FaceApp privacy panic: Be careful which apps you use

The privacy panic over FaceApp, the selfie-editing mobile app that makes photo subjects younger, older or turns them into members of the opposite sex, has been overblown.

The (overblown) issue

FaceApp is an iOS and Android app developed by Russian company Wireless Lab and is not without past controversy (e.g., lightening skin color to make users “hot”).

In this latest bout of massive popularity, the app makers were “accused” of siphoning pictures from users’ mobile photo rolls to servers in Russia.

But, as it turned out, that particular claim was unfounded: FaceApp only collects the photos you select for editing and sends them to servers running in Google Cloud and Amazon Web Services.

“We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date,” Wireless Lab explained.

They also pointed out that users can request their data being removed from their servers but, also, that most users don’t log in when using the app, so they “don’t have access to any data that could identify a person.”

Finally, they noted that they don’t sell or share any user data with any third parties.

Things you should consider before using such an app

Reading the app’s privacy policy and terms of service (ToS) should be a must. In FaceApp’s, it says that:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.

Also:

You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp’s use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf. You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you.

While this sounds alarming, chances are you have already used many mobile apps that have similar ToS. Privacy-wise, there are many apps that collect much, much more user information. So, while the situation is not good, it’s also not unusual.

As Brian Barrett pointed out, this latest privacy commotion is partly due to the current geopolitical situation and partly due to the increased awareness we have about data protection and the perils of facial recognition.

“You should ask questions about FaceApp. You should be extremely cautious about what data you choose to share with it, especially something as personal as a photo of your face,” he noted. “But the idea that FaceApp is somehow exceptionally dangerous threatens to obscure the real point: All apps deserve this level of scrutiny—including, and especially, the ones you use the most.”

It is known that most people don’t bother with reading apps’ and services’ terms of service and privacy policies, but hopefully this “incident” will spur some to do so in the future.

Also, it is known that malicious individuals often take advantage of the immense popularity of some apps to offer clones or fake apps that might collect a lot of user information, show malicious adds, propagate scams, or steal login credentials.

Think about the potential consequences of data sharing

“Users are often enticed with a flashy new app or tool that do new or unique things; especially those that all of their friends and family are using, and the viral nature of apps like this mean people don’t think about the potential consequences of sharing intimate data with a third party,” says Richard Henderson, Head of Global Threat Intelligence at Lastline.

“Large datasets of people’s photographs are undoubtedly going to be used for all sorts of purposes: some nefarious, some not. Could your photo be cross-referenced with other massive photograph datasets someone has collected in order for their systems to better identify you as you walk past a camera on the street? We know such systems already exist for both commercial and government uses… it doesn’t take a huge jump of logic to see the authors of this app using this data for that purpose,” he adds.

“There’s another angle here as well: the AI-processing being used to turn your photo into a younger or older version of yourself appears to work remarkably well. While this is certainly a testament to the power of AI technology, perhaps these younger versions of you are being cross-referenced against historical photograph databases to find images of people that don’t have a name attached. On the flip side, storing potential ‘aged’ photos of you may help automated systems in the future continue to keep tabs on you as the years progress. All of this data is of substantial value to organizations both malicious and non-malicious.”