Privacy concerns dominate as FaceApp crosses 100 million installations
19 July 2019
A large number of users and security experts from across the world have expressed concern over the privacy policies of AI face editor app FaceApp even as the app’s new age filter has made it go viral across the world, registering over 100 million installations and counting.
A couple of years ago, a new messaging app suddenly appeared out of nowhere and gained sudden and widespread popularity, so much so that it gained over 20 million users in less than two months across the world. And why not? The app offered people the anonymity they needed to come clean with their thoughts about others without facing the risk of being discovered.
Sarahah offered users the ability to express their thoughts and feelings while maintaining their anonymity, a concept immediately embraced by millions of smartphone users. However, security experts discovered shortly thereafter that the app’s developers weren’t as privacy-conscious as its users may have believed.
Security researcher Zach Julian revealed that the app contained a functionality ‘to send every phone number, email address, and associated names on a device to Sarahah’s servers’. While iOS users received notifications asking for their permission so that Sarahah could access contacts, only those using Android phones with Android 6.0 Marshmallow OS received such notifications.
“Sarahah, on both Android and iOS, does not provide users enough information on how their phone’s contact details will be used. While this functionality is claimed to be part of a future release, and that ‘the Sarahah database doesn’t currently hold a single contact’, unfortunately all we have is the company’s word,” he added.
FaceApp claims complete ownership over users’ photos
A similar phenomenon is occurring again, with smartphone users across the world taking to a photo editing app named FaceApp that allows them, among other things, to use its age filter to generate older versions of themselves and share such images on popular social media platforms.
As per recent reports, the two-year-old FaceApp now has over 160 million users across the world. However, it hasn’t taken long for the app to hit rough waters, as security experts and smartphone users across the world are now expressing concern about its privacy policies.
The app reportedly informs Android and iOS users that FaceApp reserves the right to keep their images uploaded to the app indefinitely and also reserves the right to use those images in any manner. Basically, users have no say on how their photos will be used by the app and will not have the right to request the deletion of their photos by the developers.
“We may share User Content and your information (including but not limited to, information from cookies, log files, device identifiers, location data, and usage data) with businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group (“Affiliates”). Affiliates may use this information to help provide, understand, and improve the Service (including by providing analytics) and Affiliates’ own services (including by providing you with better and more relevant experiences). But these Affiliates will honor the choices you make about who can see your photos.
“We also may share your information as well as information from tools like cookies, log files, and device identifiers and location data, with third-party organizations that help us provide the Service to you (“Service Providers”). Our Service Providers will be given access to your information as is reasonably necessary to provide the Service under reasonable confidentiality terms.
“We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.”
“Users of AI enabled applications like FaceApp likely aren’t aware that the AI actions taken by the app will occur on servers owned and managed by the app authors. This means that whatever data provided will be available to them, for whatever use, for as long as they want,” says Tim Mackey, Principal Security Strategist at the Synopsys CyRC.
“All of this should raise alarms whenever a free service is acting on sensitive information like images – the revenue to pay for the service is coming from somewhere and it’s likely the sale of data related to what the service provides,” he adds.
“Overreaching terms of service are not a new phenomenon. In most cases, they’re written by lawyers who are tasked with protecting the company, not the consumer. It’s no surprise that terms of service are heavily skewed toward that end,” says Tim Erlin, VP at Tripwire.
“The percentage of people who make a decision not to use an app because of the terms of service is very small. There’s no downside for an app publisher to be overly aggressive in what rights they claim in their terms. Until the terms become relevant to the app’s adoption, we can expect more of the same,” he adds.
FaceApp doesn’t keep photos for longer than 48 hours
Geoffrey Fowler, a technology columnist for The Washington Post who spoke to the CEO of FaceApp, said in an interview with NPR that the CEO told him that FaceApp only uploads one photo at a time from a device based on a user’s choice and does not gain access to a user’s camera roll.
At the same time, FaceApp also deletes a majority of photos uploaded to the app within 48 hours and does not use the photos uploaded by users for any purpose other than applying AI tools to create images that represent older versions of themselves.
The firm also insisted that users can make a privacy request from within FaceApp, and that it honours such requests by deleting the users’ images stored on its server.