Everyone's talking about FaceApp, the app that can show you what you look like when you're old. People love the effects, but they're also concerned about how the Russian developer behind the app might use the pictures that are being uploaded.
FaceApp originally didn't tell people it was uploading the pictures to its servers, which raised concerns. But it started to alert users on Thursday.
Here's the latest on what's going on with FaceApp and what you need to know.
People are worried about FaceApp largely because the developer, Yaroslav Goncharov, is based in Russia.
Given Russia's meddling in the 2016 election, people have a right to be concerned about what it might mean if millions of us are uploading our selfies to foreign servers. After all, pictures are often used for fake profiles or for identity theft.
Still, there's no evidence yet that Goncharov is anything more than a Russian developer making a fun app. But, even if there is no ill intent, there are very valid fears that photos uploaded to the servers could be shared with foreign governments.
CNBC spoke with FaceApp on Wednesday. The company said the application only uploads the picture you want to edit, and it only holds most pictures for 48 hours. While there's no proof the photo is actually deleted, security experts like Will Strafach, who goes by Chronic on Twitter, have confirmed that just the picture — and not your whole photo library — is uploaded when you use the app:
Yes, FaceApp owns that photo after you upload it, but other companies, like Snapchat, have similar terms when you post public images and video to its app. But we only have the developer's word to go by, and there's no way for consumers to ask that their pictures be deleted permanently.
And that's what has a lot of people worried.
Sen. Chuck Schumer on Wednesday sent a letter to the FBI and the FTC expressing his concerns with FaceApp, noting that he's worried it would "post national security and privacy risks for millions of U.S. citizens."
"In particular, FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments," Schumer said in the letter. "As FBI Director Wray himself pointed out earlier this year, Russia remains a significant intelligence threat. It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States."
Schumer has a point. Even if Goncharov just wants to make a fun app, what's to stop the Russian government from asking him to hand the data over, or him providing it willingly?
Schumer said he wants the FBI to "assess whether the personal data uploaded by millions of Americans onto FaceApp may be finding its way into the hands of the Russian government, or entities with ties to the Russian government. If so, I would urge that steps be immediately taken by the FBI to mitigate the risk presented by the aggregation of this data."
He also called on the FTC to make sure there are safeguards in place for Americans and "government personnel and military service members from being compromised" and, if not, the FTC should let Americans know of any risks.
The Democratic National Committee is also concerned.
CNN reported Wednesday that the DNC sent an email to all 2020 presidential campaigns with a warning not to use FaceApp. The committee's national security officer, Bob Lord, reportedly said that "it's not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks."
"If you or any of your staff have already used the app, we recommend that they delete the app immediately," Lord said, according to CNN, also noting that he and other security experts have "significant concerns about the app having access to your photos."
Russian operators were able to hack into the DNC network ahead of the 2016 election using several techniques, including phishing attempts, which lure people into giving up their passwords by logging into fake sites or servers that look real.
We're all right to be worried about our photos being uploaded to a server, especially since we have no control over deleting them after that happens. And you shouldn't use this app if you're worried that your picture might be saved for any period of time, perhaps longer than 48 hours.
Schumer's fears are also valid. While there's no indication there are ties to the Russian government now, what's to stop the Russian government from asking for this database later? The reality is, when something is "free" there's usually a catch. With apps and the internet, that catch is often your privacy.
Goncharov did not immediately respond to a request for comment on Schumer's and the DNC's concerns.
Disclosure: CNBC parent NBCUniversal is an investor in Snap.