The hysteria about FaceApp privacy is mostly overblown, but the app does some shady things that many other apps do, too.
A while back, I left the vast cesspool of mainstream social media for the weirder and wilder pastures of places like Mastodon (and yes, I’m very smug about it). The downside is that I often don’t hear about new fads unless something goes wrong, which is exactly what happened when everyone had a collective freakout about FaceApp after initially falling in love with it.
FaceApp, in case you were like me and missed it, lets you apply filters to your face to appear aged and frail, perhaps appealing to the much-documented millennial obsession with decay and eventual oblivion. FaceApp was then accused of hijacking people’s personal information and photos and, gasp!, sending them to Russia. An internet poop emoji storm ensued.
This led my colleague Jose to ask a very reasonable question: “If one were to delete an app such as FaceApp, is the damage of granting these apps access to your info already done or are you safe again?”
Security wonks often are snarky and dismissive of real, valuable questions like this. Many take the attitude that people shouldn’t have downloaded the apps in the first place, which is not only unhelpful but further cements the security-wonk reputation for hating fun. Jose’s question is valid: Does delete an app that was snooping on you in any way make you safe again?
The Real Story About FaceApp
First things first: The fears about FaceApp specifically seem overblown. My colleague Michael Kan spoke to several security experts about FaceApp, all of whom said it was not overtly malicious and, in some cases, actually praised the app. Aviran Hazum, a researcher from the antivirus company Check Point, told Kan, “I must say that this app seems to be developed in a good fashion—no greedy permissions, and it does what they claim it does.”
Kan reports that the initial warnings that the app steals all your images without asking were baseless and were eventually retracted. It is true, however, that the app is from a Russian developer, but without any evidence that the specific app or developer has done something wrong, it’s hard to hold that against the app.
While FaceApp may not be the sneaking terror we may have initially thought, it does have some problems. Like many apps and services we sign up for on a whim, it’s not always clear what the app does with your information, how long its kept, or with whom FaceApp shares your news.
It’s Still Not Great
I reached out to Bill Budington, the Senior Staff Technologist at the Electronic Frontier Foundation (EFF), to get a sense of what FaceApp does and what risks it presents. He pointed out that the language of the company’s terms of service paints a grim picture:
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform & display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.
“This gives FaceApp and its parent company Wireless Lab an enormous amount of latitude to do pretty much anything with your data that they’d like,” said Budington in an email. “Unfortunately, privacy policies like this are far too common, and this one, in particular, sounds like it’s using boilerplate language copied from somewhere else.”
We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.
“In other words,” said Budington, “they work with online trackers, using data you’ve given them to better track you.” Many companies that offer free services are part of a massive ecosystem designed to track you across the web and tailor advertisements to your interests. Companies have long argued that this is a small price to pay for a free service and that targeted ads are more valuable to you since they’re more relevant to you.
Whether you agree with that or not, companies are working hard to learn a lot about you to turn your data into cash. To me, it hardly seems a fair exchange, since that’s probably not foremost on your mind when you download an app to mess with your face.
We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information.
Anonymised information, however, isn’t always so anonymous. A report in The New York Times shows that it is possible to connect “anonymised” information to the original person. Moreover, the information might be semi-anonymous, but it’s still being used to serve ads to you. The result for you, the FaceApp user, isn’t so anonymous.
Goncharov also told Mashable, “most images are deleted from our servers within 48 hours from the upload date.” Several responses from the developer in the reviews on Google Play cite a similar 1–3 day time period. Goncharov also said that users could request to have their information removed from FaceApp’s servers.
(Full disclosure: PCMag’s publisher, ZiffMedia Group, owns Mashable, and I can see most Mashable employees from my desk. Hi!)
For Budington, that’s not good enough. “There’s no way of knowing if they’re telling the truth,” he said. “But what’s more concerning is that this assurance is probably the bare minimum they can give, leading one to ask: What do they do with the rest of the photos?”
Let’s put it all together, about Jose’s question. Regarding your photos, FaceApp has access only to the pictures you edit in the app and says it retains those for only a few days. You can request to have your information removed but, as Budington points out, there’s no way for an individual user to verify that this has been done.
It’s Not Just FaceApp
The scrutiny of FaceApp is an unusual confluence of events. It started with an incorrect accusation and was exacerbated by the intense-albeit justified-paranoia related to nefarious online activity from Russia. However, what FaceApp does is not so different from the activities of more native apps like Facebook, Instagram, Snapchat, Twitter, and many, many others.
FaceApp may not be a big bad, but we shouldn’t forget this lesson: Free apps want something. Maybe it’s your face, perhaps it's your excitement on social media, perhaps it's your phone number, it's perhaps “anonymised” personal information, or perhaps it's something evil like stealing you Social Security Number. The level of concern and scrutiny being given to FaceApp should be given to every single app, site, service, and software you use. Ask what it wants, and if it’s not clear what it wants, ask yourself if it’s worth using the app at all.
We are very deep into the surveillance economy, where we are continuously monitored for the benefit of corporations harvesting our data. I’ve been writing about this for years, and after so many data breaches and privacy gaffes from significant players (looking at you, Facebook) it’s hard to imagine that we could ever escape this data harvesting. The response to FaceApp has demonstrated that people aren’t comfortable with how these companies operate-or are perceived to operate-and that gives me hope we can get our privacy back.