But. The company developing FaceApp is based in Russia. And this means that, as per Russian legislation, all data passed to the company, can be accessed by Russian security and military services, if they want to.
Old Kurt Cobain - FaceApp from r/interestingasfuck
Kurt Cobain via FaceApp's ageing filter
So, does the app upload all of your images and data to Russian servers? Apparently, the answer is no. Sure, the app asks for your permission to access your phone's images, but it only accesses the one you select for manipulation.
A security researcher has tested what the app actually sends to the Internet and where the data goes to. The conclusion is that all the uploads are being sent to Google or Amazon -owned cloud servers, located in U.S., Australia or Europe, depending on applied filter and user's own location. The actual image manipulation with filters is being done on servers, which then sends the processed image back to the user's smartphone, once finished.
HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that.-- Will Strafach (@chronic) July 17, 2019
Cloud services are being leased by the FaceApp.io, the company who owns the app. Of course, the company could further send the images to its own servers, located in Russia, but that cannot be verified, as the data flow from the phone ends when the data reaches Google or Amazon server.
Why to send the images to servers at all?
Applying filters as good as those used by FaceApp require certain level of computing power. While the current breed of $1000+ phones could probably do the processing directly at the user's phone, majority of currently sold and used phones are simply too slow for this. It wouldn't be a very nice user experience, if applying a filter to a single image would take anywhere between 5 minutes and 4 hours to process.
Thus, the images must be uploaded to servers in order to make the process and smooth as possible, for majority of users.
Forbes has reached out to the FaceApp.io to ask how they handle the sensitive data. According to FaceApp founder, they store the uploaded images for appx. 48 hours on the cloud servers. And they do that storing just to avoid unnecessary uploads: users want to apply various filters to their images and uploading the same image over and over again just to see how it changes with another filter would be bit pointless.
Company also says that if user wants to erase of his/her data, they can do so by contacting the developer via the app's contact form.
So, no, FaceApp wont upload all your images to Russia once you grant the app permission to access your images. It simply uploads the image you selected to upload, processes it in cloud servers (hosted in Western countries) and downloads the result back from the same servers.
But yes, if Russian authorities would want to get the data you have uploaded, they most likely would have the means to do so.
Then again, people share their photos en masse via Instagram et al, where anyone - including the bad guys - could simply download them and build a database based on those images.
FaceApp is a free app available for both, Android and iOS.
Written by: Petteri Pyyny @ 18 Jul 2019 8:41