The “oldie” selfies people have been posting have crowded social media platforms for the past week. Celebrities are in the game too, dishing out the “#faceappchallenge”! The app behind this sensation is FaceApp from Russia. Despite its cool AI tricks, FaceApp has drawn the ire of a bunch of people and the skepticism of some security researchers. Sit back and read on while we tell you the entire story.
What is FaceApp?
Despite the viral sensation it has become since last week, FaceApp is not a new thing. FaceApp was started two years back in 2017 by a Russian startup, Wireless Labs. The app uses artificial intelligence, specifically neural networks, to alter and apply filters to selfies uploaded by its users.
The app can change your style (by adding or removing your beard and altering your hairstyle) and add a smile to your selfies. But it’s the “old age” filter that has taken social media by storm. Celebrities such as Kevin Hart, Miley Cyrus, Carrie Underwood and the Jonas Brothers are posting their aged faces online and regular folks are following in their stride.
The recent spike in traffic to FaceApp has also given rise to memes about certain famous faces who never seem to age, like the actors Paul Rudd and John Stamos.
What Led to the Privacy Concerns?
The privacy uproar over FaceApp started when Joshua Nozzi, a software developer, began warning in his tweets, “BE CAREFUL WITH FACEAPP. It immediately uploads your photos without asking whether you choose one or not”. His claims, though not substantiated at the time, created a domino effect of media stories weighing in on the privacy risks of FaceApp. “Russians now own all your old photos”, claimed a headline in The New York Post.
These concerns can be attributed to FaceApp’s questionable terms of service, which state the following:
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.
A reminder here: terms like these aren’t written for your benefit. They are written to cover potential legal liabilities while sharing as little as possible about what a company is actually doing with your data. You can find similar catch-alls in the terms and conditions for apps and services like Facebook, Instagram and Snapchat. If you click accept without reading, the company can conveniently say, “It’s not our fault, you were warned”.
People are aware of the troubling possibilities of facial recognition and how deepfake technology can use it to create stunningly realistic videos of a person using nothing more than a single image of their face.
Pankaj Srivastava, COO of privacy-first company FigLeaf, advises on the risks of using apps like FaceApp. He says, “Clever companies are finding new and different ways to couch data collection in ‘fun’ or ‘viral-sharing’ experiences. It may seem fun to manipulate your photos but what you’re really doing is giving away your entire photo album to a company with no traceable address, location or history. Oddly, users don’t have to opt in to use the app, which seems a violation of the European Union’s GDPR laws.”
What Do Security Researchers Say?
Owing to the concerns about privacy, several security researchers have since analysed the product. While most of them agree that the company has no malicious intent at the time, they refrained from calling it completely risk-free.
Baptiste Robert, a French security researcher who also goes by Elliot Anderson, fact-checked concerns about the app’s uploading of photos by looking at the backend of the app and concluding that the only image the app was uploading was the modified “aged” image.
“I found that FaceApp is not uploading the full gallery of the user. Only the photo the user is modifying is uploaded to their server in order to apply filters,” says Robert. “In general, this app is not asking a lot of data from the user.” Robert notes that FaceApp only asks for information such as the phone model the person is using and service identification information. FaceApp relies heavily on third-party services through U.S.-based companies like Facebook, he adds.
Robert hopes that people will be wary of uploading any information to any app that they are not familiar with. “People should know that giving a photo of their face to a random app is a very bad idea and has a lot of privacy issues,” he says. “They have no idea how their photo can be used.”
Nozzi has since deleted his original tweets warning about FaceApp. “I was wrong. I was wrong about what I thought the app was doing (uploading all pics once granted access), and I was wrong to have posted the accusation without testing it first. Full stop,” he writes in a blog post. “What I don’t regret in the slightest is having called attention to the privacy concerns surrounding the app.”
However, Nozzi believes there are still legitimate concerns with the app. He points to how the product neglects to warn users that edited photos will be uploaded to the company’s server. FaceApp’s terms and conditions also allow it to use your uploaded photos for commercial purposes.
Justin Brookman, director of privacy and tech policy at Consumer Reports, opines that the responsibility should not be on consumers to read privacy policies to know what the risk of each app is. Still, although he doubts FaceApp is doing anything seriously shady, he urges users to remember that they’re giving up control of their image when they upload pictures to the app.
What Does FaceApp’s CEO Assure?
FaceApp denies collecting information on users’ identities or selling their images. FaceApp clarifies in a statement, “99 percent of users don’t log in; therefore we don’t have access to any data that could identify a person,” emphasising that they “don’t sell or share any user data with any third parties.”
Yaroslav Goncharov, CEO of FaceApp, addresses the privacy concerns in a lengthy statement to TechCrunch, “FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”
Goncharov also adds, “Even though the core R&D team is located in Russia, the user data is not transferred to Russia.”
Your Privacy in Your Own Hands
Pankaj Srivastava says, “If consumers are going to own privacy or take back control of privacy, they are going to have to start reading the fine print, like FaceApp’s terms and conditions. That is something individuals have to own and this is a part of online privacy that they should be responsible for.”
Goncharov declares, “We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using ‘Settings -> Support -> Report a bug’ with the word ‘privacy’ in the subject line.”
He promises a better UI for addressing such requests.
“Users want more control and transparency over how their personal information is being used by applications, and expect Android, as the platform, to do more to provide that control and transparency,” Sameer Samat, VP of Product Management, Android & Google Play, wrote in a recent blog post. “This responsibility to users is something we have always taken seriously, and that’s why we are taking a comprehensive look at how our platform and policies reflect that commitment.”
“We have strict policies on how app developers can handle user data,” a Google spokesperson adds, pointing out that when a violation is found, the company takes action.
To better protect your privacy, you as an individual need to decide whether the functionality provided by the app improves your quality of life to a degree that it is worth sharing information with the app developer.