FaceApp — the photo-transforming smartphone app that recently went viral after Drake, LeBron James, the Stranger Things cast, and many more shared AI-aged selfies on social media — has had a hell of a week.
On Wednesday, the Democratic National Committee sent a notice to 2020 presidential campaigns, urging them to delete the app “immediately” over concerns that there was no way to know what FaceApp was doing with the data. Senate Minority Leader Chuck Schumer wrote a letter to the FBI and the Federal Trade Commission, asking for an investigation. FaceApp “could pose national security and privacy risks for millions of U.S. citizens,” he cautioned. And moms the world over texted their kids to delete the app, just in case.
To be sure, FaceApp’s terms of service are incredibly broad. Its permissions explicitly claim a right to a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid” license once users upload their photos to the app. Adding to the public anxiety, FaceApp is based in St. Petersburg — and Russia is a country many folks automatically associate with US election interference.
In the days since the app took off, however, the consensus emerging from security researchers has been that the app’s permissions are not out of step with the practices of most tech firms. They also have concluded that the heightened panic was not based on the evidence, but rather anxiety after multiple cataclysmic data breaches in recent years that have made people proactively — and reflexively — protective of their privacy.
According to FaceApp CEO Yaroslav Goncharov, the app’s terms of service and permissions are nothing to panic over, because the company isn’t doing anything nefarious with your data.
“We only upload a photo selected for editing,” Goncharov told BuzzFeed News. “You can quickly check this with any of the network-sniffing tools available on the internet.”
We took Goncharov’s claim and ran the tests. Now we’re publishing the results so that you can see for yourself.
The tests pointed to the same conclusion — no indication that users are giving up data amounting to more than a single photo of one face at a time.
We installed FaceApp on two phones — one running Google’s Android operating system and the other running Apple’s iOS — and used the open-source packet analysis tool Wireshark to “listen” to the traffic while the app was in use. We tested it both without permissions to access photos, and with permission to access photos.
The result: We didn’t see any suspicious increase in the size of outbound traffic that would indicate a leak of data beyond permitted uploads. (The above graphic is from our Android phone test, but the iOS test produced a similar outcome.)
We uploaded four pictures to FaceApp, which corresponds with the four spikes in the graphic, with some noise at the end after the fourth upload. The graphic also shows that each upload takes about the same amount of time to transfer data.
Theoretically, FaceApp could send your photos slowly without drawing attention, so we also checked to see what the app was doing while running in the background in iOS. With FaceApp running in the background, the outbound traffic on our iPhone was negligible — 5 MB in 10 minutes. After about an hour, our iPhone had pushed just 43 MB of data. This amount is what would be expected if FaceApp weren’t uploading users’ camera rolls in the background, but would include outbound data from apps that weren’t just FaceApp, like background refreshes from Twitter, Gmail, and others.
Two security researchers with whom we shared this information said our results were consistent with their own tests. Will Strafach, an iOS researcher and the CEO of Guardian Firewall, told BuzzFeed News that he had done his own experiment after the knee-jerk warnings that FaceApp was uploading its users’ entire camera rolls went viral. Still, it’s prudent to be vigilant, he said, especially if it leads to someone checking the how the app uses the data. “Even if the initial claim was wrong, it started with someone asking about it,” he said. “I think a good takeaway is that [we shouldn’t] be afraid to ask questions of these apps.”
“People freaked out because the company behind FaceApp is Russian,” French security researcher Baptiste Robert said. “What I’m trying to say is: It’s fine to be suspicious, but don’t accuse without any proof, and here we don’t have the technical proof to be yelling about a scandal.”
FaceApp claims that photos are stored on servers run by Amazon and Google, and that no user data goes back to its research and development team in St. Petersburg. The servers we were able to see were from Amazon Web Services and Google Cloud Platform, located in Ohio; Portland, Oregon; Mountain View, California; and Singapore — although there is a possibility that some data is hosted on Russian servers beyond what we can observe. (Fun fact: Whoever set up the subdomains at FaceApp is a big Game of Thrones fan, naming them after the characters Tyrion, Arya, Bran, and Jaime, among others.)
There’s one big caveat to add: There’s nothing that would stop FaceApp from changing its behavior later. It is possible that FaceApp could add data snooping in the future, given its broad terms of service.
For the most part, though, the viral story of FaceApp tells us that we all should be more aware of what permissions we give applications. We’re far too quick to jump into something fun without thinking about the implications of giving up our data.
But, best we can tell, there is nothing to indicate you are giving up more than a single photo of your face at a time to a company that we know very little about. ●