Senate Minority Leader Chuck Schumer (D-N.Y.) has called for a federal investigation into FaceApp, saying the Russian-operated mobile application "could pose national security and privacy risks for millions of US citizens."

FaceApp for iOS and Android has been around since 2017 but just recently went viral as celebrities and many other people used it to alter photographs to make themselves look 20 years older. This has raised privacy concerns, as Americans are uploading photographs and device-related data to a service operated by a company based in Russia. The image alterations performed by FaceApp—which calls itself an "AI Face Editor"—are done on the company's servers instead of on user devices.

The app now warns users that "Each photo you select for editing will be uploaded to our servers for image processing and face transformation."

That prominent warning apparently didn't exist until an update to the app this week. FaceApp did already warn users about the photo uploading in its terms of use, which also say that users "grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use" their data.

Sen. Schumer called for an investigation yesterday in a letter to the FBI and Federal Trade Commission. Schumer wrote:

FaceApp uses artificial intelligence to alter a user's photos to look younger or older or possess a different gender. However, in order to operate the application, users must provide the company full and irrevocable access to their personal photos and data. According to its privacy policy, users grant FaceApp license to use or publish content shared with the application, including their username or even their real name, without notifying them or providing compensation. ... In particular, FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of US citizens to third parties, including potentially foreign governments... Given the growing popularity of FaceApp and these national security and privacy concerns, I ask that the FBI assess whether the personal data uploaded by millions of Americans onto FaceApp may be finding its way into the hands of the Russian government or entities with ties to the Russian government. If so, I would urge that steps be immediately taken by the FBI to mitigate the risk presented by the aggregation of this data.

Schumer further asked the FTC to "consider whether there are adequate safeguards in place to prevent the privacy of Americans using this application, including government personnel and military service members, from being compromised." If there aren't adequate safeguards, Schumer said the FTC should warn the public "of the risks associated with the use of this application or others similar to it."

FaceApp has gotten high ratings from users on both the iPhone and Android app stores. It's free, but there's a premium version for $4 a month or $20 a year that provides extra filters and eliminates ads and watermarks.

FaceApp: No storage in Russia

Wireless Lab, which operates FaceApp, denies that it stores user data in Russia.

"Even though the core R&D team is located in Russia, the user data is not transferred to Russia," the company said in a lengthy statement to TechCrunch. The company said it uses servers hosted on the Amazon and Google cloud services.

FaceApp also told TechCrunch that it does not "sell or share any user data with any third parties," that its app only uploads photos that are selected by users for editing, and that "most images are deleted from our servers within 48 hours from the upload date." FaceApp said it stores photos temporarily to optimize "performance and traffic," specifically to ensure "that the user doesn't upload the photo repeatedly for every edit operation."

The company also said it honors requests from users to delete all their data but noted that its "support team is currently overloaded."

"For the fastest processing, we recommend sending the requests from the FaceApp mobile app using 'Settings->Support->Report a bug' with the word 'privacy' in the subject line," the company said.

Ars contacted FaceApp and will update this story if we get any additional response.

If FaceApp's statement to TechCrunch is all true, the privacy risks it poses may not be much different from those raised by many other apps, or by Americans' extensive use of Facebook. But FaceApp should have made it clearer to users right away that it was uploading pictures, instead of waiting for controversy to issue a prominent warning. Ideally, the controversy would remind smartphone users that they shouldn't join in on every viral craze that requires handing over data to an app maker they've never heard of.

Update: FaceApp responded to Ars, saying that "the AI technology we use in our filters requires advanced calculations on a server, which makes [it] impossible to edit a picture on a smartphone." FaceApp also said that uploaded images "are totally anonymous and stored encrypted," and that "they are processed automatically by computers only."