What's the deal with FaceApp? The data-hungry Russian photo editor

If you’re curious about what you’ll look like when you’re older the chances are you’ve already downloaded and tried out Face App, the iOS and Android app that takes photographs of your face and applies filters that age them.

Photos produced by the app have swept through social media in the last few weeks, but Face App itself was first released back in 2017. However, the app’s resurgence in popularity has thrown up questions: headlines about security concerns have spread across social media almost as quickly as the aged images generated by the app.

The alarm was first raised by developer Joshua Nozzi, who said that the app was uploading all photos contained on a user’s phone on Twitter. But are the concerns actually based in fact, or is Face App no worse than any other company created by a tech firm (which can be pretty bad)?

The main concern that Nozzi raised, that Face App accessed the full camera roll of any phone it was installed on, couldn’t be replicated by Will Strafach, the founder of a popular firewall app for iOS. Strafach did identify that Face App uploads single images to its server in order to apply the filters, though.

That was also confirmed by another researcher. “They only upload the current photo to apply filters to it,” says Robert Baptiste, a French security researcher who has also investigated how Face App interacts with users’ phones. “They also send a register device request with the phone’s basic info, but they are quite reasonable in terms of data consumption.”

However, Baptiste and others can’t know what happens to the individual photos once they’re uploaded to Face App’s servers, nor how long they’re stored there. In 2017, its chief executive, Yaroslav Goncharov, told The Verge that photos are uploaded to the app’s servers to save on bandwidth, but are deleted “not long after”.

That’s a concern for some, who point out that tech companies are collecting massive databases of facial photographs to train artificial intelligence to recognise faces. Last month, Microsoft deleted a database of 10 million images of celebrities it had gathered to train systems thought to be used by police forces. IBM has previously trained facial recognition services using photos taken from Flickr.

But nothing else the app does would indicate that it’s being used for nefarious purposes. It uses three third-party packages: Google’s Firebase set of services, which allows apps to send crash reports, analytics and push notifications; Facebook’s SDK (normally used for analytics); and Account Kit, a Facebook-made password-less account creation tool.

In a statement, Yaroslav Goncharov said Face App “never” transfers images other than the ones being edited from the phone to the cloud. “Most images are deleted from our servers within 48 hours from the upload date,” Goncharov said.

Experts have also raised concerns about the app’s terms of service, which tracks users’ browsing history. Something that doesn't seem necessary for an image manipulation piece of software. They’re also worried about its privacy policy, which provides Face App with a huge potential trove of rights.

Using the app allows “a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you”. In addition you're allowing it to allow ad-related tracking and use of user content for commercial advertising purposes.

“That clause means you give away rights to the content you create using their tool,” says Pat Walshe, a data protection and privacy expert.

However, many apps have similar terms. “If we're being brutally honest, the terms of use regarding FaceApp are no different to any of the multiple social media platforms billions of people use every day,” says James Whatley, strategy partner at experience marketing agency Digitas UK, who has compared Face App’s policy to Instagram’s.

“The difference is those platforms have an opt-out [on data created by the app],” he says. “Delete your content and the Facebooks and Instagrams of this world won't use it. That element of decency seems to be missing from this service – a service that, and let's be clear about this, is positioned as just a bit of fun (while quietly taking the irrevocable licensing rights to your actual face).”

Goncharov said in a statement that “we accept requests from users for removing all their data from our servers.” Currently the support team is overloaded, he added, but data removal requests have been prioritised. He added that 99 per cent of Face App users don’t log in when using the app.

Whatley is also concerned that Goncharov’s comments about images being deleted from Face App servers shortly after being used aren’t codified in the app’s terms. The notion that irrevocable rights to any content produced by users is commonplace among such services worries Walshe.

“You asked if the concerns are any different or greater than any other app out there,” he says. “The question indicates how normalised surveillance capitalism has become that we ask that question rather than, is it ethical to bury important consequences in the shadows of a TOS and privacy policy rather than elevate them into the light of the user experience?

