The FaceApp Saga

RapidVPN/ July 25, 2019/ Blog/

FaceApp is the latest viral trend that everyone seems to be trying. The popular free mobile app that instantly alters the appearance of a person's face — adding wrinkles, sun damage, and grey hair — has blown up on social media, shared by hundreds including a long list of celebrities. More than 100 million people have downloaded the app from Google Play. And FaceApp is now the top-ranked app on the iOS App Store in 121 countries, according to App Annie.

When users submit a photo to the app to alter its appearance, it makes its way onto FaceApp’s servers. And it is not entirely clear what is happening when it does. In practice, this implies that the pictures you upload to the app may originally seem private, but may later be used in very public contexts. People have been willingly giving FaceApp the power to use their pictures and names for any purpose it wishes, for as long as it desires.

FaceApp was developed by a small team called Wireless Lab from St. Petersburg, Russia, and has not updated its privacy policy since 2017. According to FaceApp’s terms of service, people still own their own “user content”, but the company owns a never-ending and irrevocable royalty-free license to do anything it wants with it.

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.” – FaceApp terms of use.

Such terms are fairly standard for apps of this kind, and an app like this needs some access to photos to fulfill its functions. But the fact that so little is known about the app, and that it is made by developers in Russia, has led some to warn that it is best not to use it or to be careful when doing so.

Additionally, FaceApp requires your Facebook login. By using a Facebook federated login, FaceApp receives your name, profile picture, photos, and email address. As with many apps and websites, the Facebook federated login grants FaceApp an enormous amount of data. Your email can be used in combination with data brokers to find out who you are, where you live, and other demographic information. Granting access to all your photos allows this personal information to be combined with highly accurate facial recognition. This is another gray area to be taken up in an investigation.

With the Internet Research Agency, another Saint Petersburg-based company, being connected to the cyber-interference in the 2016 US presidential campaign that saw Donald Trump elected, there’s no telling what Wireless Lab could be up to. Hopefully, that’s all just fear-mongering, but you can never really be too safe on the Internet, especially when it comes to your data. In light of such concerns, Schumer wrote a letter to the FBI and FTC Wednesday, asking that they look into whether the data being provided by Americans is being used by anyone with connections to the Russian government.

Last year, the European Union implemented the General Data Protection Regulation, or GDPR, to establish data privacy standards for companies active in the region. U.S. lawmakers are considering whether to pursue similar regulations.

Elizabeth Potts Weinstein, a Silicon Valley-based lawyer, noted that FaceApp’s privacy policy is “not remotely GDPR compliant.”

In the wake of scathing accusations, FaceApp in a lengthy statement denied that it accesses the photo libraries of its users without permission or sells data to third parties. “Most photos uploaded to FaceApp servers are deleted within 48 hours”, the company added. Also, they commented on one of the most common concerns: “Even though the core of the research and development team is located in Russia, the user data is not transferred to Russia”.

As the FaceApp security saga continues, we suggest that our readers carefully review the permissions and terms on all apps downloaded onto phones, tablets, and computers. Your face is now a form of copyright, and you need to be careful about who you give permission to access your biometric data. If you start using that willy-nilly, then in the future, when we’re using our face to access things like our money and credit cards, what we’ve done is we’ve handed the keys to others. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.