FaceApp Trends Again, Poses Fresh Threat to User Data

INDIA - 2019/07/17: In this photo illustration, the logo of the photo editing application FaceApp is seen displayed on a smartphone. (Photo Illustration by Avishek Das/SOPA Images/LightRocket via Getty Images)

Over the past few days there has been a surfeit of pictures posted on social platforms, especially Facebook, of users' mugshots, both from the present and as they would look in the future. In fact, one of the images that went viral over WhatsApp was a meme of the Indian cricket team in 2050, with the likes of Virat Kohli and MS Dhoni still playing.

For the uninitiated, the app, which went viral again on the iOS platform after having done so two years ago, lets users change their facial expressions and looks and see how they are likely to age in the future. This explains the sudden flurry of activity on social platforms, with users twisting the features of global leaders.

The app, developed in St. Petersburg, Russia, uses a photo-realistic face-morphing technology built around neural networks. It has once again raised questions over the security of data residing in Apple phones, with US Senator Chuck Schumer calling on the FBI to investigate amidst reports that it has access to data from 150 million people across the world.

Users in the United States are questioning the legitimacy of the app, given that it requires users to log in via Facebook and collects data related to the name, profile pictures, photographs and email details, with the company ambiguously stating that such data could be shared with its “affiliates”.

The immediate threat relates to all user photos getting uploaded to the app, though security researcher and Guardian App CEO Will Strafach refuted this claim. However, Geoffrey A. Fowler, technology editor at the Washington Post, believes that the app does in fact share data with other applications.

In his article, Fowler says that the app shared data from his phone with Facebook and Google AdMob, which probably helps it place ads and check their performance. “The most unsettling part was how much data FaceApp was sending to its own servers, after which… who knows what happens.”

Both the App Store and Play Store gave the go-ahead for the app, despite the fact that its terms of use are far from clear. Sample this:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you…”

So, be warned that photos shared via FaceApp may find their way onto other servers, and eventually onto a porn site, or maybe a billboard in some other country.

The app has a history of launching features and then removing them. Two years ago, it offered ethnicity filters that let users change their faces and check how they would look if they were black, Caucasian, Chinese or Indian. Of course, the developers removed this filter after user protests and media outrage, after which the app disappeared.

Now that it has resurfaced, FaceApp gets users to give it permission to access user photos, besides possibly gaining access to Siri and Search on the iPhone. There is also the possibility that it is refreshing itself in the background, which means that it is using your data even when you aren’t actually using the app.

In the iOS version, there is a minor saving grace: if iPhone users have set the Photo Access status to Never, the app wouldn’t be able to get to the photo library. Users would then need to grant the app access by choosing a specific photograph.

What continues to be unclear is whether this photo gets processed in the cloud and whether the app retains the image on its servers.

There is also the possibility that the app doesn’t do anything nefarious today but is silently capturing all sorts of data, including screenshots of bank account data, on the user’s most personal device.