“How on earth are individuals expected to understand the consequences for their privacy when so much is hidden or not explained. For example, precisely what data is shared with advertisers and what advertisers and what do those advertisers do with the data?”

More worryingly, Walshe believes the app doesn’t adhere to GDPR rules around adverts. “From my review and install of the application, it seems to me no consent is sought for the in-app ad-related tracking as per the ePrivacy Directive (and such consent must be the standard under the GDPR). Walshe also worries Face App does not meet the standards and requirements set out by the UK Information Commissioner’s Office in their recent guidance on cookies and similar technologies, nor the ICO’s guidance on privacy in mobile apps.

Another concern seems to come from the provenance of the developers of Face App. Wireless Lab OOO is located in St Petersburg, Russia – a country known for its willingness to bend the rules of democracy. For many, Russia appears too close politically to China, where massive databases of facial recognition software are being built to help the country roll out its “social credit” mantra, which has seen 13.5 million people deemed as “untrustworthy” by the country’s ruling party. More than 20m attempts to buy plane tickets by those individuals in China were declined as a result. However, Goncharov confirmed that although Face App’s development team is based in Russia, data is not transferred there.

But many of the worries people raise are “just a rumour”, says Baptiste, who would happily use the app. “This is the craziness of social media,” he explains. “People want to find conspiracies everywhere, and here we have everything: photos, Russians and a well-known app.”

🕵🏿 It's time you ditched Chrome for a privacy-first web browser

🎉 A vaccine for Alzheimer's is on the verge of reality

🤦🏽 Reddit’s ‘Am I the Asshole’ is your new guilty pleasure

📧 Get the best tech deals and gadget news in your inbox

Source: Wired.co.uk

Powered by NewsAPI.org

Keywords:

IOS • Android (operating system) • Photograph • Photographic filter • Photograph • Social media • Social media • Image • Mobile app • Mobile app • Photograph • Mobile phone • Twitter • Mobile app • Technology • Business • Mobile app • Camera • Mobile phone • Firewall (computing) • Mobile app • IOS • Mobile app • Upload • Image • Server (computing) • Content-control software • Upload • Photograph • Content-control software • Computer security • Application software • User (computing) • Telephone • Computer hardware • BASIC • Data • Mobile app • Server (computing) • The Verge • Mobile app • Server (computing) • Bandwidth (computing) • Database • Artificial intelligence • Microsoft • Database • Systems thinking • IBM • Facial recognition system • Flickr • Mobile app • Package manager • Google+ • Firebase • Web service • Mobile app • Push technology • Facebook • Software development kit • Analytics • Facebook • Password • Programming tool • Mobile app • Image • Mobile phone • Cloud computing • Server (computing) • Mobile app • Terms of service • User (computing) • Software • Privacy policy • Application software • Royalty payment • License • Publishing • Derivative work • User (computing) • Content (media) • User (computing) • User (computing) • Content (media) • Mass media • Television advertisement • Copyright • Pat Walshe • Privacy • Privacy • Mobile app • Terms of service • Social media • Marketing • Digitas • Mobile app • Instagram • License • Server (computing) • Application software • User (computing) • Application software • Image • Application software • Server (computing) • Application software • Standard score • Surveillance capitalism • Terms of service • Privacy policy • Advertising • Advertising • Advertising • General Data Protection Regulation • Advertising • Advertising • General Data Protection Regulation • Application software • Information Commissioner's Office • HTTP cookie • Technology • Information Commissioner's Office • Privacy • Mobile app • Radio • Saint Petersburg • Democracy • China • Facial recognition system • Social Credit Party (New Zealand) • Mantra • China • Ruslan Honcharov • Russia • Social media • Mobile app • Google Chrome • Privacy • Web browser • Vaccine • The Verge • Reddit • Guilty pleasure • Technology • Gadget • Email •