FaceApp undermines privacy rights - and fake App makes it worse

News by Mia Simpson

FaceApp is granting itself permission to use names, usernames and all likenesses in any media format without compensation, whilst an app impersonating it attacks users' devices with the MobiDash adware module.

Shockingly, FaceApp’s Age Challenge - a filter that allows you to change photos to make people look older - grants itself permission to use names, usernames and all likenesses in any media format without compensation.

This means that if the app uses something from a user, the company will not have to pay them and the user cannot take it down or complain about it. Rick McElroy, head of security strategy at Carbon Black, commented that, "FaceApp serves as an important reminder that free isn't free when it comes to apps. The user is the commodity, whether sold for purposes such as marketing or more nefarious things like identity theft and creation of deep fakes." McElroy went on to suggest that users, "Don't use apps that need access to all your data and be sure to read the EULAs to ensure the app gives users some sort of control and protection based on where the data is stored and processed."

In addition, FaceApp uploads the user’s photos to the cloud instead of processing them on the device, as many other apps do. Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), said, "Users of AI enabled applications like FaceApp likely aren’t aware that the AI actions taken by the app will occur on servers owned and managed by the app authors. This means that whatever data provided will be available to them, for whatever use, for as long as they want." Furthermore, just by downloading the app, you are giving it location data, browser history and other information that can go to third parties.

However, users aren’t clearly being told this, even though GDPR requires that EU users be informed. Ray Walsh, data privacy advocate at ProPrivacy, said, "GDPR applies to all firms that process data about EU citizens which means that the regulations do apply to FaceApp if it controls or processes any data pertaining to EU citizens. In reality, however, it is hard to prove exactly what FaceApp might be doing with consumer data. This makes it difficult to ascertain whether EU (or US) citizens' privacy rights are being broken." Yaroslav Goncharov, FaceApp’s CEO, has claimed that, "Most images are deleted from our servers within 48 hours from the upload date." He went on to say that his company did not share or sell user data with any third parties. However, as Walsh said, "it is hard to prove exactly what FaceApp might be doing with consumer data."

Even more concerning is a fake application impersonating FaceApp, reported by Kaspersky Lab. The fake application attacks users’ devices with the MobiDash adware module. Igor Golovin, security researcher at Kaspersky, described the attack, saying that, "Once the application is downloaded from unofficial sources and installed, it simulates a failure and is subsequently removed. After that, a malicious module in the application rests discreetly on the user’s device, displaying adverts." In the past two days, about 500 different users have run into this problem, with the first problems occurring on 7 July. Golovin went on to suggest that, "This means that the activities of the fake version of FaceApp could intensify, especially if we are talking about hundreds of targets in just a few days. We urge users not to download applications from unofficial sources and to install security solutions on their devices to avoid any damage."

FaceApp first became popular in 2017 when it was created by a team in Saint-Petersburg, Russia. The app uses neural networks to edit selfies that the user takes, adding filters to them. 
