Privacy warning over FaceApp craze

The AI powered FaceApp has taken social media by storm over the past couple of days.

Facebook, Twitter and Instagram feeds have been bombarded with altered photos of people, showing how they would look as an oldie by the selfie-editing app.

Users can use one of the filters on the app to digitally ‘age’ their face.

There are several features of the app that can make you look not just older, but younger and even change expressions.

This is done with the help of artificial intelligence (AI). An algorithm takes the input picture of your face and adjusts it based on other imagery.

The app has been around for a couple of years, but has had a sudden resurgence on social media, thanks to a host of celebrities jumping on the bandwagon.

However, questions are now being asked whether the insanely clever app is merely being used to amuse family and friends or a dastardly plot by ‘the Russians’ to gather up your personal data?

The mild panic over the use of the viral app has done nothing to stem the constant stream of pictures – many using the #facechallenge hashtag.


Celebrities, including Gordon Ramsay and Drake have been rushing to upload their images and now more than 150 million people are owned by a Russian-based company. They are now free to use the data in whatever way they so wish.

The Russian company who own FaceApp, Wireless Lab, is based in St Petersburg and uploads users’ photos to the cloud — without making it clear to them that processing is not going on locally on their device.

Ariel Hochstadt, Security Expert from vpnMentor blog and Ex-Gmail marketing manager for Google told MailOnline that he warned people about apps like these before. 

He said: “Hackers many times are able to record the websites that people visit, and the activities they perform in those websites, but they don’t always know who those users are,’ he said.

“Imagine now they used the phone’s camera to secretly record a young gay person, that visits gay sites, but didn’t yet go public with that, and they connect his face with the websites he is using. 

They also know who this image is, with the huge DB they created of FB accounts and faces, and the data they have on that person is both private and accurate to the name, city and other details found on FB.”

The Russian government doesn’t even need to own the database it screens against the database from the app. 

Adding: “With so many breaches, they can get information and hack cameras that are out there and be able to create a database of people all over the world, with information these people didn’t imagine is collected on them.”


Illinois Institute of Technology Director of Information Technology, Louis McHugh, told CBS: Chicago: “You’re essentially giving away your fingerprint. “It could be leveraged to identity theft.”

He added: “By uploading your photos to this company, they literally own, perpetually, your photos. Forever.

 “If the Russian government came and said, ‘Give us all these three million people who uploaded their photos,’ they would comply with said demands and that would be the good start of a facial recognition software program.”

When you download the FaceApp onto your iOS device, a message pops up which says: “Cloud Photo Processing. Each photo you select for editing will be uploaded to our servers for image processing and face transformation”

Worryingly, the iOS app appears to be overriding settings if a user had denied access to their camera roll, after people reported they could still select and upload a photo — i.e. despite the app not having permission to access their photos.

There are concerns that data gathered from user photos to train facial recognition algorithms.

Even after the photos themselves are deleted this is possible because measurements of features on a person’s face can be extracted.

However, the app firm’s chief executive Yaroslav Goncharov said: “No, we don’t use photos for facial recognition training.

“Only for editing pictures.”


FaceApp is not new. It first hit the headlines a couple of years ago with its “ethnicity filters”.

These purported to transform faces of one ethnicity into another. This feature did not go down well with then public and fell out of favour.

The app doesn’t just ‘age’ people. It has a range of filters that can change a sad face into a smiling face and change your make-up.

People have raised concerns over its terms and conditions.

They argue that the company takes a cavalier approach to users’ data.

FaceApp maintains that most images were deleted from its servers within 48 hours of being uploaded.

The company also said it only ever uploaded photos that users selected for editing and not additional images.

App developer Joshua Nozzi tweeted that FaceApp was uploading troves of photos from people’s smartphones without asking permission.

However, a French cyber-security researcher found that no such bulk uploading was going on – FaceApp was only taking the specific photos users decided to submit.

FaceApp confirmed to the BBC that only the user-submitted photo is uploaded.


They have since issued this statement:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is in Russia, the user data is not transferred to Russia.”

Thousands of people are sharing the results of their own experiments with the app on social media.

But since the face-editing tool went viral in the last few days, some have raised concerns over its terms and conditions.

They argue that the company takes a cavalier approach to users’ data – but FaceApp said in a statement most images were deleted from its servers within 48 hours of being uploaded.

The company also said it only ever uploaded photos that users selected for editing and not additional images.

Scroll to Top