December 3, 2019

FaceApp: How Dangerous Is It?

FaceApp: Should I Delete It?


Updated: December 3, 2019

Screenshot From FaceApp.com

You may have seen the slew of "What would I look like as an old person" photos that have been shared to Social Media recently. You may also have seen warnings in the media that this app is "Bad News." Just how bad is it? Should you delete the app and reset your phone? Or is it really as harmful as much of the media is saying?

What is FaceApp?


FaceApp is a photo app available for Android and iPhone.  It basically allows one to apply filters to photos.  You can do things like swap genders, add makeup, add tattoos, and otherwise enhance all of your selfies. The latest app update added the ability to "age" or "de-age" selfies as well.

FaceApp is not a new app. It has been around since 2017. However, it recently became viral, thanks to its ability to age you in selfies, as well as share side-by-side photos to social media.

What Are the Concerns with FaceApp?


FaceApp seeks some pretty sketchy permissions. We'll examine those permissions later in the article. Its privacy policy and terms of service also raise concern.  Basically, the app  calls itself "free," but like many other apps, you are paying with your personal data.  User reviews also stress that you must pay to use a LOT of components of the app, and many popular filters are locked until you pay to upgrade to the Pro version.  Many reviewers complain of decreased photo quality once they upgrade to Pro, as well as many pro features simply not working.

But the biggest criticism appears to be the nationality of the developer.  The app lists a Delaware address for the developers on Google Play.  However, both the privacy policy and the terms of service list a Russian address.  The app, in fact, comes from Russian Developers. This means you are exchanging your personal information with Russians when you choose to use this app.

Additionally, you are granting permission to use your photos however they see fit.  The Terms of Service state:

 You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.


It goes on to state:

You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes.

So basically, you are giving Russian Developers permission to use your photos however they choose to, as well as to share them with others and to use them commercially.

The Privacy Policy clearly states that they may share your information with whomever they please. It also states that they may share information obtained through tracking cookies with affiliates and third parties. In addition, they state: "[a] device identifier may be data stored in connection with the device hardware, data stored in connection with the device’s operating system or other software, or data sent to the device by FaceApp."

So in sum, by using the app, you are granting permission for them to track EVERYTHING you do on your mobile phone, as well as to use any pictures however they please.  You are giving up a right to control how photos generated through the app are used.

Facial Recognition


Many folks hate the idea of facial recognition databases.  In the United States, law enforcement often uses facial recognition databases to investigate crimes. My own State has a facial recognition database they've developed using Driver License Photos.  There is no way to opt out of this database.

Some reporters and government officials are worried that FaceApp is just a cover for a Facial Recognition Database collecting effort. They are concerned that the developers are collecting photos, pairing them with the information you have given them permission to collect, and then selling the result to third parties.

This paragraph of the Privacy Policy, which is echoed in the Terms of Service, especially concerns The Feds:

FaceApp, its Affiliates, or Service Providers may transfer information that we collect about you, including personal information across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction.

Russia does not have the same government mandated privacy protections that Europe and the US do, and many fear the Russian Government will just "take" any information they want from the developers, or that the developers are already handing it over. With the Mueller Report recently exposing Russia's many attempts to collect data on and influence Americans, the fear is that FaceApp is just another avenue in which to do so. Whether that fear is true or not is unconfirmed. The developers claim they neither store your information nor hand it over to their government, but the language used in both the Privacy Policy and the Terms of Service seems to contradict this.

Permissions, Privacy Policy, & Terms: Details

This section will look at the "questionable" language included in FaceApp's Privacy Policy and Terms of Service.  It will also list the Permissions you grant when using the app. If you are not interested in the nuts and bolts of this, scroll down to the next section, where we will summarize the "dangers" of using this app.

Permissions:


This app has access to:

  • Storage
     read the contents of your USB storage
     modify or delete the contents of your USB storage

  • Photos/Media/Files
    read the contents of your USB storage
    modify or delete the contents of your USB storage

  • Camera
    take pictures and videos


  • Other
    receive data from Internet
    full network access
    prevent device from sleeping
    read Google service configuration
    view network connections
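
To audit a listing like the one above, the following added example (not from the original article or from FaceApp) parses the Google Play groups, maps each label to an Android manifest permission, and separates permissions that need a runtime prompt from those granted silently at install. The label-to-permission table and the grant model attached to each entry are this example's assumptions, based on Android's standard permission labels.

```python
import re

# Assumed mapping: Play label -> (manifest permission, grant model).
# "runtime" = Android "dangerous" permission, user is prompted on Android 6.0+.
# "install" = granted at install time with no prompt.
LABELS = {
    "read the contents of your USB storage":
        ("android.permission.READ_EXTERNAL_STORAGE", "runtime"),
    "modify or delete the contents of your USB storage":
        ("android.permission.WRITE_EXTERNAL_STORAGE", "runtime"),
    "take pictures and videos": ("android.permission.CAMERA", "runtime"),
    "receive data from Internet":
        ("com.google.android.c2dm.permission.RECEIVE", "install"),
    "full network access": ("android.permission.INTERNET", "install"),
    "prevent device from sleeping": ("android.permission.WAKE_LOCK", "install"),
    "read Google service configuration":
        ("com.google.android.providers.gsf.permission.READ_GSERVICES", "install"),
    "view network connections":
        ("android.permission.ACCESS_NETWORK_STATE", "install"),
}

# The listing as it appears in this article.
LISTING = """\
  • Storage
     read the contents of your USB storage
     modify or delete the contents of your USB storage
  • Photos/Media/Files
    read the contents of your USB storage
    modify or delete the contents of your USB storage
  • Camera
    take pictures and videos
  • Other
    receive data from Internet
    full network access
    prevent device from sleeping
    read Google service configuration
    view network connections
"""

def parse_listing(text):
    """Return {group: [labels]} from a bulleted Play-style listing."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bullet = re.match(r"[•*]\s*(.+)", line)
        if bullet:
            current = bullet.group(1)
            groups[current] = []
        elif current is not None:
            groups[current].append(line)
    return groups

def audit(text):
    """Deduplicate labels across groups and sort them by grant model."""
    report = {"runtime": {}, "install": {}, "unknown": set()}
    for group, labels in parse_listing(text).items():
        for label in labels:
            if label not in LABELS:
                report["unknown"].add(label)  # review these by hand
                continue
            perm, model = LABELS[label]
            report[model].setdefault(perm, []).append(group)
    return report

if __name__ == "__main__":
    for model, perms in audit(LISTING).items():
        print(model, sorted(perms))
```

Labels missing from the table land in `unknown` instead of being dropped, so a listing with unfamiliar entries is flagged for manual review.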

So basically, you are giving FaceApp permission to access A LOT of content on your phone, as well as to monitor your behaviors when using the phone. It can track what apps you are using as well as what you do on websites and in other apps.  It can also look at basically EVERYTHING you have stored on your phone.

Terms of Service (https://faceapp.com/terms)


The following paragraphs are excerpted from the Terms of Service page itself. They are not the complete terms, but rather the parts you may find concerning.

You will need to use your credentials (e.g., username and password) from a third-party online platform to access some or all of our Services. You must maintain the security of your third party account and promptly notify us if you discover or suspect that someone has accessed your account without your permission. If you permit others to use your account credentials, you are responsible for the activities of such users that occur in connection with your account.

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.


You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp’s use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf. You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.

User Content removed from the Services may continue to be stored by FaceApp, including, without limitation, in order to comply with certain legal obligations. FaceApp is not a backup service and you agree that you will not rely on the Services for the purposes of User Content backup or storage. FaceApp will not be liable to you for any modification, suspension, or discontinuation of the Services, or the loss of any User Content.

Any questions, comments, suggestions, ideas, original or creative materials or other information you submit about FaceApp or our products or Services (collectively, “Feedback”), is non-confidential and will become the sole property of FaceApp. We will own exclusive rights, including, without limitation, all intellectual property rights, in and to Feedback and will be entitled to the unrestricted use and dissemination of Feedback for any purpose, commercial or otherwise, without acknowledgment or compensation to you.

We do not control, endorse or take responsibility for any User Content or third-party content available on or linked to by our Services.

 You expressly waive any rights you may have under California Civil Code § 1542 as well as any other statute or common law principles that would otherwise limit the coverage of this release to include only those claims which you may know or suspect to exist in your favor at the time of agreeing to this release.

By accessing or using our Services, you consent to the processing, transfer and storage of information about you in and to the United States and other countries, where you may not have the same rights and protections as you do under local law.

You and FaceApp agree that any dispute arising out of or related to these Terms or our Services is personal to you and FaceApp and that any dispute will be resolved solely through individual arbitration and will not be brought as a class arbitration, class action or any other type of representative proceeding.

Privacy Policy (https://www.faceapp.com/privacy)


The following text is excerpted from FaceApp's Privacy Policy, and contains some of the most distressing parts.

Device identifiers:

When you use a mobile device like a tablet or phone to access our Service, we may access, collect, monitor, store on your device, and/or remotely store one or more “device identifiers.” Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identify your mobile device. A device identifier may be data stored in connection with the device hardware, data stored in connection with the device’s operating system or other software, or data sent to the device by FaceApp.

A device identifier may deliver information to us or to a third party partner about how you browse and use the Service and may help us or others provide reports or personalized content and ads. Some features of the Service may not function properly if use or availability of device identifiers is impaired or disabled.

Parties with whom we may share your information:

We may share User Content and your information (including but not limited to, information from cookies, log files, device identifiers, location data, and usage data) with businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group (“Affiliates”). Affiliates may use this information to help provide, understand, and improve the Service (including by providing analytics) and Affiliates’ own services (including by providing you with better and more relevant experiences). But these Affiliates will honor the choices you make about who can see your photos.

We also may share your information as well as information from tools like cookies, log files, and device identifiers and location data, with third-party organizations that help us provide the Service to you (“Service Providers”). Our Service Providers will be given access to your information as is reasonably necessary to provide the Service under reasonable confidentiality terms.

We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.

FaceApp, its Affiliates, or Service Providers may transfer information that we collect about you, including personal information across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction.

Contact:


You may contact the developers at:
Wireless Lab OOO
16 Avtovskaya 401
Saint-Petersburg, 198096, Russia

Is FaceApp Really WORSE Than Other Free Apps?




What you probably came here to learn is how bad FaceApp is in comparison to other Free Apps.  Sadly, remove the Russian affiliation, and FaceApp really asks for no more than many other free apps and web services. They ask for no more than Facebook and Instagram ask.  Google tracks your activities in a similar fashion. The biggest difference is how these various companies use the  data they collect, as well as the potential for misuse.

The FaceApp developers claim they do not invoke many parts  of what they make you agree to currently, and that they have no definitive plans to do so.  They claim they do not keep the images you upload for very long, and that they do not "steal" every photo on your phone, despite the fact you have given them permission to do so.  How truthful that is, we do not know.  

The fact is that they have been doing whatever they are doing for several years now. The caution comes now NOT because we discovered they were doing something nefarious, but rather, because the app seemed to go viral overnight.  They have already collected several million photos, so there is not a lot we can do if, in fact, their real intent is to build a photo database, complete with personal information you gave them permission to obtain.

Personally, I think the threat is being overblown right now, and that FaceApp is no worse than thousands of other apps freely available and being used by millions. There are a lot of more dangerous apps in use on millions of smartphones and tablets. Many of these have far worse privacy policies and terms of service than FaceApp.

What concerns me the most about FaceApp is its lack of transparency. Unless you investigate beyond the app page itself on the App Store, you will never know you are using a Russia-based program. The app listing page claims a Delaware address, and even its Terms of Service discuss California legal policies.  Most folks would assume they are working with a California-based app maker who is incorporated in Delaware.  The fact the app hides its Russian affiliations concerns me.

What Do We Need to Learn From This?

Regular readers know that I use few of these apps personally, because of their potential for misuse. Nothing is ever truly free on the Internet, and that is especially true for smartphone apps.  You are paying for these apps and services with your personal information, and it is being sold to many different parties for many different reasons.  We ALL need to be more judicious in what we trade our information for.

What we need to learn is to scrutinize permissions and to read policies carefully. How many people actually read the terms of service BEFORE they start using an app, especially if reading those terms requires a visit to a website outside the app itself? How many folks actually seek out and read Privacy Policies to see what they can potentially do with the information they are continuously harvesting?

Techlaurels examined the dangers of using Internet Quiz Apps and Facebook Apps years ago.  Nametests continues to rebrand itself under labels like "OMG," and folks continue to use these apps, despite the dangers. We also talked about the dangers of breaches associated with such apps, and how their loose stewardships often cause ripple effects far beyond the app itself.  We can warn all of y'all over and over again, but you persist in dangerous behaviors, like using apps without fully investigating what you are giving up in doing so.

Only you can decide if it is worth trading all that you are trading for a chance to use a few photo filters. For me, the risks outweigh the benefits.

Should I Delete FaceApp?

The longer you have been using FaceApp, the deeper it has potentially reached into the guts of your device.  And according to the terms to which you agreed, deleting the app  may or may not eliminate the many mechanisms it has planted throughout your device. The only certain way to scrub your device clean is to do a Factory Reset. Remember, it may have planted components that will be restored with a backup, so you'd really need to start from scratch after resetting your phone.  You can send a letter to the developers in Russia demanding they scrub all traces of your data after deleting the app, but I am not well versed enough in Russian laws to confirm they will have to comply.  It is already too late to get back the data they have shared with others.

If you have not already downloaded FaceApp, I would recommend that you stay away. We have found enough backdoors in both Russian and Chinese software, years after the fact, to warrant Federal bans on using such apps on Government devices. For this reason, I am wary of installing any apps from these countries to begin with, especially when there are safer alternatives.

But so far, FaceApp has not done anything more nefarious than data mining that we know of.  We really have neither confirmed nor denied the inherent dangers of using the app.  Were it me, I certainly might delete the app, now that I am hyper-aware of the associated risks. But to truly combat these issues, we must be smart enough NOT to install these apps to begin with.

Update:


Right after this post was published, we became aware of a call by Chuck Schumer to start a Federal investigation of FaceApp.




We will update this article again should an investigation actually commence.

Update: December 3, 2019

Page 1 of the response from the FBI.

Chuck Schumer posted the above letter today on Twitter, along with the following verbiage:
Chuck Schumer
@SenSchumer
A warning to share with your family & friends:
This year when millions were downloading #FaceApp, I asked the FBI if the app was safe.
Well, the FBI just responded.
And they told me any app or product developed in Russia like FaceApp is a potential counterintelligence threat.
(Reference: https://twitter.com/SenSchumer/status/1201607736900964353)

In other words, the FBI thinks the app's connection to Russia "is a potential counterintelligence threat based on the product data it collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia's borders."

The letter says "If the FBI assesses that elected officials, candidates, political campaigns, or political parties are targets of foreign influence operations involving FaceApp, the FBI would coordinate notifications, investigate, and engage the Foreign Influence Task Force, as appropriate."

In light of the FBI's warning, Techlaurels strengthens our recommendation NOT to use this app, and to delete it if you have previously downloaded it. This app remains too sketchy for us to like it at all.
