‘FaceApp challenge’ hype raises smorgasbord of privacy concerns
Image credit: Dreamstime
The app, which was developed by St Petersburg-based company Wireless Lab, uses machine learning to transform photographs of faces in realistic detail. The app uses photographs previously submitted to refine its sophisticated neural networks.
It has been used to switch gender, ethnicity, and to add smiles and makeup to photographs. It is enjoying another spike in popularity thanks to the not-particularly-challenging ‘FaceApp Challenge’, which involves sharing realistic aged-up photographs created by the app. The app’s return to the headlines has sparked fresh privacy concerns.
Meanwhile, in the UK, the Information Commissioner’s Office told BBC News it was aware of privacy concerns regarding FaceApp, and it would be giving them consideration.
FaceApp first attracted privacy concerns in 2017: the year of its launch. In July 2017, FaceApp founder and CEO Yaroslav Goncharov stated that user data – including uploaded photographs – was processed on Google Cloud and Amazon Web Services servers (in the US, Ireland, and Singapore) rather than being transferred to Russia, as some had suspected. Uploading photographs to the cloud allows for much faster processing than if they were retained on users’ handsets using the basic machine-learning features available in Android and iOS.
The latest concerns were raised by a developer, Joshua Nozzi, tweeting a warning that the app could be used to collect all photographs from the user’s phone, which could in turn be uploaded to servers without the user’s explicit permission. This sparked fears that huge amounts of user data could be stored on Russian servers. This is not an entirely irrational concern, given that the developer is based in St Petersburg, and FaceApp user data stored on Russian servers could be seized by government authorities. This enormous collection of photographs would – if accessible – be extremely valuable for various purposes, including training facial recognition software.
However, a high-profile French security researcher who goes by the name Elliot Alderson checked where the app was really sending photographs by downloading the app himself. He found that FaceApp stored photographs on servers that were mostly based in US, but only photographs explicitly selected by the user.
Goncharov confirmed that some images are stored on servers to prevent users from having to upload the same photograph repeatedly for multiple edits, but these are deleted within 48 hours of upload. He told BBC News the photographs are not used for facial recognition training, only for improving its neural networks.
Nozzi later acknowledged he had made a mistake, stating in a blog post that: “I was wrong to have posted the accusation without testing it first”, although “legitimate concerns remain”, such as the app not warning users about their photographs being sent to the cloud for processing, and the app requesting an unnecessary level of access without explanation.
While FaceApp’s privacy policies may be generic, the episode could serve as a warning that standard app privacy policies may well be more insensitive and exploitative than the user may realise.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.