Can You Trust Russian App FaceApp?

Reading Time: 4 minutes.

Security-conscious developers, privacy nuts, and even politicians have warned about the privacy implications of FaceApp. Maybe you heard of FaceApp, but, even if you haven’t, you’ve likely seen photos of your friends aged up a few decades. That’s FaceApp. FaceApp applies filters to your photos, making you look older, younger, male or female, adding a smile, or making you look “better.” That sounds innocent enough, right?

But some security researchers have raised alarms, while others have stated we have nothing to worry about. So who’s right?

What Is FaceApp?

FaceApp uses machine learning to apply filters to your face. It uses models trained with a variety of photos, and improving over time, to figure out what you’d look like if you were older, younger, a different gender, or look at yourself with different hair styles. This machine learning, unlike the kind Apple prefers, is done off device. That means any photos you filter are uploaded to FaceApp’s servers. This is how Google does machine learning though. In fact, Google collects a shocking amount of information about its users through their services, phones, computers, laptops, ans even through your credit card history. If you use anything Google makes, from Android devices to Chrome, your data is tracked, collected, and machine learning is used to profile you, make predictions about you, and advertise to you.

So what makes FaceApp worse? Beyond the usual scrutiny anything that gains viral popularity should receive, it’s also a Russian company with a problematic privacy policy.

Why is Privacy a Concern?

Any time something like this goes viral, I don’t use it. So often these apps spread on Facebook for the sole purpose of data collection. The Cambridge Analytica scandal? That was a right-wing data collection operation. How did it spread? An innocent looking quiz app on Facebook. Those Facebook apps asking you what Disney Princess you are, or what Harry Potter house you should be sorted into? Data collection. The apps that tell you what celebrities you look most like? Have you guessed what they’re actually doing yet?

The data collection is largely to advertise to you, but it’s also for building out a profile on you, your friends, your browsing habits, and other parts of your privacy. That’s data you can sell to businesses for insight, marketing data, and product planning. Typically, these apps are obvious and not useful to consumers, but they’re highly profitable.

But then FaceApp came along. The results looked surprisingly realistic, and the de-aging of some older celebrities revealed photos that looked much like their younger selves. I remember a photo of Mark Hamill from his first Star Wars movie that, when aged up, looks shockingly like the actor does now. So FaceApp is doing what other Facebook scams typically cannot do: it’s providing real results. Is this a cause for concern?

Storing Photos

FaceApp does store the photos, including their metadata. Metadata can include location, with GPS accuracy. Depending on where and how often you use the app, FaceApp’s developers could use this to track your location over time.

FaceApp’s developer claims they delete “most” photos within 48 hours of upload. They do admit to storing photos, but claim this is to only avoid re-processing photos that have already been uploaded. FaceApp’s spokesperson would not say why they retain some photos longer than 48 hours. Users also cannot tell if FaceApp is currently storing their photos.

The Whole Camera Roll?

I also want to clear up something that started with this controversy. FaceApp does not take your entire camera roll, as initial rumors reported. They are only taking the photos you upload. For their version of machine learning, done off-device, this is vital to the operation of the app, and cannot be avoided. However, researchers were able to prove that the app never collects your whole camera roll, only the photos you have given them.

No Rights to Photos

FaceApp is as far as a company can go to be non-GDPR compliant. When you use the service, you give you photos to the company. You sacrifice all rights and all ownership to your original photo and all versions of the photo. FaceApp can save your photos, sell them as stock photos, edit them, use them in marketing, or strip them down for data collection. No part of the photo you upload is yours, and FaceApp can do whatever they want with your photos. If you don’t like that, you can refuse to use the service. However, this won’t stop friends from potentially uploading photos that include you.

Russia

FaceApp is by a Russian company. After the 2016 election, in which Russia hacked DNC members and spread misinformation to help Donald Trump win the presidency, the idea of Russian software developers might sound scary. Apps from China, a country with government-funded spying to extreme levels, face similar scrutiny. However, simply being from a country is not necessarily enough to distrust a company. These privacy concerns are certainly tinged with some xenophobia, but the concerns are not completely unfounded.

Russia is home to many hackers and scammers. Lax enforcement has made the nation a hacker’s paradise. Therefore, hackers could infiltrate and extract information from just about any Russian data center. Some of those hackers will be working for the Kremlin, but many others are just scammers. Russia is mostly interested in what other countries are doing. However, if you’re a U.S. politician using FaceApp, Russian hackers could be very interested to gather your whereabouts through metadata.

 

See more

Their Privacy Policy is not remotely GDPR compliant. It says that your data can be transferred to any location where they have a facility … which means Russia.

— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019

 

FaceApp uses Google Cloud and AWS to store their photos. If you are not from Russia, your photos are not, by default, stored in Russia. Doing so would introduce a ridiculous amount of latency. However, because FaceApp owns everything about your photos, including your metadata, they can send them to Russian servers if they choose to do so. Since FaceApp hasn’t said why they may store some photos for more than 48 hours, we don’t know what they’re doing with these photos, or where they’re storing their data.

Should I Use FaceApp?

You know what? Sure. If you’re not a politician or other high-ranking official, its data collection is no worse than Facebook’s, Instagram’s, Amazon’s, or (worst of all) Google’s. If you’re comfortable with those services, and you want to join in on the fun of editing your photos, you shouldn’t be any more suspicious of FaceApp. It’s not secure or private, but if you’re okay with that, it’s not as though they’re going to steal your identity or hack your devices.

See more

I am not seeing much fishy in FaceApp

Photos are uploaded to FaceApp's servers on AWS w/ authorization. Not much info is being sent to FaceApp's servers other than user metrics (e.g. ui interactions)

I just wish there's an option for users to delete their photos from the server

— Jane Manchun Wong (@wongmjane) July 17, 2019

Yes, it could have ties to Russia. That’s why you shouldn’t use it if you’re a politician or U.S. operative. If you’re a high profile person, I hope you have a team managing your social media accounts, strip metadata from any photos, and generally do not share photos live anyway. FaceApp should not be something you use from your own phone if you’re a high-profile person. But neither should Facebook. If you’re not? Go ahead! Its privacy policy is atrocious and I won’t be using it as a result, but if you don’t mind Facebook’s spying, you won’t mind FaceApp’s. If you do take measures to protect your privacy though, one good idea would be to never download this app.

---

Sources:

• Ashley Carman, The Verge
• Seth Fiegerman, CNN Business
• Geoffrey A. Fowler, The Washington Post
• Jen Karner, AndroidCentral
• Natasha Lomas, TechCrunch
• Donie O’Sulivan, CNN
• Kaitlyn Tiffany, Vox