(WNCN) – There’s an old app generating a new worry on social media.
The FaceApp that turns you into an old person has some security people concerned, because the Russian owned app has terms and conditions that allow it to keep your data—and do anything they want with it forever.
The FaceApp is receiving renewed interest as a result of the “FaceApp Challenge” racing across social media where people are posting before and after photos of themselves once they’ve aged them.
That’s where people turn themselves into an older version of themselves. Although it looks like a fun thing, security experts warn there’s another side to that face.
“With the FaceApp you are granting permissions to use all the photos on your phone,” said computer security expert Craig Petronella.
He says many people don’t realize when they install the app, “they’re opening the door saying, ‘Hey you can take all my pictures.’”
The app debuted in 2017 and went viral again recently when it added an artificial intelligence filter to allow you to age yourself.
But since the app does its transformation on servers and not on your phone, that’s where the problems begin.
“You don’t know what happens after you do that,” said Petronella. “You make the change for fun, but you don’t know what happens behind the scenes.”
He says users don’t know where in the world is the server that holds the photo is located. And he says they have no idea how secure that server may or may not be.
He says users don’t know who has control over what is being done to the data sent to it by your phone.
The app is the creation of Wireless Lab, which is a company based in St. Petersburg, Russia.
According to its lengthy terms and conditions, you give the company rights to use your data in unexpected ways.
Among other permissions included in that agreement, are you granting the company perpetual, irrevocable, royalty free worldwide license…to display your user content…in all media formats and channels now known or later developed…without compensation to you.
“We need to be really cautious and even paranoid about how we control the privacy of our biometrics,” said Petronella.
All those photos and the metadata attached to those pictures goes somewhere, and what happens if hackers access it?
“In this case, if someone steals your face or your fingerprint how do you fight to get it back?” asks Petronella. “To what lengths do you have to go to prove you are you? Do you give a blood sample?”
FaceApp is responding to the controversy:
We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
5. We don’t sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos. We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.
The company makes a point of saying, “Even though the core R&D team is located in Russia, the user data is not transferred to Russia.”
Petronella says it doesn’t really matter if the server is in Russia or not.
“If they have access to it, it doesn’t matter where it lives, because they can do what they want with it.”
So what’s the fix for the FaceApp?
Petronella suggests people not use it in its present form.
“Use your voice, and say ‘I like this application but I’m not willing to grant you full access to all my photos’,” said Petronella. Tell the company, “I want restrictions.”
He says users should demand the company, “build a new version of this where I am in control of when, where and how you access my data.”
We already use our faces to access some things like the latest generation of smartphones and soon, you may use your face to do things like gain access to your bank accounts and other sensitive aspects of your life,
Your face is in effect, your copyright—and you want to be careful who gets access to your face in any database.
