The Democratic National Committee on Wednesday warned presidential campaigns against using the viral face-transforming app FaceApp, citing the software’s Russian developers. It urged campaign staff to “delete the app immediately.”
The app allows users to upload a photo of their face and have it automatically edited to look like their future self, replete with wrinkles and graying hair – a popular trick that filled the social media feeds of millions of users, including celebrities such as Drake, LeBron James and the Jonas Brothers.
But concerns over how the photos could potentially be misused by the company, whose developers are headquartered in St. Petersburg, raised alarms among many users as well as DNC officials, who urged 2020 campaign staff and “people in the Democratic ecosystem” not to use the app.
“This novelty is not without risk: FaceApp was developed by Russians,” DNC security chief Bob Lord wrote in the alert to campaigns, which was first reported by CNN. “It’s not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks. . . . If you or any of your staff have already used the app, we recommend that they delete the app immediately.”
The warning also said it applied to “people in the Democratic ecosystem.”
FaceApp has altered photos for more than 80 million users since its 2017 release, and allows smartphone users to change a facial photo’s age, gender or hairstyle, often with convincing results. Like similar photo-editing features in Instagram and Snapchat, the app uses artificial-intelligence software to automatically edit the photos in seconds.
The app is owned by Wireless Lab, though it has set the state or federal courts in Santa Clara County, California, as the jurisdiction for the settlement of any legal disputes, according to its terms of service.
Founder and CEO Yaroslav Goncharov said in a statement to TechCrunch that FaceApp’s research-and-development team is based in Russia, but that no user data is transferred into the country, and that “most images” are deleted from company servers within 48 hours.
DNC officials were targeted by Russian hackers during the 2016 race and have invested heavily in cybersecurity measures to prevent a similar attack.
The app uploads people’s photos to the “cloud” of servers run by Amazon and Google, the company said, meaning deleting the app would likely make no difference to how the photos are used. In its privacy terms, the company said it can collect any of a user’s uploaded photos as well as data on the user’s visited websites and other information.
If a user deletes content from the app, FaceApp can still store and use it, according to its privacy terms. FaceApp also says it can’t guarantee your data or information is secure, and that the company can share user information with other companies and third-party advertisers, which aren’t disclosed in the privacy terms.
The company said in its statement that users who want to remove their data from FaceApp can make the request through the app by clicking “Settings,” then “Support,” then “Report a bug” with “privacy” in the subject line. “Our support team is currently overloaded, but these requests have our priority,” the company’s statement read.
FaceApp’s terms of service say it can share information with a government agency if a subpoena, court order or search warrant is issued and the company has “a good faith belief that the law requires” it to do so. This information can also be shared with any country that FaceApp maintains facilities in, including Russia.
People who use the app also “consent to the processing, transfer and storage of information about you in and to the United States and other countries, where you may not have the same rights and protections as you do under local law.”
Baptiste Robert, a French security researcher who uses the pseudonym Elliot Alderson, said he looked into the traffic between FaceApp on his phone and the Internet to understand how the network operates for users.
He found that only photos that are uploaded and modified are saved to the server, not the user’s entire camera roll. But he also said he didn’t think the app was compliant with the European Union’s new privacy rule, the General Data Protection Regulation (GDPR).
“When you upload your photo, you have no idea how your photo is used,” Robert said, noting that the app’s terms and conditions are vague. “Don’t rush to use this application, because you don’t know how your data is used after that.”
Kate O’Neill, a tech consultant, said FaceApp’s privacy terms are still murky, despite the company’s clarification.
“People should be savvy about when apps and memes and games are encouraging everyone to engage in the same way,” she said. “It puts the data in a vulnerable state that becomes something that can train facial recognition and other kinds of systems that may not be intended the way people are using it.”