Your social media feed has likely been jammed with a fresh new fad called FaceApp, a seemingly innocuous little smartphone game where you take a picture of yourself and Artificial Intelligence then shows what you’d look like as an old person. But security experts around the world are sounding the sirens about some very serious privacy problems with this app, which is developed and operated by a Russian tech company.
That old face app everyone’s using? FYI, when you click OK, @faceapp_ai accesses every photo on your device in unencrypted form. That means access to metadata, including the time/date/location of every photo, w no restriction on what the Russian-owned app can do w that info 🤷🏻‍♂️ pic.twitter.com/EYsXwHijdv
— imperfect produce 🍃 (@LeeHepner) July 17, 2019
Let’s start with the big one: FaceApp will access your entire photo library, and as noted above, that means location data and the time the image was taken, too. The company says in a response to TechCrunch that “We only upload a photo selected by a user for editing” and “We never transfer any other images from the phone to the cloud.”
Re: FaceApp, can’t speak to it “uploading” photos but the app is definitely able to access my library even though I have Photos permission set to “never” 🤔 pic.twitter.com/jDMkqu5nML
— Karissa Bell (@karissabe) July 16, 2019
Users are finding this answer to be kind of an evasion. While FaceApp only uploads the photo you select to their cloud server, they still have access to your entire camera roll, and every piece of metadata associated with it. As TechCrunch also addressed, FaceApp is not uploading your entire camera roll to their cloud servers, but they can access photos even if you’ve set your permission to not allow this.
FaceApp's terms of service page is a DOOZY.
— James Whatley (@Whatleydude) July 17, 2019
More trouble lies in FaceApp’s terms of service, which are far more invasive than the industry standard. How trustworthy do these words sound?
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you,” the terms say.
This doesn’t mean FaceApp owns your photos; it just means they have permission to do literally anything they want with them. So don’t be surprised when you see your face in a Donald Trump 2020 ad.
PSA: TikTok is Chinese and FaceApp is Russian. Safe to assume those governments can readily access your data if you use these apps.
— David Carroll 🦅 (@profcarroll) July 17, 2019
And it is not unreasonable to be suspicious since FaceApp is a Russian creation based in St. Petersburg. Forbes confirmed the company’s servers are not in Russia, but instead in the U.S. and Australia. Still, Russian employees and staffers can access anything on those servers. And the Kremlin has unusual control over Russian tech companies as they increasingly try to infiltrate U.S. tech firms.
I could care less about your face, I wanna see what that ass looks like in 40 years
— mike cella 🌼 (@mikeVcella) July 17, 2019
Tech types will inevitably make the argument that all apps collect your data, so we should just abandon any form of caution and blindly tolerate and trust any app. But remember the Cambridge Analytica scandal, the Facebook breach of 30 million accounts, and the Ashley Madison hack. Even the top tech firms allow our data to fall into the wrong hands. Some people are digging on the new app that shows you what you look like in 40 years, but reminding people of the security risks of these things is getting old.