FaceApp had barely shot to the top of the charts before serious questions regarding the app’s privacy policies and any connections to the Russian government began to arise. As we reported yesterday, the app, which uses artificial intelligence to digitally age the person in a selfie that is uploaded via the app, began attracting privacy concerns due to its vague privacy policy and a terms of service that appears to suggest any photo you upload via the app becomes the property of FaceApp and the company can do whatever they want with your photo or your own likeness.

While many photomorphing apps like FaceApp appear to be a free service offered for fun, such apps are usually a way for artificial intelligence companies to gather huge, free datasets from the app’s users to better train their AI. It is that AI and its datasets which holds the actual value for the company, not the app itself.

This fact, along with the fact that FaceApp is a Russian-based company and that in late 2018 it moved to the Skolkovo Innovation Center, which is run by the Russian government, led to those initial privacy concerns growing into national security concerns yesterday.

NEW: Late in 2018, #FaceApp moved to the Skolkovo Innovation Center run by the Russian government. pic.twitter.com/u8LBsHpGbQ

— Forensic News (@forensicnewsnet) July 17, 2019

Yesterday Senate Minority Leader Chuck Schumer called on the FBI and FTC to investigate any potential national security and privacy risks the app opens up. From Schumer’s letter calling for a probe:

Furthermore, it is unclear how long FaceApp retains a user’s data or how a user may ensure their data is deleted after usage. These forms of “dark patterns,” which manifest in opaque disclosures and broader user authorizations, can be misleading to consumers and may even constitute a deceptive trade practices. Thus, I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it.

In particular, FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments.

BIG: Share if you used #FaceApp:

The @FBI & @FTC must look into the national security & privacy risks now

Because millions of Americans have used it

It’s owned by a Russia-based company

And users are required to provide full, irrevocable access to their personal photos & data pic.twitter.com/cejLLwBQcr

— Chuck Schumer (@SenSchumer) July 18, 2019

In response to the increasing alarm over its privacy policies and associations, FaceApp told TechCrunch that no user data is “transferred to Russia” even though its R&D team is based there. The company says it uses AWS and Google Cloud to process and host uploaded photos.

The company also says that “Most images are deleted from our servers within 48 hours from the upload date,” without specifying how many images they retain after the 48-hour mark. They also say they do have a process in place for users to ask that all their data is deleted from FaceApp’s servers, though that process is in dire need of streamlining. You can see FaceApp’s full statement below:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696).  We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.