There’s no such thing as a free lunch, cybersecurity experts warn, when it comes to services on the internet. Your money may not be what shady companies are after—the data you inadvertently give them might be just as valuable. Malicious software, Facebook games and digital advertisements all can harvest, and have harvested, data from their users without their knowledge.
And, of course, smartphone apps are vulnerable to exploitation, as well. Take the viral spread of FaceApp, a mobile photo editor dedicated to modifying people’s faces. FaceApp allows you to edit a beard onto your face or change your hair color with a few taps on the screen, all supposedly powered by “AI.” The app gained some early notice thanks to its ability to digitally manipulate even the grimmest face into a wide smile, but only became a viral sensation earlier this week thanks to a social media campaign on Twitter called the #AgeChallenge. The hashtag encouraged FaceApp users to post photos altered with a filter that allowed users to age-up (or conversely, de-age) people’s faces.
To use this filter, all you had to do was download FaceApp, agree to its terms and conditions, and grant the app access to your entire photo library. But eagle-eyed users soon discovered that the terms and conditions contained a paragraph with some disturbing implications.
The suspicious part read:
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.
Essentially, by editing selfies with the app, you were signing away the rights to your face forever. FaceApp could use your mug in an advertising campaign without paying you or asking for your consent, with no real recourse to object besides not using the app in the first place.
There’s also the matter of the filters themselves. None of the photos are edited on the device; instead, FaceApp uploads them to “the cloud,” meaning that they are stored in the company’s databases.
Predictably, in a political climate wary of Russian interference (FaceApp is run out of St. Petersburg), all these dubious features caused a panic. The Democratic National Party’s Security Chief, Bob Lord, even went as far as to advise presidential candidates and their staff to “delete the app immediately.”
#Warning: Every few years, the #FaceApp comes around. It’s fun. It draws a lot of people in. But, it also captures your face along with some of your private data. It doesn’t tell us what it does with that data. Be careful. — scott budman (@scottbudman) July 17, 2019
However, one cybersecurity expert found that the danger FaceApp currently poses is limited:
using a network traffic analyzer, I tried to replicate the thing people are talking about with FaceApp allegedly uploading your full camera roll to remote servers, but I did not see the reported activity occur. here is marlo stanfield with a beard though pic.twitter.com/6wy8cHLNuA — Will Strafach (@chronic) July 17, 2019
Vox even called the panic xenophobic, noting that just because the app was Russian didn’t mean it was doing anything particularly egregious with your data that American companies like Snapchat or Ever weren’t already doing.
In a statement to TechCrunch, a spokesperson for FaceApp responded to some of the accusations. Parts of the statement read:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
5. We don’t sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Regardless of whether the suspicions swirling around FaceApp have any merit, there’s nothing wrong with thinking twice about what you’re giving up to get a silly filtered photo of your own artificially aged face.