Shortly after the playful photo-transforming FaceApp went viral Wednesday as the most-downloaded smartphone app in America, a nationwide panic began to set in: Who was this shadowy Russian tech firm everyone had been sending their photos to? And what did they want with millions of people’s faces?
But some of the darkest fears of a Russian connection, researchers and technical experts said Thursday, appeared to have been overblown: The photos are stored on conventional servers run by American companies, and no evidence has surfaced that the company has ties to the Russian government. Technical analyses also found that the app does not, as some rumors stated, swipe a person’s entire cache of photos or open their data to unlimited surveillance.
Still, experts said, the FaceApp anxiety highlighted how quickly public attitudes about the Internet have changed amid a widespread reckoning over data privacy and election interference, with more people beginning to think twice about the personal data they freely give up – and the companies they decide to trust.
FaceApp allows anyone to morph their face into a vision of their future self, and social-media feeds quickly filled with computer-generated portraits marked with wrinkles and graying hair. But the app’s development by a largely unknown Russian firm, and its widely permissive rules for how people’s photos could be used, triggered alarms in Washington and beyond.
The Democratic National Committee on Wednesday sent an alert to 2020 presidential campaigns, state parties and others in the “Democratic ecosystem,” urging everyone to delete the app “immediately,” citing concerns that whatever the photo-morphing app was doing with people’s data wasn’t worth the risk.
Senate Minority Leader Charles Schumer, D-N.Y., followed shortly afterward with a letter to the FBI and the Federal Trade Commission, calling for officials to launch a national-security investigation into the app and potentially to take steps “to mitigate the risk presented by the aggregation of this data.”
“It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States,” Schumer wrote.
Burned by Russian hackers during the 2016 presidential race, the party has taken an aggressive stance toward cybersecurity, investing in nationwide education and training programs to boost people’s online defenses and prevent a damaging repeat.
But Wednesday’s alerts weren’t based on any intelligence reports of secret dangers, officials said. Instead, they were a reaction to the broader anxiety swirling across social media and news reports – and a proactive, if evidence-light, response over the possibility that another online fad could turn dangerous.
FaceApp’s terms of service grant the company a “perpetual, irrevocable, nonexclusive, royalty-free (and) worldwide” license to use people’s photos, names and likenesses – a wide-open allowance that some worried could erode people’s data privacy or control.
But experts said many other apps, from social-media giants like Facebook to pregnancy-tracking apps, carve out the same perpetual corporate rights to user data.
Joseph Jerome, policy counsel at the Center for Democracy and Technology, described the intense reaction to FaceApp as a “perfect storm” of colliding factors: a general distrust of Russian and Chinese tech companies driven by political turmoil; heightened concerns over the use of facial data; and growing worries over a lack of privacy protections online.
“This is not the exception. This is the rule,” Jerome said of the app’s terms of service. “Privacy policies are not readable. They are broad (and) they don’t actually tell you what companies do and don’t do with your information.”
Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, said the panic around FaceApp reflects a broader frustration from people about how their data can be misused, in large part because federal privacy laws can do little against invasive terms of service or privacy policies.
Elizabeth Potts Weinstein, a small-business law attorney in Silicon Valley, told The Washington Post that she also worried about where that user data would go if the company’s fortunes changed.