FaceApp, a Russia-based app that applies filters to photos, is having another moment in the spotlight this week. The app first went viral in 2017, but this time it’s catching on because of a filter that makes users look older or younger. As with the last viral moment, however, users have been surprised to learn that the app’s creators are harvesting metadata from their photos.

Christ, I don’t wanna get old pic.twitter.com/uf1oDguvd8 — Tom Warren (@tomwarren) July 16, 2019

Close research suggests FaceApp isn’t doing anything particularly unusual in either its code or its network traffic, so if you’re worried about FaceApp, there are probably a bunch of other apps on your phone doing the same thing. Still, the conversation does bring attention to standard tech practices that might be more invasive than users realize.

To use the app, iOS users select specific photos they want to put filters on, and there’s no evidence of the app downloading a user’s entire photo roll. The company then uploads the specific images to its servers to apply the filter. FaceApp never spells out that it’s downloading the filtered photo, but it’s not unusual, as iOS researcher and CEO of Guardian Firewall Will Strafach noted on Twitter.

HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that. — Will Strafach (@chronic) July 17, 2019

Theoretically, FaceApp could process these photos on the device itself, but Yaroslav Goncharov, an ex-Yandex exec and CEO of the Russian company that created the app, previously told The Verge that photos uploaded to the app are stored on the company’s servers to save bandwidth if several filters are applied, and that they get deleted not long after. In a statement to TechCrunch, FaceApp said it accepts requests from users to remove their data from its servers. The team is currently “overloaded,” but users can send the request through Settings > Support > Report a bug with the word “privacy” in the subject line.

Of course, we don’t know if FaceApp actually deletes the photo data, but it’s worth remembering that we upload photos of our faces to companies’ servers all the time. The only difference in this case is that unlike Facebook or Google, FaceApp is Russia-based, and thereby inherits ill will because of Americans’ perception of the country. FaceApp says no user data is transferred to Russia. Researcher Jane Wong also publicized her findings around FaceApp and noted that she wished users could delete their own data, although it now seems they can issue a request.

I am not seeing much fishy in FaceApp

Photos are uploaded to FaceApp's servers on AWS w/ authorization. Not much info is being sent to FaceApp's servers other than user metrics (e.g. ui interactions)

I just wish there's an option for users to delete their photos from the server — Jane Manchun Wong (@wongmjane) July 17, 2019

Another potential privacy issue people have taken note of is that the company’s privacy policy incorporates broad language that allows it to use people’s usernames, names, and likeness for commercial purposes. Lawyer Elizabeth Potts Weinstein also says the policy isn’t GDPR-compliant. Still, while this isn’t great, users often agree to wide-ranging policies that specifically use abstract language (a great way to avoid a lawsuit!). And they have no say in the matter; either they use the service or they don’t. FaceApp says it doesn’t sell user data to third parties.

Their Privacy Policy is not remotely GDPR compliant. It says that your data can be transferred to any location where they have a facility ... which means Russia. — Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019

FaceApp might not be a major privacy concern, but as with any app, there are always trade-offs. If you want to see what you could look like at 80 years old, you have to forfeit your photo, which includes your face. As some have pointed out, simply basing the app in Russia could expose your photos to the country’s security services. Similar claims could be made for apps based in China or even the US, but it doesn’t make the exposure any less troubling. Still, the FaceApp conversation is a worthy one to have; people should think about how their data is being used before sharing it with an unknown app.

Update 7/17, 2:16 PM ET: Updated to reflect FaceApp’s statement to TechCrunch.