the same. It's currently one of the most downloaded apps for both iOS and Android, as #faceappchallenge posts have taken over social media.

But with the sudden surge in popularity have come new questions about privacy, and whether FaceApp is doing enough to protect users' data.

Some have questioned why the app, which has been out for years, suddenly went viral all over again seemingly overnight. Others have pointed to the fact that the app requires a data connection, suggesting that might indicate the app is surreptitiously grabbing users' photos. (Multiple security researchers have said there is no evidence that the app is sweeping up entire photo libraries.)

And, in some corners of Twitter, people have pointed to the app's Russian origins -- FaceApp is owned by a company, Wireless Lab, that's based in St. Petersburg -- as a sign of something nefarious.

While there's as yet no evidence to support these claims, some other concerns are less far fetched.

In a post-Cambridge Analytica world, in which thousands of people had their personal data misused because of a seemingly innocuous personality quiz, people are rightfully wary of the numerous ways their data could be accessed or exposed by an app developer.

And we don't need to look far to find examples of photo apps taking their users' photos for purposes far beyond what's required for their own apps.

Earlier this year, NBC reported that Ever, a popular photo storage app, was using its users' photos to train facial recognition software it then sold to law enforcement. IBM was also found to be using Flickr photos to train facial recognition applications without permission from those in the photos. And last year, PopSugar's viral "twinning" app inadvertently leaked data.

FaceApp's privacy policy doesn't exactly offer many assurances, either.

In addition to photos generated via the app, FaceApp's privacy policy states that it also collects location information and information about users' browsing history. "These tools collect information sent by your device or our Service, including the web pages you visit, add-ons, and other information that assists us in improving the Service," the policy says.

And though it states that "we will not rent or sell your information to third parties outside FaceApp," it explicitly says that it shares information with "third-party advertising partners," in order to deliver targeted ads.

FaceApp CEO Yaroslav Goncharov has not yet responded to questions about the company's privacy policy. But this type of privacy policy isn't necessarily unusual, though it is definitely vague. It's also yet another example of how tech companies quietly vacuum up information about their users in ways that aren't immediately clear.

It also doesn't help that FaceApp doesn't exactly have the best track record. The app was widely criticized for "racist" selfie filters that lightened users' skin tones in 2017, soon after it launched. A few months later, the app sparked even more outrage when it unveiled a series of "ethnicity change" filters.

If anything, the latest controversy about the app's privacy practices is a sign that we might finally be starting to learn from Cambridge Analytica and so many other data privacy nightmares. Yes, the viral app of the moment might be irresistible, but there are reasons to think twice before giving up access to your information.

UPDATE: July 17, 2019, 9:35 a.m. PDT FaceApp CEO Yaroslav Goncharov provided the following statement:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using "Settings-> Support-> Report a bug" with the word "privacy" in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don't log in; therefore, we don't have access to any data that could identify a person.

5. We don't sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we'd like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696).  We don't do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.