Security Experts Issue Warning About Viral Russian-Owned FaceApp
Washington, DC – A viral photo filter application that realistically alters users’ appearances to make them look older or younger has raised alarm among privacy experts and government officials.
More than 150 million people have downloaded FaceApp, which is owned by a Russian-based company that uses facial recognition and artificial intelligence to create the altered images, WBBM reported.
When users approve the app, they not only give away access to every photo on their phone, but they also enable the company to use those photos however they want, KDKA reported.
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you,” FaceApp’s terms read, according to KDKA.
“In practice, providing this level of access to any user’s data could mean that any photos taken with the application could be used publicly or privately in the future without the user’s consent,” Senate Minority Leader Chuck Schumer said in a letter to the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) on Wednesday, according to BuzzFeed News.
It is unclear how long the application retains users’ data, or how users can ensure that their data has been deleted.
“You are giving it exclusive irrevocable access to who you are,” IT Security Solutions founder and CEO Albert Whale told KDKA.
Illinois Institute of Technology Information Technology Director Louis McHugh said there are essentially no limits on what FaceApp can do with users’ photos.
“They literally own, perpetually, your photos. Forever,” McHugh told WBBM. “They can do whatever they want with it.”
Schumer has urged the FBI and FTC to open an investigation into the application in light of “national security and privacy concerns.”
“These forms of ‘dark patterns,’ which manifest in opaque disclosure and broader user authorizations, can be misleading to consumers and may even constitute a deceptive trade practice,” Schumer wrote. “I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it.”
Schumer said he is also concerned that FaceApp could provide foreign governments with access to the data they have collected from users.
“It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States,” he added.
Schumer further urged the FTC to educate the public abut the risks associated with FaceApp and similar applications.
“In the age of facial recognition technology as both a surveillance and security use, it is essential that users have the information they need to ensure their personal and biometric data remains secure, including from hostile foreign nations,” he wrote.
On Wednesday afternoon, the Democratic National Committee sent a security alert to 2020 presidential campaigns, warning them to stay away from FaceApp, CNN reported.
FaceApp claims the “most” of the images uploaded by users are deleted within 48 hours, Tech Crunch reported.
The company also claimed that user data is not “transferred to Russia,” and said it does not “sell of share any user data with any third parties.”
“FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing,” the company said in a statement to Tech Crunch. “We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority.”
FaceApp claimed that it generally doesn’t have access to any identifying information when users upload photos, because the app’s features don’t require users to log in first.
“As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person,” the company said.
They also denied allegations that the app accesses user photos that they haven’t uploaded to the app.
“We don’t do that,” FaceApp told Tech Crunch. “We upload only a photo selected for editing. You can quickly check this with any of [the] network sniffing tools available on the internet.”