Is FaceApp “stealing” more than just your youth from your photos?
The Russian-based selfie app, known as FaceApp, has been a hot topic for the last week, and not just because of its impressive face-manipulating abilities.
FaceApp takes an image the user has selected and utilizes AI-like techniques in order to create changes to the person’s face in the photo at hand; the app has the ability to make the person in the photo appear older, younger, change their race, and more. As this two-year-old app has one again gained immense popularity over the last week, US authorities are concerned that it is doing more than trading your face in for a younger (or older) you.
In a letter sent last Wednesday by Senate Minority Leader Chuck Schumer, he urged the FBI and Federal Trade Commission to investigate the data-collecting and data-retention mechanisms of the FaceApp. The underlying concern is if “personal data uploaded by millions of Americans onto FaceApp may be finding its way into the hands of the Russian government.”
Headquartered in Saint Petersburg, FaceApp has “opaque disclosures” regarding users’ consent in providing their photos and data, and how this information may be used against the United States, according to Schumer.
According to Homeland Security Research Corp’s (HSRC) market report- “OSINT Market & Technologies – 2019-2022”, an increasing amount of personal data, corporate content, and government databases are now open and accessible to intelligence organizations around the world, leading to a rise in OSINT investments and, by extension, OSINT, WEBINT or SOCMINT budgets.
According to the market report, several types of security organizations are now reportedly investing in Open Source Intelligence Tools to increase their monitoring and research capabilities, in the open web, deep web and Darknet. Social networks such as Facebook, Twitter, LinkedIn, and other local services hold detailed personal data on billions of people and lay the grounds for Social Media Monitoring. Locations, connections, hobbies, and purchasing habits are open for all, which have turned these networks into goldmines for intelligence analysts.
One of the more specific issues raised with this app is that it appears to be overriding settings if a user had denied access to their camera roll, after people reported they could still select and upload a photo , despite the app not having permission to access their photos. In addition, FaceApp claims it only uploads photos users have specifically selected for editing. Security tests have not found evidence the app uploads a user’s entire camera roll.
FaceApp has went on to specify, that it “might” store the photos users have chosen to upload in the cloud for a short period, claiming this is done for “performance and traffic”, such as to ensure a user does not repeatedly upload the same photo to carry out another edit.
When confronted about users’ personal information and data, the creators behind the app have claimed no user data is “transferred to Russia”, even though its R&D team is based there. This may just mean that storage and cloud processing are being performed using infrastructure based outside Russia. Facebook has clearly stated that “We don’t sell or share any user data with any third parties”, although many authorities seem to believe otherwise.
HSRC’s recently published report, “Big Data & Data Analytics – Hardware, Software & Services Market in National Security & Law Enforcement: 2019-2022”, reflects on how the industry is creating new opportunities, not only for data collection and storage, but also for intelligence processing, exploitation, dissemination, and analysis. Big data and data analytics technologies can increase the investigative capabilities of intelligence organizations in many relevant aspects, including war on crime & terror, defense from cyber-attacks, public safety analytics, disaster and mass incident management, and development of predictive capabilities.
The following quotes are excerpted from Schumer’s letter to the FBI and Federal Trade Commission:
“…In order to operate the application, users must provide the company full and irrevocable access to their personal photos and data. According to its privacy policy, users grant FaceApp license to use or publish content shared with the application, including their username or even their real name, without notifying them or providing compensation…”
“…It is unclear how long FaceApp retains a user’s data or how a user may ensure their data is deleted after usage. These forms of “dark patterns,” which manifest in opaque disclosures and broader user authorizations, can be misleading to consumers and may even constitute a deceptive trade practice. Thus, I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it…”
What are your thoughts? Is FaceApp as innocent as they claim to be, or should we be wary of their intentions?
For more information, contact Naomi Sapir:
naomi@homelandsecurityresearch.com