Identifying Risks and Myths in ‘FaceApp’ Craze

Is a peek into the future worth your privacy in the present? That concern was pushed to the spotlight this week with the resurgence of a smartphone app that uses artificial intelligence to transform your current face into your younger and older selves.

People raised fears on Twitter and other social media sites that on iPhones, FaceApp would be able to see and upload all your photos, including screenshots with sensitive financial or health information or photos of kids with the names of their schools in the background.

That's not actually true, but the scuttle serves as a good reminder to think twice before downloading new apps.

Even large, mainstream apps routinely collect user data. But many trendy-at-the-moment apps are guilty of mining user data as a primary purpose. Some personality quizzes on Facebook and similar services collect user information as a business, opening people up to breaches such as in the Cambridge Analytica scandal.

As for FaceApp, the app grabs a photo only if you specifically select it to see your face change, security researcher and Guardian Firewall CEO Will Strafach said.

The confusion comes from an iPhone feature that shows your photo library within the app. It is an Apple feature that lets you select a specific photo, but doesn't give the app full access to the library, even though it may appear that way.

You have the option of granting access to your entire photo library, but even then, there is no evidence the app is uploading anything other than the photo selected.

"I'm always looking for privacy concerns," said Strafach, who used a network analyzer tool to track what was happening. "When it's not happening, it's not happening."

There's a version of FaceApp for Android, but those phones don't tap photo libraries the same way.

That's not to say the app isn't free of problems, Strafach said.

Among other things, photos get sent to the cloud for processing in both the iPhone and Android versions, exposing them to hacking and other problems. FaceApp does not explicitly tell users that the photos are being sent to the cloud. Some apps try to limit exposure by doing the processing on the devices themselves, not in the cloud.

FaceApp's privacy policy also says it is using data from the app to serve targeted ads and to develop new products and features. It says it does not sell data to third party apps, but lists many exceptions including one that allows it to share data after removing information that identifies users.

Cybersecurity expert Don Vilfer was in charge of the FBI's white-collar and computer crimes unit in Sacramento. He’s now the president of Digital Evidence Ventures.

"You are giving up data and you are giving up information, and the app makes it clear with their agreement as to what you’re giving up. You’re giving up a log file even of activity on your phone that they could access and see your browsing history or cookies from your phone or cookies that they install, and tracking information. That kind of thing," Vilfer said. "But you’re permitting this with the use of a lot of apps."

While Vilfer will not be adding the app to his phone, he doesn't think there's much to worry about if you did.

"It’s probably an innocuous app that’s made for entertainment and to make some money because they have a pro version that you can spend money on to get increased features," he said. "So it's probably innocent enough and they’re not harvesting data off of your phone but you are authorizing them to do that.”

FaceApp, which is developed in Russia by Wireless Lab, has had surges of viral popularity before. The app also allows people to swap their genders or add facial hair or makeup.

Wireless Lab told technology news site TechCrunch that it may store users' photos in the cloud, but "most" are deleted after 48 hours. It said no user data is transferred to Russia.

"It doesn't mean they're necessarily bad people but that they’re subject to Russia as opposed to being subject to the United States," said business law attorney Elizabeth Weinsten.

The company has not responded to questions from The Associated Press. It told TechCrunch that users can request to have their data deleted.

Even with those admissions, Strafach urged people to resist the pull of the app. He said the app should have been upfront and told users it was processing photos in the cloud rather than on phones.

"Bottom line is they were handling sensitive data and they handled it cavalierly and that's just not cool," he said.

Notice: you are using an outdated browser. Microsoft does not recommend using IE as your default browser. Some features on this website, like video and images, might not work properly. For the best experience, please upgrade your browser.