The world has suddenly woken up and is starting to question FaceApp, a mobile app that has been around since 2017, that uses filters and artificial intelligence to edit photos of people and let you swap genders or make someone smile.
The policy says it can also share users' details with third-party partners for targeted advertising. While the agreement notes the app will not rent or sell your information to third parties, the policy does not specify if businesses legally part of the same group of companies as FaceApp, or companies that join the group in the future are considered third parties.
Celebrities such as Miley Cyrus, Mindy Kaling, Kim Kardashian, the Jonas Brothers and Carrie Underwood are posting their aged faces online using the #faceappchallenge tag, and regular folks are doing it, too. And therein lies the problem. They're doing it from home, they're doing it from work, and they're likely doing it from company-owned devices.
Some of the security concerns are how and where the facial images are stored.
FaceApp CEO in a statement said "FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date."
It also said, "We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using 'Settings->Support->Report a bug' with the word 'privacy' in the subject line. We are working on the better UI for that. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Apparently, this is one way where organisations now 'bypassed without violating the EU's GDPR laws' using new and different ways to couch data collection in 'fun' or viral-sharing' experiences.