FaceApp, the Russian-based app that allows users to alter their face through the use of AI, recently resurfaced with a new ability to change the age on a photo. Unsurprisingly, the app’s creators were discovered to be harvesting the metadata created by these photos, just as they did the last time the app went viral.
As scary that may sound, fret not. Several security researchers point out that the app is not collecting seemingly aged looks and sending them back to Russia for some dastardly or scary cloning project. For a start, a French researcher found that the FaceApp only took photos you want to be transformed, and sent them to the company’s servers.
Following up with that last point, those servers are based not in Russia, but in the US. To be clear, FaceApp uses servers based in Amazon data centres, which again, are based in the US. The company also has other servers hosted by Google, but even those are located in countries such as Ireland and Singapore.
The rub of FaceApp’s face altering technology lies in how the app could simply process the image on your device, rather than actually perform the action on an outside server. A point that one researcher says that “many folks are not cool with that”.
There’s also the issue over how FaceApp requiring the permission to access any photos on a user’s phone. But to be fair, so do the majority of apps on both iOS and Android devices. Further, because FaceApp’s privacy policy is GDPR compliant, the company reserves the right to transfer data obtained from the app to any location where it has a facility.
Their Privacy Policy is not remotely GDPR compliant. It says that your data can be transferred to any location where they have a facility … which means Russia.
— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019
In response to security fears, FaceApp’s founder, Yaroslav Goncahrov, said that the user data obtained from the photos do not get transferred to Russia. He says that his company only uploads a photo “selected by a user for editing” and that they “never transfer any other images from the phone to the cloud”. He also allayed fears, saying that most of the images in the company’s servers are deleted within 48 hours from the upload date.
(Source: Forbes, The Verge, TechCrunch)
