You’ve Just Downloaded FaceApp, But Are You Safe?
Jul 19, 2019 • Meryl Medel
You’re probably seeing a timeline full of faces transformed to what they’re supposed to look like in old age. From famous personalities to your own friends, almost everyone has posted photos of themselves now and years in the future. Heck, you’ve probably tried doing this yourself, whether with your own face, a friend’s, or a celebrity’s.
Developed by Wireless Lab based in St. Petersburg, Russia, viral photo editor FaceApp allows you to transform a face to make it smile, change ethnicity (for which it has already faced backlash and gone viral before in 2017), change gender, and most recently, look older. Well, this feature was already available during its first year, but the app has since developed its program to make the result more realistic. Thus, the virality. But much like it did in 2017, FaceApp, particularly its policies, is raising red flags.
Everyone’s jumping on the bandwagon, but do you actually know what you’re getting into? Here are some things you should know about the viral app you’re probably already using.
I can see why FaceApp choose to upload user’s photo to their server and process them in their server:
From a business perspective, hiding the photo processing code in their server makes it hard for potential competitors from copying. It also makes piracy harder
— Jane Manchun Wong (@wongmjane) July 17, 2019
It’s actually processed in the cloud.
But what does that mean? Simply that whatever photo you upload on FaceApp goes to their servers, where they do their magic on your photo to make you look older. Well, it’s not for nothing.
The quite plausible reason behind this move is that realistically adding years to your face requires more processing power than you have on your device. While more recent Android phones and iPhones have machine learning capabilities built into their hardware, older smartphones don’t have this yet, thus there’s a need for a more powerful server. And of course, FaceApp probably wants to protect its trade secrets, and it’s much easier to protect those secrets when they are kept on its servers instead of the millions of devices of its users.
Earlier this year, Facebook was similarly accused over the viral “2009 vs 2019” or “10-Year Challenge” meme when a Wired article argued that Facebook was using this meme to create a data set for machine learning. The internet was quick to react, but this argument was debunked when New York Magazine said that the social media giant doesn’t need more photos of its users when it already has tons, with each one having a timestamp. Though that doesn’t really bring much comfort.
Another thing you need to know about any app you use, especially when you submit any sort of data, is where that submitted data is stored. FaceApp revealed in a statement that its servers are actually located mostly in the US using Amazon Web Services (AWS) and Google Cloud.
However, even if their servers are located in the US, FaceApp’s developers are actually based in Russia, which makes it possible for Russian intelligence to demand data from FaceApp if deemed legal. Though that doesn’t mean they can easily extract the data from its servers in AWS.
HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that.
— Will Strafach (@chronic) July 17, 2019
It’s only the photos you select to upload.
And French cyber-security researcher Elliot Alderson (a pseudonym) did a quick sweep of the app and found out that no, the app doesn’t upload your photos to their servers in bulk.
FaceApp also states that it saves uploaded photos on its servers to improve performance and lessen traffic and that they delete these photos within 48 hours. This makes sense in a way, but we’re sure not all users are comfortable with this, especially since the app doesn’t actually make clear to its users that it’s sending the photos to a server, as Guardian App CEO Will Strafach points out in a tweet.
Similarly, Snapchat came under fire in 2015 when it updated its terms of service, scaring a lot of people with terms like “perpetual right” and “your likeness” into thinking that Snapchat will own all photos uploaded into the app. Snapchat’s developers were quick to shut this down, but of course, users of any app should still be wary of whatever they upload.
If you use #FaceApp you are giving them a license to use your photos, your name, your username, and your likeness for any purpose including commercial purposes (like on a billboard or internet ad) — see their Terms: https://t.co/e0sTgzowoN pic.twitter.com/XzYxRdXZ9q
— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019
Much of the concern (in addition to the xenophobic remarks about the developers being Russian) probably stems from FaceApp using very broad language in its terms of service. Which means they have a lot of room to work with.
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.” [emphasis added]
This means that while you own the “user content” (i.e. your face), FaceApp has the license to do whatever they want to do with that “user content,” which is presumably improving the app’s algorithm, as this PhoneArena article speculates.
Shall I dance to Dionysus for the first time in a while? pic.twitter.com/i3nS6DCjzb
— 방탄소년단 (@BTS_twt) July 17, 2019
Since your photo goes up in a server, you don’t really know what kind of magic it goes through while there. It’s most likely that the app is improving its face-changing algorithms by learning from the photos people submit, which means it’s not using just stock photos available on the internet. It’s really the users’ photos.
Which the app actually indicates in its privacy policy: “[W]e may use information that we receive to . . . provide, improve, test, and monitor the effectiveness of our Service.”
Well, if they use your photos to improve their algorithm, what else can you do when you’ve already given them permission to use it when you clicked that upload button?
But FaceApp’s chief executive Yaroslav Goncharov disputes this in an interview with BBC News. “No, we don’t use photos for facial recognition training. Only for editing pictures.” I think we can breathe a bit now.
I deleted FaceApp because of all the creepy stuff reported about it, but it definitely did not have access to my Facebook account. I didn’t ever have to log in at all. I just used the app. https://t.co/4R59F7OalU
— Doug (@moonwalkmcfly) July 17, 2019
In their statement, FaceApp’s team says that they “don’t have access to any data that could identify a person,” since the app’s features are accessible without logging in, so 99% of its users don’t actually send them identifying information. Of course, your face is still with them if you upload any photo, but they don’t actually have a name attached to it.
This means there’s actually little cause for concern.
Google software engineer Ivan Rodriguez tells The New York Times that FaceApp collects minimal identifiable data beyond the photos that users upload. “I mean, I definitely don’t have the resources the F.B.I. or even the F.T.C. have, but so far I haven’t found anything that’s alarming or that shows this app trying to hide functionality that can be harmful,” Rodriguez says.
If you do log in, you can always change your privacy settings, especially if you used your Facebook credentials to register for the app. This is nothing new, but many netizens forget to properly manage their privacy settings and end up panicking once the internet points out security concerns.
While we’re all dragging FaceApp for taking our photos as their own, probably worth rereading Twitter’s Terms of Service: pic.twitter.com/OJ0p9SLc4A
— Lance Ulanoff (@LanceUlanoff) July 17, 2019
If you’re really just paranoid, FaceApp says that users can contact the developers and request that their data be deleted from its servers. Just submit your request through the mobile app “using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line.”
While the current evidence suggests that there’s no reason to worry, it’s better to start protecting yourself, especially online. The best thing to do is to be wary of the app, or any photo apps.
Or actually, just be wary of the internet in general.
Make sure your information is processed locally in your device. Know where your data is stored. Turn off your location. Reduce third party app permissions. Manage your privacy settings. Read whatever agreement you’re entering when you click that “I Agree” button (I know barely anyone does this, but at least try).
And maybe just limit what you share online.
Have you taken steps to protect yourself online? Let us know how below!