FaceApp's viral run raises question about app access to photos

What you need to know

  • There have been multiple reports about FaceApp's intrusive photo sharing practices.
  • Most have been unsubstantiated, but it does raises the question about the access these apps have.
  • Even when a person has not allowed access to an app, they can still go into your library, though it only sees the photo you select.
  • FaceApp has responded saying it doesn't sell its data to third parties and users can request their data be deleted.

The popular photo editing app FaceApp went viral once again this week creating an onslaught of old people photos on social media. However, it also raised the question about the access apps have a person's library after reports surfaced about the app uploading entire photo libraries.

According to a report from TechCrunch, this has not been substantiated, but there are other items worth considering.

In this current wave of virality, some new questions are floating about FaceApp. The first is whether it uploads your camera roll in the background. We found no evidence of this and neither did security researcher and Guardian App CEO Will Strafach or researcher Baptiste Robert .

Other users questioned why the app had access to their iOS libraries even though they had set access to Never. That seems to stem from an Apple API introduced a few years ago.

While the app does indeed let you pick a single photo without giving it access to your photo library, this is actually 100% allowed by an Apple API introduced in iOS 11 . It allows a developer to let a user pick one single photo from a system dialog to let the app work on. You can view documentation here and here .Because the user has to tap on one photo, this provides something Apple holds dear: user intent. You have explicitly tapped it, so it's ok to send that one photo. This behavior is actually a net good in my opinion. It allows you to give an app/one photo/instead of your entire library. It can't see any of your photos until you tap one. This is far better than committing your entire library to a jokey meme app.

The article goes on to suggest adding an option that acknowledges a person's decision to select Never, and not even a one-time feature should get through this choice.

This issue is bound to come up more as privacy and company access to information becomes an even more pressing issue as we are more immersed in technology and services. And with the countless data hacks, it's something users should be concerned about.

FaceApp did respond to the ongoing issue saying that it does not sell its data to third parties and users can request their data be deleted. Here's its full statement:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

  1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
  2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
  3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using "Settings->Support->Report a bug" with the word "privacy" in the subject line. We are working on the better UI for that.
  4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don't log in; therefore, we don't have access to any data that could identify a person.
  5. We don't sell or share any user data with any third parties.
  6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we'd like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don't do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.

Danny Zepeda