FaceApp scares point to larger data collection problems

Last week, if you thumbed your way through Facebook, Instagram, and Twitter, you likely saw altered photos of your friends with a few extra decades written onto their faces—wrinkles added, skin sagged, hair bereft of color.

Has 2019 really been that long? Not really.

The photos are the work of FaceApp, the wildly popular, AI-powered app that lets users “age” pictures of themselves, change their hairstyles, put on glasses, and present a different gender.

Then, seemingly overnight, users, media reports, and members of Congress turned FaceApp into the latest privacy parable: If you care about your online privacy, avoid this app at all costs, they said.

It’s operated by the Russian government, suggested the investigative outlet Forensic News.

It’s a coverup to train advanced facial recognition software, theorized multiple Twitter users.

It’s worthy of an FBI investigation, said Senator Chuck Schumer of New York.

The truth is less salacious. Here’s what we do know.

FaceApp’s engineers work out of St. Petersburg, Russia, which is not by any means a mark against the company. FaceApp does not, as previously claimed, upload a user’s entire photo roll to servers anywhere in the world. FaceApp’s Terms of Service agreement does not claim to transfer the ownership of a user’s photos to the company, and FaceApp’s CEO said the company would soon update its agreement to more accurately describe that the company does not utilize user content for “commercial purposes.”

Finally, the blowback against FaceApp—for what the company could collect, per its privacy policy, and how it could use that data—is a bit skewed. Countless American companies allow themselves to do the same exact thing today.

“The language you quoted to me, I recommend you look at the terms on Facebook or any other sort of user-generated service, like YouTube,” said Mitch Stoltz, senior staff attorney at Electronic Frontier Foundation, when we read FaceApp’s agreement to him over the phone.

“It’s almost word-for-word,” Stoltz said. “All that verbiage, in a vacuum, sounds broad, but if you think about it, those are the terms used by almost any website that allows users to upload photos.”

But the takeaway from this week of near-hysteria should not be complacency. Instead, the story of FaceApp should serve as yet another example supporting the always-relevant, sometimes-boring guideline for online privacy: Ask questions first, download later (if at all).

FaceApp’s terms of service agreement

When users download and use FaceApp, they are required to agree to the parent company’s broad Terms of Service agreement. Those terms are extensive:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”

Further, users are told through the Terms of Service agreement that “by using the Services, you agree that the User Content may be used for commercial purposes.”

This covers, to put it lightly, a lot. But it is far from unique, Stoltz said.

“Any website that allows anyone in the world to post photos is going to have a clause like that—‘by uploading photos you give us permissions to do anything with it,’” Stoltz said. “It protects them against all manner of users trying to bring legal claims, where, oh, they only wanted four copies of a photo, not 10 copies. The possibilities are endless.”

Several years ago, CNN dug through some of the most one-sided terms of service agreements for popular social media platforms, Internet services, and companies, and found, for example, that LinkedIn claimed it could profit from users’ ideas.

Relatedly, Terms of Service; Didn’t Read, which grades companies’ user agreements, currently shows that Google and Facebook can use users’ identities in advertisements shown to other users, and that both companies can track your online activity across other websites.

Stoltz also clarified that FaceApp’s Terms of Service agreement does not claim to take the copyright of a photo away from whoever took that photo—a process that would be difficult to do in a contract.

“It’s been tried—it’s something the courts don’t like,” Stoltz said.

Stoltz also said that, while consumers do have the option to bring a legal challenge against a contract they allege is unfair, such successful challenges are rare. Stoltz gave one example of where that worked, though: a judge sided with a rental car customer who challenged a company’s extra charge every time the driver sped past the speed limit.

“The court said nuh-uh, you can’t bury that in a contract and expect people to fully understand that,” Stoltz said.

As to how FaceApp will actually use user-generated photos, FaceApp CEO Yaroslav Goncharov told Malwarebytes Labs in an email that the company plans to update its terms to better reflect that it does not use any users’ images for “commercial purposes.”

“Even though our policy reserves potential ‘commercial use,’ we don’t use it for any commercial purposes,” Goncharov said. “We are planning to update our privacy policy and TC to reflect this fact.”

Dispelling the rumors

On July 17, United States Sen. Schumer asked the FBI and the Federal Trade Commission to investigate FaceApp because of the app’s popularity, the location of its parent company, and its alleged potential link to foreign intelligence operations in Russia.

The next day, Sen. Schumer spoke directly to consumers in a video shared on Twitter, hammering on the same points:

“The risk that your facial data could also fall into the hands of something like Russian intelligence, or the Russian military apparatus, is disturbing,” Schumer said.

But, according to FaceApp’s CEO, that isn’t true. In responding to questions from The Washington Post, Goncharov said the Russian government has no access to user photos, and, further, that unless a user actually lives in Russia, user data is not located in the country.

Goncharov also told The Washington Post that user photos processed by FaceApp are stored on servers run by Google and Amazon.

In responding to questions from Malwarebytes Labs, Goncharov clarified that the company removes photos from those servers based on a timer, but that sometimes, if there is a large quantity of photos, the removal process can actually take longer than the chosen time limit itself.

“You can set a policy for an [Amazon Simple Storage] bucket that says ‘delete all files that are older than one day.’ In this case, almost all photos may be deleted in 25 hours or so. However, if you have too many incoming photos it can take longer than one hour (or even 24 hours) to delete all photos that are older than 24 hours,” Goncharov said. “[Amazon Web Services] doesn’t provide a guarantee that it takes less than a day to complete a bucket policy. We have a similar situation with Google Cloud.”
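The retention mechanism Goncharov describes, as an added example that is not FaceApp’s code: the lifecycle rule in the shape S3’s put-bucket-lifecycle-configuration accepts, plus the sweep an operator would run to confirm the rule is actually keeping up. The one-day window, the prefix and the listing are assumptions; the listing is constructed to mirror the Key/LastModified fields of a list_objects_v2 response so nothing here touches AWS.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the "delete all files that are older than one day" rule quoted above.
RETENTION_DAYS = 1


def lifecycle_config(days=RETENTION_DAYS, prefix=""):
    """Rule body in the shape put-bucket-lifecycle-configuration accepts: expire
    every object under `prefix` once it is `days` old, and abort stale multipart
    uploads so half-uploaded photos do not sit outside the expiry rule."""
    return {
        "Rules": [
            {
                "ID": f"expire-after-{days}d",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Expiration": {"Days": days},
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": days},
            }
        ]
    }


def overdue_objects(contents, now, days=RETENTION_DAYS, grace_hours=0):
    """Keys still present past the retention window (plus an operator-chosen grace
    period). Expiration runs asynchronously, so listing the bucket is the only way
    to know whether the rule is keeping up with the upload rate."""
    limit = timedelta(days=days, hours=grace_hours)
    return [obj["Key"] for obj in contents if now - obj["LastModified"] > limit]


# Constructed listing: the Key/LastModified fields of a list_objects_v2 response,
# with ages chosen to sit on both sides of the one-day window.
NOW = datetime(2019, 7, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    {"Key": "uploads/a.jpg", "LastModified": NOW - timedelta(hours=2)},
    {"Key": "uploads/b.jpg", "LastModified": NOW - timedelta(hours=23)},
    {"Key": "uploads/c.jpg", "LastModified": NOW - timedelta(hours=26)},
    {"Key": "uploads/d.jpg", "LastModified": NOW - timedelta(hours=49)},
]

if __name__ == "__main__":
    import json

    print(json.dumps(lifecycle_config(), indent=2))
    print("overdue:", overdue_objects(SAMPLE_LISTING, NOW))
    print("overdue with 3h grace:", overdue_objects(SAMPLE_LISTING, NOW, grace_hours=3))
```

Two caveats an operator should build into the sweep rather than into their expectations: S3 evaluates an expiration rule against the object’s creation time rounded forward to the next midnight UTC, so a one-day rule can legitimately leave an object for nearly two days, and, as Goncharov notes, the expiry itself is queued work with no completion guarantee. The grace period above is how to tell “expected lag” apart from “the policy is not keeping up.”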

Another concern that some users raised about FaceApp was the possibility that the app was accessing and downloading every photo locally stored on a user’s device.

But, again, the rumors proved to be overblown. Cybersecurity researchers and an investigation by BuzzFeed News found that the network traffic between FaceApp and its servers showed no sign of wholesale hoovering of user data.

“We didn’t see any suspicious increase in the size of outbound traffic that would indicate a leak of data beyond permitted uploads,” BuzzFeed News wrote. “We uploaded four pictures to FaceApp, which corresponds with the four spikes in the graphic, with some noise at the end after the fourth upload.”
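The traffic check BuzzFeed News describes, as an added example (not BuzzFeed’s tooling or FaceApp’s code): per-second outbound byte counts from the device are grouped into bursts, and the session total is reconciled against the photos the user actually chose to upload. The byte counts, photo sizes, idle baseline and protocol-overhead factor are constructed assumptions standing in for a real capture.

```python
# Assumptions (constructed, not measured): idle chatter per second, and the
# TLS/HTTP framing and retry overhead a photo upload carries on top of its bytes.
BASELINE_BYTES = 2_000
OVERHEAD_FACTOR = 1.15

# Constructed sizes of the four photos the user deliberately uploaded.
UPLOADS = [1_500_000, 1_200_000, 1_800_000, 1_400_000]


def find_bursts(samples, threshold=BASELINE_BYTES * 5, min_bytes=0):
    """Group consecutive seconds whose outbound bytes exceed `threshold` into
    bursts, dropping bursts smaller than `min_bytes`. Each burst is
    (first_second, last_second, total_bytes). `samples` are (second, bytes_out)
    pairs in time order, one per second."""
    bursts, current = [], None
    for second, sent in samples:
        if sent > threshold:
            if current is None:
                current = [second, second, 0]
            current[1] = second
            current[2] += sent
        elif current is not None:
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return [b for b in bursts if b[2] >= min_bytes]


def excess_outbound(samples, upload_sizes):
    """Bytes the device sent beyond what the permitted uploads and background
    chatter account for. Near or below zero means the traffic is explained;
    a large positive value means something else left the device."""
    observed = sum(sent for _, sent in samples)
    expected = sum(upload_sizes) * OVERHEAD_FACTOR + BASELINE_BYTES * len(samples)
    return observed - expected


def clean_capture():
    """Constructed 40-second capture: four two-second upload bursts carrying the
    photo plus ~10% framing, and a little noise after the last one."""
    samples = [(t, 1_500) for t in range(40)]
    for start, size in zip((5, 12, 20, 30), UPLOADS):
        half = size * 11 // 10 // 2  # integer arithmetic keeps the totals exact
        samples[start] = (start, half)
        samples[start + 1] = (start + 1, half)
    samples[34] = (34, 20_000)
    return samples


def leaky_capture():
    """The same capture with an extra 1.2 MB burst the user never asked for."""
    samples = clean_capture()
    samples[36] = (36, 600_000)
    samples[37] = (37, 600_000)
    return samples


if __name__ == "__main__":
    for label, capture in (("clean", clean_capture()), ("leaky", leaky_capture())):
        bursts = find_bursts(capture, min_bytes=100_000)
        print(label, "bursts:", bursts)
        print(label, "excess bytes:", round(excess_outbound(capture, UPLOADS)))
```

The two checks complement each other: counting large bursts catches an unrequested bulk upload, while the byte reconciliation also catches a slow trickle that never forms a burst. Neither proves what was inside the traffic; for that you still need to inspect the payloads (for example by proxying the app’s TLS sessions on a test device), which is exactly why the BuzzFeed result is evidence against bulk exfiltration rather than proof of good behaviour.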

Finally, despite the many distressed comments on Twitter, Goncharov also told The Washington Post that his company is not using its technology for any facial recognition purposes.

What you should do

We get it—FaceApp is fun. Sadly, for many, online privacy is less so. (We disagree.) But that does not make online privacy any less important.

For those of you who have already downloaded and used FaceApp, the company recently described an ad hoc method for removing your data from its servers:

“We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line. We are working on the better UI for that.”

For those of you who want to avoid these types of problems in the future, there’s a simple rule: Read an app’s terms of service agreement and privacy policy before you download and use it. If the agreements and policies are too long to read through—or too filled with jargon to parse—you can always avoid downloading the app altogether.

Always remember, the fear of missing out on the latest online craze should be weighed against the fear of having your online privacy potentially invaded.


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.