FaceApp has gone viral thanks to an Age Challenge which involves using the app to augment your face to look like an old person. It uses artificial intelligence to edit a picture in your phone gallery and transforms the image into someone double or triple your age. And whilst the AI-influenced makeovers are funny and eerily correct, using the FaceApp means you might be giving away more than you thought.
FaceApp is allowed to use your name, username or any likeness provided in any media format it likes without compensation, meaning you will not be paid for it, or have any ability to take it down or complain about it. This is also because FaceApp uploads your photo to the cloud for processing, it doesn’t carry out on-device processing like many apps do. After doing so, it retains the image long after you’ve deleted the app and moved on to the next viral sensation. People using the app are not made aware of this.
Here's what you need to know before using the popular FaceApp that can make you look older- and has access to your entire photo library. https://t.co/pOBkSY2Img
— WJZ | CBS Baltimore (@wjz) July 17, 2019
Experts Comments:
Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Center):
“Users of AI enabled applications like FaceApp likely aren’t aware that the AI actions taken by the app will occur on servers owned and managed by the app authors. This means that whatever data provided will be available to them, for whatever use, for as long as they want. It is the potential for this unbounded activity which requires users to be vigilant and ensure the privacy policy includes clear statements surrounding what data was used, where it is being processed and by what organization, and for how long the original and derivative works are retained. In the case of FaceApp we also need to look at the question of image copyright and the nature of their service. When a photo is taken, the photographer owns the copyright to the resulting image. They can license that image and absent a license, most jurisdictions have strict guidelines on how an image can be used. Additionally, if the image is of a person, the photographer should have obtained a release from all people in the image. When combined the license and releases provide the legal framework for how images can be used in specific contexts. While much of the coverage of FaceApp’s recent surge in popularity has centered around privacy concerns, the reality is any image uploaded to FaceApp is being transferred to a third party absent a license and modified versions of the uploaded image are then returned. The FaceApp Privacy Policy doesn’t help matters as it simply states that User Content is available to any company in the group of companies FaceApp is part of – without defining this group. All of this should raise alarms whenever a free service is acting on sensitive information like images – the revenue to pay for the service is coming from somewhere and it’s likely the sale of data related to what the service provides. “
Javvad Malik, Security Awareness Advocate at KnowBe4:
“The implications on privacy for apps like Faceapp is extremely concerning. The app itself uses AI to digitally age users’ photos, which is fun from a novelty perspective, but the same types of AI is used to produce deepfake type of imagery which can be used for nefarious purposes such as public embarrassment or blackmail. The fact that faceapp retains access to iOS photos without permission should be a red flag for all app store maintainers”
Tim Erlin, VP at Tripwire:
“Overreaching terms of service are not a new phenomenon. In most cases, they’re written by lawyers who are tasked with protecting the company, not the consumer. It’s no surprise that terms of service are heavily skewed toward that end. The percentage of people who make a decision not to use an app because of the terms of service is very small. There’s no downside for an app publisher to be overly aggressive in what rights they claim in their terms. Until the terms become relevant to the apps adoption, we can expect more of the same.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.