The Washington PostDemocracy Dies in Darkness

Schumer calls for investigation into FaceApp over security concerns and Russia ties

FaceApp has drawn swift scrutiny for how it accesses and stores users' data. (Kirill Kudryavtsev/AFP/Getty Images)

Warning of national security and privacy risks for millions of Americans, Senate Minority Leader Charles E. Schumer (D-N.Y.) urged the FBI and the Federal Trade Commission to investigate FaceApp, the viral age-defying photo program that has raised fresh concerns about facial recognition and data protection.

In a Wednesday letter, Schumer called on the FBI to assess whether personal data uploaded into FaceApp “may be finding its way into the hands of the Russian government” or groups associated with Moscow. FaceApp’s developers are headquartered in St. Petersburg, and on Wednesday, the Democratic National Committee warned presidential campaigns against using FaceApp because of its Russia roots.

Schumer said that FaceApp’s origins “raise questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments.”

“It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States.”

(Both the FBI and the FTC declined to comment on the letter.)

You downloaded FaceApp. Here’s what you’ve just done to your privacy.

FaceApp lets users upload photos of their faces and automatically edit them to look older. Celebrities such as Drake, LeBron James and the Jonas Brothers all posted edited snapshots on social media showing their graying hair and wrinkling skin, as did millions of other users across the country. Since it was launched in 2017, more than 80 million people have edited their photos through FaceApp.

But beyond its superficial entertainment, FaceApp drew questions about how it collects and stores users’ headshots. FaceApp uploads photos to the “cloud” of servers run by Amazon and Google. And deleting the app doesn’t make much of a difference for how the data is used. The app’s terms of service say users grant the company a “perpetual, irrevocable ... (and) worldwide” license to use a user’s photos, name or likeness.

The Post's Geoffrey Fowler has five questions you ought to ask about any app or service, including FaceApp, that wants something as personal as your face. (Video: The Washington Post)

Schumer wrote that he was concerned both about the security of the data FaceApp aggregates and users’ awareness about who could it. Schumer warned that it isn’t clear how long FaceApp retains a user’s data or how users can make sure their data is deleted.

In an interview with The Washington Post on Tuesday, FaceApp CEO Yaroslav Goncharov said FaceApp deletes “most” of the photos from its servers after 48 hours. Goncharov described a complicated process for how people can request that their data be deleted from FaceApp’s servers and told The Post that FaceApp is “planning to make some improvements” about posting the information to its website.

FaceApp went viral with age-defying photos. Now Democratic leaders are warning campaigns to delete the Russian-created app ‘immediately’

Schumer also asked the FTC to consider whether there are sufficient safeguards in place to prevent Americans’ privacy from being compromised. If not, Schumer suggested that the public be alerted to the “risks associated with the use of this application.”

“In the age of facial recognition technology as both a surveillance and security use, it is essential that users have the information they need to ensure their personal and biometric data remains secure, including from hostile foreign nations,” Schumer wrote.