FaceApp: Is The Russian Face-Aging App A Danger To Your Privacy?

DOS_patos · Jul 17, 2019

No, FaceApp isn’t taking photos of your face and taking them back to Russia for some nefarious project. At least that’s what current evidence suggests.

After going viral in 2017, and amassing more than 80 million active users, it’s blowing up again thanks to the so-called FaceApp Challenge, in which celebs (and everyone else) have been adding years to their visage with the app’s old-age filter. The app uses artificial intelligence to create a rendering of what you might look like in a few decades on your iPhone or Android device.

But one tweet set off a minor internet panic this week, when a developer warned that the app could be taking all the photos from your phone and uploading them to its servers without any obvious permission from the user.

The tweeter, Joshua Nozzi, said later he was trying to raise a flag about FaceApp having access to all photos, even if it wasn’t uploading them to a server owned by the Russian company.

Storm in an internet teacup?

This all turns out to be another of the Web’s many storm-in-teacup moments. A security researcher who goes by the pseudonym Elliot Alderson (real name Baptiste Robert) downloaded the app and checked where it was sending users’ faces. The French cyber expert found FaceApp only took submitted photos—those that you want the software to transform—back up to company servers.

And where are those servers based? Mostly America, not Russia. A cursory look at hosting records confirmed to Forbes that this was true: The servers for FaceApp.io were based in Amazon data centers in the U.S. The company told Forbes that some servers were hosted by Google too, across other countries, including Ireland and Singapore. And, as noted by Alderson, the app also uses third-party code, and so will reach out to their servers, but again these are based in the U.S. and Australia.

FaceApp uses Amazon data centres in America

FaceApp uses Amazon servers based in the U.S.

THOMAS BREWSTER
Of course, given the developer company is based in St. Petersburg, the faces will be viewed and processed in Russia. The data in those Amazon data centers could be mirrored back to computers in Russia. It’s unclear how much access FaceApp employees have to those images, and Forbes hadn’t received comment from the company at the time of publication about just what it does with uploaded faces.

So while Russian intelligence or police agencies could demand FaceApp hand over data if they believed it was lawful, they’d have a considerably harder time getting that information from Amazon in the U.S.

Permission to land on your phone

So is there a privacy concern? FaceApp could operate differently. It could, for instance, process the images on your device, rather than take submitted photos to an outside server. As iOS security researcher Will Strafach said: “I am sure many folks are not cool with that.”

It’s unclear how well FaceApp’s AI would process photos on the device rather than more powerful servers. FaceApp improves its face-changing algorithms by learning from the photos people submit. This could be done on the device, rather than the server, as machine learning features are available on Android and iOS, but FaceApp may want to stick to using its own computers to train its AI.

Users who are (understandably) concerned about the app having permission to access any photos at all might want to look at all the tools they have on their smartphone. It’s likely many have access to photos and an awful lot more. Your every move via location tracking, for instance. To change permissions, either delete the app, or go to app settings on your iPhone or Android and change what data tools are allowed to access.

FaceApp responds

Forbes contacted FaceApp founder Yaroslav Goncahrov, who provided a statement Wednesday morning. He said that user data is not transferred to Russia and that "most of the photo processing in the cloud."

"We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud," Goncharov added.

"We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date."

He said that users can also request that all user data be deleted. And users can do this by going to settings, then support and opt to report a bug, using the word "privacy" in the subject line message. Goncahrov said this should help speed up the process.

And he added: "We don't sell or share any user data with any third parties."

DOS_patos · Jul 17, 2019

@konceptjones
stop lying to the people.

lol

StringerBell · Jul 17, 2019

Photo editor FaceApp goes viral again, prompting security concerns

"In general, this app is not asking a lot of data from the user," Baptiste Robert, a security researcher, told NBC News.

www.nbcnews.com

"In general, this app is not asking a lot of data from the user," Baptiste Robert, a security researcher, told NBC News.

A photo editing app has introduced a few new wrinkles to the faces of celebrities — and to the ongoing discussion around personal digital security.

FaceApp, a more than 2-year-old app created by a Russia-based developer, has seen a recent spike in use due to some celebrities and influencers taking part in the "FaceApp Challenge."

The app has a host of image-altering features such as adding a smile or appearing to change a person's gender. Those taking part in the challenge are using the app to make themselves appear elderly, giving fans a preview of what their favorite athletes or celebrities would look like once they become senior citizens.

The recent spike in traffic to FaceApp has also given way to memes about certain famous faces who never seem to age, like the actors Paul Rudd and John Stamos.

But the sudden popularity of the app has also triggered growing concerns about how apps use the data and images supplied by users, particularly those that are owned or operated outside the U.S. One such concern for FaceApp centered on whether the app could access user photos without permission. Researchers found that those concerns were unfounded.

Despite the exoneration, security experts have mixed feelings about the app. They said it isn't likely the app is stealing entire camera rolls of photos from its users, but added FaceApp is not completely risk free.

The Democratic National Committee felt the app posed enough of a risk to send an alert to its party's presidential campaigns on Wednesday, warning against using the app that was "developed by Russians," according to a source familiar with the alert who was not authorized to speak publicly. The warning was first reported by CNN.

Senate Minority Leader Chuck Schumer, D-N.Y., also sent a letter to the Federal Trade Commission and the Federal Bureau of Investigation, asking the agencies to investigate the app.

Schumer wrote that he has "serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it."

Justin Brookman, director of privacy and tech policy at Consumer Reports, said the app's user agreement should concern its fans.

"I would be cautious about uploading sensitive data to this company that does not take privacy very seriously, but also reserves broad rights to do whatever they want with your pictures," said Brookman, a former policy director for the Federal Trade Commission's Office of Technology Research and Investigation.

Brookman said that FaceApp's privacy policy allows the company to do whatever it pleases with photos uploaded to its server, and the app's terms of use gives the company broad license to use the photos as it sees fit.

"They could turn them into stock photos or advertisements in Russia," Brookman said. "But I don't know how much the Russianness is concerning, although Russia has been known to use personal information in the past."

FaceApp denies collecting information on user's identities or selling their images.

In a statement, FaceApp said that "99 percent of users don't log in; therefore, we don't have access to any data that could identify a person," and added that they "don't sell or share any user data with any third parties."

FaceApp said most of their photo editing is done off of a user's device in remove servers, and the image that is uploaded must be selected by the user. Additionally, most photos are held on remote servers for approximately 48 hours before being deleted, the statement read.

"We accept requests from users for removing all their data from our servers," FaceApp's statement said. "Our support team is currently overloaded, but these requests have our priority."

During his research, Robert said he found that FaceApp was asking only for information such as what type of phone model a person is using and service identification information. He added that FaceApp relies heavily on third-party services through U.S.-based companies like Facebook.

In general, Robert said he hopes people will be wary of uploading any information to any app they're not familiar with.

"People should know that giving a photo of their face to a random app is a very bad idea and has a lot of privacy issues," Robert said. "They have no idea how their photo can be used."

Brookman said he feels that people have become more skeptical about technology.

"People are starting to worry in ways maybe they didn’t when social networking first rolled out," Brookman said.

He added that the responsibility should not be on consumers to read privacy policies to know what the risk of each app is. Still, he said that although he doubts FaceApp is doing anything seriously shady, he urged users to remember that they're giving up control of their image when they upload pictures to the app.

"I wouldn’t download it. It looks kind of cool, but even then I wouldn’t feel comfortable turning over my photos and saying you can do whatever you want with these in order to find out what I'll look like in 10 years," Brookman said. "I think I’ll wait 10 years."

TonyDubbz · Jul 17, 2019