Old-age selfies are fun, but should you be concerned about Russian-made FaceApp?

SINGAPORE: First it was Snapchat’s gender-bending feature, and now FaceApp is taking social media by storm, with users having fun transforming their faces into younger or older versions of themselves.

FaceApp, which was launched by Russian publisher Wireless Lab in 2017, uses artificial intelligence to modify users’ photos, changing their hair colour, adding wrinkles or subtracting years from their faces.

It is currently the most downloaded free application on Google Play, with more than 100 million users, after its new aging filter attracted interest from celebrities including music superstar Drake and NBA champion Steph Curry.  

However, as social media users populate their feeds with these entertaining selfies, is there a cause for concern about how their data is being used?

READ: Why cybercriminals are stalking your social media accounts

WHAT ARE THE CONCERNS OVER FACEAPP?

Concerns over the app and its data privacy have gained traction over the past week.

On Monday, software developer Joshua Nozzi’s tweeted his concerns about the app, which were picked up by several news publications.

In a now-deleted tweet, Mr Nozzi said that FaceApp “immediately uploads” users’ photos without their permission. He has since clarified in a blog post that he was wrong about the accusation.

A screengrab from Joshua Nozzi’s blog about his tweet that was circulated. 

However, concerns over the terms and conditions of the app remain.

Screengrab of FaceApp’s terms. 

Clauses in the app’s terms and conditions include granting FaceApp permission to use the photos for commercial purposes.

“While it may initially seem private, the terms of service from some of these apps may raise some concern around privacy since they do not make entirely clear on what is happening behind the scenes,” Mr Shashwat Khandelwal, McAfee’s head of Southeast Asia consumer business, told CNA in an email interview.

“When users grant certain permissions through the app, the company may use the data for their own benefit,” he added.

FaceApp CEO Yaroslav Goncharov, however, has told the Washington Post that the app only uploads photos selected by a user for editing and that most photos are deleted from its servers within 48 hours.

Government authorities in Russia do not have any access to the photos, he told the Post, adding that the company does not “sell or share any user data with any third parties”.

Mr Goncharov was also cited in BBC as saying that the terms in FaceApp’s privacy policy are generic and that the company does not share the data for ad-targeting purposes.

Instead, the app makes its money through paid subscriptions for premium features, he said.

Still, Mr Shashwat noted, the app stores data on a cloud and “the fact remains that FaceApp gains access to the user’s photographs by the user’s own will”.

“Once the photograph is with FaceApp, it is up to them how they choose to handle that content”, he said.

Additionally, photographs uploaded to the cloud are at risk of being targeted by hackers who may use them for running facial identification to compromise individuals and companies, said Mr Alvin Rodrigues, senior director and security strategist at Forcepoint Asia Pacific & Japan.

“The face is your personal copyright. From a security perspective, you are giving away your ability to use your face as a password to log files or to lock your devices,” he said.

WHY ARE GOVERNMENTS SPEAKING OUT?

Authorities from Singapore to the United States and Europe have raised their concerns about the app, with some calling for investigations into its potential threat to national security.

Singapore Prime Minister Lee Hsien Loong on Friday (Jul 19) cautioned that people should be careful with what apps they download.

“Many are having a bit of fun sharing the modified photos, of themselves or others. There’s nothing wrong with that, but most likely many don’t know (or don’t care) how much personal data such apps get access to when they are downloaded and used,” he said in a Facebook post.

“The tech world moves so fast that it is difficult to screen every new app that comes out. That shouldn’t stop us from trying out new things, but do be careful with what apps you download and use,” he said.

FaceApp has also come under fire in the United States, with one senator urging a Federal Bureau of Investigation (FBI) probe, reported AFP.

“FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of US citizens to third parties, including potentially foreign governments,” Senate Minority Leader Chuck Schumer said in a letter to the FBI.

“It would be deeply troubling if the sensitive personal information of US citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States,” he added.

Poland and Lithuania have also said they are looking into the potential security risks of the app.

Poland’s digital affairs ministry said it was “analysing” the security risks posed by FaceApp to the personal data of its users, despite assurances by its designers that the app is safe.

“Various experts point to possible risks related to inadequate protection of users’ privacy,” the ministry said in a statement on its website.

Cybersecurity authorities in EU neighbour Lithuania are also investigating potential threats to users’ personal data, deputy defence minister Edvinas Kerza told AFP.

Mr Kerza added that the makers of FaceApp have cooperated with other Russian Internet companies that may not comply with EU data use regulations.

WHAT ABOUT OTHER SIMILAR APPS?

FaceApp is not the first app where users upload pictures of themselves. Popular apps such as Instagram and Facebook all make use of similar features and contain user data. According to the editor-in-chief of tech site Lifewire, Twitter also has similar clauses within its terms and conditions.

“Indeed, while the spotlight for the past week has been on FaceApp’s privacy policies on the back of its virality across social media, it’s important that we remember that similar policies are in place across all major social media networks – FaceApp’s policies don’t go against the grain,” Mr Shashwat said.

READ: Cambridge Analytica: Firm at the heart of Facebook scandal

SHOULD USERS BE RESPONSIBLE FOR THEIR OWN DATA?

Sixty-three per cent of consumers do not read license agreements and 43 per cent just tick all privacy permissions when they are installing new apps, said Kasperky’s general manager for Southeast Asia, Mr Yeo Siang Tiong, referring to a study done three years ago.

He added that “there is no harm in joining online challenges or installing new apps”, but “the danger lies when users just grant these apps limitless permissions into their contacts, photos, private messages, and more”.

Users should do some research and look out for any red flags that have been raised around apps’ security, Mr Shashwat added.

“Make sure you always read the privacy terms and conditions when signing up to ensure that your personal data isn’t shared with anyone you don’t know or trust.

“It’s also important to be aware of how your data could be used and accessed by third party sites and apps,” he added.

When it comes to deciphering the chunk of text found within the terms and conditions, Mr Shashwat suggested that consumers look out for the following – personal data, ranging from names or usernames to pictures, location data and browsing habits.

“The privacy policy of any app should dictate how the data that was acquired from the user is handled from start to end. This includes how the data is meant to be used, storage and transfer policies, the duration the data will be kept by the app, policies around how the user can ask for the data to be removed, and whether the data is accessed by any additional third parties,” he said.

“Overall, it’s a good security habit for all consumers to only share personal data when it’s absolutely necessary.”

READ: Commentary: What those ‘updates to our privacy policy’ mean for Singapore

Additional reporting by Kevin Kwang.

Channel News Asia: