The Data Protection Commission has issued advice in response to privacy concerns over face-ageing photo app, FaceApp.

The app, which can run on iPhone and Android devices, allows users to place a filter that ages photos of users' faces.

It's popularity has surged in recent days as a host of celebrities posted their images online. 

A spokesperson for the Data Protection Commission said it advises people who are signing up to any app to check what happens to their personal data.

The commission advised users, "to make sure that they do not provide any personal information until they understand and are satisfied with how this information will be used."

The Russian company behind FaceApp has denied storing the photo libraries of users without their permission.

In a statement to RTÉ News, company founder, Yaroslav Goncharov, said while photos are stored on a remote server, "most images are deleted from our servers within 48 hours from the upload date".

Mr Goncharov said the app only uploads photos selected by users.

"The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation."

The company also insisted it does not transfer any other images from the phone to the cloud and denied storing images at its offices in St Petersburg.

"Even though the core R&D team is located in Russia, the user data is not transferred to Russia."

Ronan Lupton, Barrister and Chair of the Association of Licensed Telecommunications Operators, warned that users could be putting their biometric information at risk.

"They might be taken up by the craic of sharing information online, but the reality is they may be compromising themselves in the future depending on how that information is stored."

He said the FaceApp privacy policy dates back to 2017 and some areas are not compliant with GDPR requirements.

"Facial recognition is now being used for security systems so having information stored with third parties is something people should be very cautious about doing.

"Biometric data is given a special status under GDPR and should be treated with kid gloves," Mr Lupton added.

US calls for probe into app

Meanwhile, US Senate minority leader Chuck Schumer has called on the FBI and the Federal Trade Commission to conduct a national security and privacy investigation into FaceApp.

FaceApp requires "full and irrevocable access to their personal photos and data", which could pose "national security and privacy risks for millions of US citizens," Mr Schumer said in a letter to FBI Director Christopher Wray and FTC Chairman Joe Simons.

The Democatic National Committee also sent out an alert to the party's 2020 presidential candidates yesterday warning them against using the app, pointing to its Russian provenance.

In the email, seen by Reuters and first reported by CNN, DNC security chief Bob Lord also urged Democratic presidential campaigns to delete the app immediately if they or their staff had already used it.

There is no evidence that FaceApp provides user data to the Russian government.

Democrats have invested heavily in bolstering party cyber defences after US intelligence agencies determined that Russia used hacking as part of an effort to boost support for US President Donald Trump's 2016 election campaign.

Russia has repeatedly denied those claims.  

FaceApp, which was developed by Wireless Lab, a company based in St Petersburg, says on its website that it has more than 80 million active users.

Its CEO, Yaroslav Goncharov, used to be an executive at Yandex, widely known as "Russia's Google".

The app, which was launched in 2017, made headlines in 2018 when it removed its 'ethnicity filters' after users condemned them as racist.

More recently, it has faced scrutiny from the public over issues such as not clearly communicating that the app uploads images to the cloud rather than processing them locally on a user's device.

Chuck Schumer

It is not clear how the artificial intelligence application retains the data of users or how users may ensure the deletion of their data after usage, Mr Schumer said in the letter.

Mr Schumer said the photo editing app's location in Russia raises questions about how FaceApp lets third parties, including foreign governments, have access to the data of American citizens. 

In a statement cited by media outlets, FaceApp has denied selling or sharing user data with third parties.

"99% of users don't log in; therefore, we don't have access to any data that could identify a person," the company said in a statement cited by TechCrunch, adding that most images are deleted from its servers within 48 hours of the upload date.

While the company's research and development team is located in Russia, the user data is not transferred to Russia, according to the statement.