FaceApp, the AI-powered selfie-editing app that’s been having another viral moment of late, has now responded to a privacy controversy that we covered earlier here.
We’ve pasted the company’s full statement at the bottom of this post.
The tl;dr here is that concerns had been raised that FaceApp, a Russian startup, uploads users’ photos to the cloud — without making it clear to them that processing is not going on locally on their device.
Another issue raised by FaceApp users was that the iOS app appears to be overriding settings if a user had denied access to their camera roll, after people reported they could still select and upload a photo — i.e. despite the app not having permission to access their photos.
As we reported earlier, the latter is actually allowed behavior in iOS — which gives users the power to choose to block an app from full camera roll access but select individual photos to upload if they so wish.
This isn’t a conspiracy, though Apple could probably come up with a better way of describing the permission, as we suggested earlier.
On the wider matter of cloud processing of what is, after all, facial data, FaceApp confirms that most of the processing needed to power its app’s beautifying/gender-bending/age-accerating/-defying effects are done in the cloud.
Though it claims it only uploads photos users have specifically selected for editing. Security tests have also not found evidence the app uploads a user’s entire camera roll.
FaceApp goes on to specify that it “might” store the photos users have chosen to upload in the cloud for a short period, claiming this is done for “performance and traffic” — such as to make sure that a user doesn’t repeatedly upload the same photo to carry out another edit.
“Most images are deleted from our servers within 48 hours from the upload date,” it adds.
It also claims no user data is “transferred to Russia”, even though its R&D team is based there. So the suggestion is that storage and cloud processing are being performed using infrastructure based outside Russia. (We’ve asked it to confirm where this is done. Update: Founder Yaroslav Goncharov told us it uses AWS and Google Cloud.)
“We don’t sell or share any user data with any third parties,” it adds.
FaceApp also says users can request their data is deleted. Though it doesn’t yet have a very smooth way to do this — instead it asks users to send delete requests via the mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line, adding that it’s “working on a better UI for that”.
It also points out that the vast majority of FaceApp users don’t log in — making the point that it’s not able to link photos to identities in most cases.
Here’s its statement in full:
We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.5. We don’t sell or share any user data with any third parties.6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
But be warned: FaceApp, which you grant permission to access your photo gallery, also includes in their Terms and Conditions that they have the right to modify, reproduce and publish any of the images you process through its AI.
That means that your face could end up being commercialized — or worse.
UK-based Digitas strategist James Whatley said on Twitter, “You grant FaceApp a perpetual, irrevocable… royalty-free… license to use, adapt, publish, distribute your user content… in all media formats… when you post or otherwise share.”
That means they can also use your real name, your username or “any likeness provided” in any format without notifying, much less paying, you. They can retain that material as long as they want, even after you delete the app, and you won’t be able to stop them. Even those who set their Apple iOS photo permissions to “never,” as Tech Crunch points out, are not protected against the terms.Security expert Ariel Hochstadt told Daily Mail that hackers, who are not infrequently agents of the Russian government, can log the websites visited and “the activities they perform in those websites,” though they might not know the identity of the person being tracked.
But when we also give them access to our phone’s camera, they can “secretly record” someone — who could be a targeted or prosecuted member of society, says Hochstadt, such as “a young gay person.” Now the hackers (and Russian government by proxy) can cross-reference your face and phone information with the websites you’re using.
Hochstadt continues, “They also know who this image is, with the huge database they created of Facebook accounts and faces, and the data they have on that person is both private and accurate to the name, city and other details found on Facebook.”
Even if hackers aren’t exactly working with the Russian government, says Hochstadt, “With so many breaches, they can get information and hack cameras that are out there, and be able to create a database of people all over the world, with information these people didn’t imagine is collected on them.”
Eventually, technology expert Steve Sammartino believes, your face will also be used to access even more critical private information, such as banking credentials.
“Your face is now a form of copyright where you need to be really careful who you give permission to access your biometric data,” he tells journalist Ben Fordham. “If you start using that willy-nilly, in the future when we’re using our face to access things, like our money and credit cards, then what we’ve done is we’ve handed the keys to others.”
One cybersecurity expert, however, is warning these fun apps can come with consequences.
David Shipley with Beauceron Security said that while the product may be advertised as ‘free’, it’s your information that’s the real price. He noted that even a picture of your face can do plenty of damage.
“It can be used to identify you and unlock things like your smartphone or other things and you want to make sure you protect your identity.”
Shipley said that some hackers will go to extreme lengths to steal personal information.
“We’ve seen hacks in the last two years of Android phones that use facial ID, that if someone can get enough photos of your face and can actually 3D print a head and unlock your phone.”
He said the best way to ensure your data is to check the user agreement before downloading these kinds of apps.
Shipley warns other nefarious activities hackers can do include selling your search history and your location to other companies.
“A lot of companies trade data, almost like trading baseball cards like kids, and because they can sell it, they didn’t violate the spirit or terms of your agreement, but it certainly wasn’t what a lot of people thought was going to happen with their data.”
Overall, issues like this can pose serious problems in the future.
“People’s photos being used to create fake social media profiles that look more real and authentic or to make a copy of your very own social media profile to then target your friends and family with a variety of different scams and attacks.”
I really like your writing style, great date, thank you for posting.
ReplyDeletehttps://360digitmg.com/course/project-management-professional-pmp
There's been a lot of discussion about FaceApp recently because many users have been downloading it and changing their photo for a funny new look before discovering they have shared access to everything. This opens up a huge risk to cyber security so be very careful when downloading an app, especially when it comes to your information
ReplyDeleteThis information is so useful and informative which you have shared here. It is beneficial for beginners to develop their knowledge. It is very gainful information. Thanks for sharing Backup disaster Recovery solutions in Houston.
ReplyDeleteThe context of this content is really good. Thank you for sharing this type of awareness with us. In this article, you shared much informative knowledge on multiplication activities. Take look at this toowhite label identity theft . Thanks!
ReplyDeleteYou are doing a great job by writing such informative article. Interesting at the same time. Also check this out Cyber Security Trends 2022 Gartner. Thank you.
ReplyDeleteI wanna thanks to a great extent for providing such informative and qualitative material therefore often.
ReplyDeletebranding agency
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteYou composed this post with extraordinary consideration and scrupulousness in regards to this issue. Your article gave me helpful data. It's very useful to me as well as others. Much obliged to you for proceeding to share this sort of data. QRadar Security Intelligence Solution in USA
ReplyDeleteYour meticulous approach to this topic is evident, and I greatly appreciate the effort you put into this faceapp Post. The information provided is incredibly useful, not just to me but to many others as well. Thank you for continuing to share such valuable insights!
ReplyDelete