
‘FaceApp challenge’ hype raises smorgasbord of privacy concerns

Image credit: Dreamstime

Lawmakers have raised concerns about possible mishandling of data uploaded to FaceApp, although expert opinion leans toward the conclusion that the app’s privacy policy is no more nefarious than those of other popular apps.

The app, which was developed by St Petersburg-based company Wireless Lab, uses machine learning to transform photographs of faces in realistic detail. The app uses photographs previously submitted to refine its sophisticated neural networks.

It has been used to switch gender and ethnicity, and to add smiles and makeup to photographs. It is enjoying another spike in popularity thanks to the not-particularly-challenging ‘FaceApp Challenge’, which involves sharing realistic aged-up photographs created by the app. The app’s return to the headlines has sparked fresh privacy concerns.

In the US, Senate Minority Leader Chuck Schumer has written to the FBI and Federal Trade Commission requesting they investigate the app’s handling of user data. Schumer says there is uncertainty about how user data is used; that the app’s privacy policy requires users to give FaceApp permission to use their content without notification or compensation; and that its Russian origin “raises questions” about how American user data could be shared with third parties, including foreign governments. According to CNN, the Democratic National Committee has urged all 2020 campaigns not to use the app, noting it was “developed by Russians” and that, while it was not clear what the privacy risks could be, the organisation has serious concerns about it.

Meanwhile, in the UK, the Information Commissioner’s Office told BBC News it was aware of privacy concerns regarding FaceApp, and it would be giving them consideration.

FaceApp first attracted privacy concerns in 2017, the year of its launch. In July 2017, FaceApp founder and CEO Yaroslav Goncharov stated that user data – including uploaded photographs – was processed on Google Cloud and Amazon Web Services servers (in the US, Ireland, and Singapore) rather than being transferred to Russia, as some had suspected. Uploading photographs to the cloud allows for much faster processing than if they were retained on users’ handsets using the basic machine-learning features available in Android and iOS.

The latest concerns were raised by a developer, Joshua Nozzi, tweeting a warning that the app could be used to collect all photographs from the user’s phone, which could in turn be uploaded to servers without the user’s explicit permission. This sparked fears that huge amounts of user data could be stored on Russian servers. This is not an entirely irrational concern, given that the developer is based in St Petersburg, and FaceApp user data stored on Russian servers could be seized by government authorities. This enormous collection of photographs would – if accessible – be extremely valuable for various purposes, including training facial recognition software.

However, a high-profile French security researcher who goes by the name Elliot Alderson checked where the app was really sending photographs by downloading the app himself. He found that FaceApp uploaded only photographs explicitly selected by the user, and stored them on servers that were mostly based in the US.

Goncharov confirmed that some images are stored on servers to prevent users from having to upload the same photograph repeatedly for multiple edits, but these are deleted within 48 hours of upload. He told BBC News the photographs are not used for facial recognition training, only for improving its neural networks.

Nozzi later acknowledged he had made a mistake, stating in a blog post that: “I was wrong to have posted the accusation without testing it first”, although “legitimate concerns remain”, such as the app not warning users about their photographs being sent to the cloud for processing, and the app requesting an unnecessary level of access without explanation.

According to small business lawyer Elizabeth Potts Weinstein, FaceApp’s privacy policy is “not remotely GDPR” compliant, allowing for data to be transferred to any location where the company has a facility. Other experts compared the app’s invasive privacy policy to those of other popular apps, such as Twitter and Snapchat.

While FaceApp’s privacy policies may be generic, the episode could serve as a warning that standard app privacy policies may well be more insensitive and exploitative than the user may realise.
