But at least some of those concerns are overblown, according to several security researchers.
"The info sent by the application was only my device model, my device ID and Android version, which is very limited information and is quite common for an application," said Baptiste Robert, a French security researcher who specialises in smartphone apps that abuse user data.
Robert did find one other piece of data uploaded to FaceApp servers without user consent, though: the photograph that a user wanted to manipulate.
The program says that its three age filters — two for younger-looking images, one for older — use "artificial intelligence" to produce plausible alterations to existing photos. Celebrities who have shared such manipulated images of themselves include Drake, Gordon Ramsay, the Jonas Brothers and Dwyane Wade.
The company did not respond to multiple requests for comment, but it explained how the software works in a lengthy statement published Wednesday by TechCrunch. When a user of the app selects a photograph to alter, that image — and only that image — is uploaded to FaceApp servers for processing, it said.
"We might store an uploaded photo in the cloud," the statement read. "The main reason for that is performance and traffic: We want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date."
FaceApp does not sell or share user data with third parties, the company said, though it reserves the right to share some information as outlined in its privacy policy. According to that agreement, the app uses "third-party analytics tools to help us measure traffic and usage trends."
Even though its research-and-development team is based in Russia, the company said that user data was not transferred there. Photo processing is performed on servers operated by Amazon and Google, FaceApp's founder, Yaroslav Goncharov, told TechCrunch.
In a letter Wednesday, Senator Chuck Schumer, D-N.Y., asked both the FBI and the Federal Trade Commission to investigate the app, citing "serious concerns" about security, data retention and transparency.
"It would be deeply troubling if the sensitive personal information of US citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States," he wrote.
But Ivan Rodriguez, a software engineer at Google who in his free time investigates suspicious iOS apps, including FaceApp, said he found little cause for concern. Like Robert, he found that the app collected little identifiable data beyond the photos users chose to alter.
"I don't understand where these 'fears' come from, other than the parent company being based in Russia," he said in a Twitter exchange. "I mean, I definitely don't have the resources the FBI or even the FTC have, but so far I haven't found anything that's alarming or that shows this app trying to hide functionality that can be harmful."
Like many other applications, FaceApp uses services provided to developers by Facebook and Google, known as Application Programming Interfaces, according to Robert. And although he was disappointed by the rapid spread of misinformation about what the program collected, he said, he was pleased by the impulse behind it.
"I'm quite happy, to be honest, because people are starting to be interested by this kind of question," Robert said, "and they start to understand that, OK, maybe there are some privacy concerns."
Still, he noted, such concerns often take a back seat to novelty. "The cool factor is working a lot," he said.
Robert and two other researchers who investigated the issue all said they had found no evidence on Apple or Android phones that FaceApp was secretly uploading entire photo galleries. But each voiced concern that the app, like many others, failed to alert users that their data was being uploaded to remote servers.
"If they don't take privacy seriously, how seriously do they take security?" asked Will Strafach, the founder and chief executive of Guardian Firewall, a tool coming soon for iOS that aims to give users more control over their data. "If they don't take security seriously, what's the risk of either an insider threat or their company being breached?"
Others online raised concerns about FaceApp's privacy policy and terms and conditions, citing, among other things, a clause that grants FaceApp extensive rights to user photographs. But Jeremy Gillula, tech projects director at the Electronic Frontier Foundation, a nonprofit civil liberties group, said it was similar to those of other apps.
"We always have concerns," he said. "The fact that a lot of apps and services usually contain this catchall clause that says you grant us worldwide license to reproduce, modify, adapt, create derivative works from, distribute, publicly perform and display your user content always seems a little over the top to me."
Written by: Niraj Chokshi
© 2019 THE NEW YORK TIMES