Aging app is all the rage, but beware
Russian developer behind viral tech processes facial images in cloud, raising privacy concerns
Russian company behind FaceApp processes photos in the cloud, raising privacy fears.
ISAN FRANCISCO s a peek into the future worth your privacy in the present? That concern was pushed to the spotlight this week with the resurgence of a smartphone app that uses artificial intelligence to transform your current face into your younger and older selves.
People raised fears on Twitter and other social media sites that on iPhones, FaceApp would be able to see and upload all your photos, including screenshots with sensitive financial or health information or photos of kids with the names of their schools in the background.
That’s not actually true, but the scuttle serves as a good reminder to think twice before downloading new apps.
Even large, mainstream apps routinely collect user data. But many trendy-at-themoment apps are guilty of mining user data as a primary purpose. Some personality quizzes on Facebook and similar services collect user information as a business, opening people up to breaches such as in the Cambridge Analytica scandal.
On Wednesday, the ranking Senate Democrat, Chuck Schumer, wrote in a letter to the FBI and Federal Trade Commission that he’s concerned FaceApp could pose “national security and privacy risks for millions of U.S. citizens.” The New York Democrat is asking the two agencies to assess the situation.
Schumer’s letter came on the same day the Democratic National Committee warned presidential campaigns against using FaceApp, citing the software’s Russian developers. It urged campaign staff to “delete the app immediately.”
The app allows users to upload a photo of their face and have it automatically edited to look like their future self, replete with wrinkles and graying hair — a popular trick that filled the social media feeds of millions of users, including the celebrities such as Drake, LeBron James and the Jonas Brothers.
But concerns over how the photos could potentially be misused by the company, whose developers are headquartered in St. Petersburg, raised alarms among many users as well as DNC officials, who urged 2020 campaign staff and “people in the Democratic ecosystem” not to use the app.
“This novelty is not without risk: FaceApp was developed by Russians,” DNC security chief Bob Lord wrote in the alert to campaigns, which was first reported by CNN. “It’s not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the
app outweigh the risks. … If you or any of your staff have already used the app, we recommend that they delete the app immediately.”
The warning also said it applied to “people in the Democratic ecosystem.”
FaceApp grabs a photo only if you specifically select it to see your face change, security researcher and Guardian Firewall CEO Will Strafach said. The confusion comes from an iPhone feature that shows your photo library within the app. It is an Apple feature that lets you select a specific photo, but doesn’t give the app full access to the library, even though it may appear that way.
You have the option of granting access to your entire photo library, but even then, there is no evidence the app is uploading anything other than the photo selected.
“I’m always looking for privacy concerns,” said Strafach, who used a network analyzer tool to track what was happening. “When it’s not happening, it’s not happening.”
There’s a version of FaceApp for Android, but those phones don’t tap photo libraries the same way.
That’s not to say the app isn’t free of problems, Strafach said.
Among other things, photos get sent to the cloud for processing in both the iPhone and Android versions, exposing them to hacking and other problems. FaceApp does not explicitly tell users that the photos are being sent to the cloud. Some apps try to limit exposure by doing the processing on the devices themselves, not in the cloud.
FaceApp’s privacy policy also says it is using data from the app to serve targeted ads and to develop new products and features. It says it does not sell data to third party apps, but lists many exceptions including one that allows it to share data after removing information that identifies users.
FaceApp, which is developed in Russia by Wireless Lab, has had surges of viral popularity before. The app also allows people to swap their genders or add facial hair or makeup.
Wireless Lab told technology news site TechCrunch that it may store users’ photos in the cloud, but “most” are deleted after 48 hours. It said no user data is transferred to Russia.
The company did not respond to questions from the Associated Press. It told TechCrunch users can request to have their data deleted.
Even with those admissions, Strafach urged people to resist the pull of the app. He said the app should have been upfront and told users it was processing photos in the cloud rather than on phones.
“Bottom line is they were handling sensitive data and they handled it cavalierly and that’s just not cool,” he said.
Information from the Washington Post was used in this report.