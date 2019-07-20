For most people, never going outside is not an option. So laws in the United States and elsewhere need to be tuned up quickly—and not just because of FaceApp.

The suddenly ubiquitous portrait-aging app collects user-submitted photos and other user data and stores some or all of that data in cloud servers. In a response to criticisms of its privacy practices, FaceApp released a statement claiming that “most” photos are deleted within 48 hours. However, there are no legal guarantees for this in the privacy policy. Wireless Lab, which developed the app, also says users can request that their data be deleted, but the process for doing this is not noted in the policy either.

FaceApp is not the only app with weak privacy protections. It’s not even the only photo-editing app with weak privacy protections. Consider China’s Meitu, or even Snapchat and Instagram. Like FaceApp, all three of those apps allow users to submit their own photos and apply an AI-powered filter to transform their image. Apps developed by large American companies, such as Snapchat and Instagram, do generally at least try to comply with existing privacy laws. However, as we saw with the Cambridge Analytica scandal—in which a third-party app developer harvested user data that Facebook had promised to protect, and then used that data to help sway elections—major tech platforms with highly sophisticated engineering capabilities can still fail at privacy on a large scale.

Read: Why privacy policies are so inscrutable

A key difference between FaceApp and Facebook is that a Russian company developed the former. The New York Post published an explosive headline claiming, “Russians Now Own All Your Old Photos.” But falling back into Cold War–style rhetoric can be misleading. Concerns about Russian apps stem from the close relationship between government and industry, and the likelihood that Russian companies will be unable to fight government requests for data. Then again, companies in even the most liberal, democratic nations often have to share data with their government as well. In the United States, tech companies and their users do generally enjoy a higher level of legal protection from government than their counterparts in Russia do. But users of non-Russian apps should still be concerned about where their data will end up.

Regardless of origin, tech companies need to do better to protect the privacy of their consumers. Part of this is simply making users more aware of how data are being used. This is the rationale behind privacy policies. However, many users don’t read those policies. Developers need to go further and build actual privacy protections into their apps. These can include notifications on how data (or photos) are being used, clear internal policies on data retention and deletion, and easy workflows for users to request data correction and deletion. Additionally, app providers and platforms such as Apple, Microsoft, and Facebook should build in more safeguards for third-party apps.