Privacy and security experts are warning people about the ongoing viral FaceApp Challenge in which users add years to images of their faces on their smartphone using the AI-powered app.
The free service FaceApp uses AI to edit the photos on users’ phones and changes them into what users supposedly might look like decades from now. The app can also make other changes, such as add grey hair and beard.
The FaceApp Challenge quickly went viral with the #faceappchallenge trending on social media.
But experts are warning people, that although the FaceApp Challenge is fun, users might unknowingly be signing over rights to their own images to a Russian company. FaceApp is owned by Wireless Lab, a company based in St. Petersburg, Russia.
— HANSON (@hansonmusic) July 17, 2019
FaceApp Challenge warnings
Forbes reports that concerns were first raised earlier in the week when a developer named Joshua Nozzi took to Twitter to warn people that FaceApp could be accessing people’s phones, taking as many photos as it can find, and uploading them to the company’s servers without users’ permission.
French security research expert Elliot Anderson, whose real name is Baptiste Robert, investigated the app to find out where it was sending users’ images. He concluded that contrary to Nozzi’s suggestion that the app might be taking all photos on users’ phones and sending them to the company’s servers, it only took the photos that users had submitted.
Anderson also found that the company’s servers were not based in Russia, as some had claimed, but in the U.S. According to Forbes, it was not clear how much access the company’s employees have to the images uploaded to their servers or whether the processing was done exclusively on users’ phones or on the company’s servers.
As far as I can see, there is no reason to be concerned with the current version available on the store. I don’t see why the nationality of the developers is an issue. There is also some legit devs in Russia.
— Elliot Alderson (@fs0c131y) July 17, 2019
HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that.
— Will Strafach (@chronic) July 17, 2019
Despite Anderson’s confirmation that the company’s servers are based in the U.S. and Australia, other security experts continued to warn users about the Russian company behind the app. The company first became visible in 2017 and currently has more than 80 million users worldwide.
Experts have drawn attention to the details of the company’s privacy policies, saying that users could be unwittingly signing over control on how their images are used and how and where they are stored.
FaceApp CEO responds to security questions
He said that the company stores uploaded photos in the cloud in order to optimize performance and save users the need to upload their submitted photos each time they want to do an editing operation. He added that most of the photos uploaded to their servers were deleted within 48 hours.
Walsh warned people to be wary of apps that could end up harvesting and transmitting their sensitive data without their knowledge. As an example, he mentioned an app called Meitu that came out in 2017 that allowed people to turn their selfies into Manga characters. According to Walsh, it was later found that the app was transmitting sensitive data back to servers in China.
Your face is copyrighted
“Your face is now a form of copyright where you need to be really careful who you give permission to access your biometric data,” security expert Ariel Hochstad told the Daily Mail. “If you start using that willy nilly, in the future when we’re using our face to access things, like our money and credit cards, then what we’ve done is we’ve handed the keys to others.”
Other privacy experts posted an excerpt from FaceApp’s terms and conditions to Twitter, pointing out that it essentially gives the company a perpetual and irrevocable right to use, adapt, modify and publish images that users submit.
If you use #FaceApp you are giving them a license to use your photos, your name, your username, and your likeness for any purpose including commercial purposes (like on a billboard or internet ad) — see their Terms: https://t.co/e0sTgzowoN pic.twitter.com/XzYxRdXZ9q
— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019
While we're all dragging FaceApp for taking our photos as their own, probably worth rereading Twitter's Terms of Service: pic.twitter.com/OJ0p9SLc4A
— Lance Ulanoff (@LanceUlanoff) July 17, 2019
It also allows the company to “publicly perform and display your User Content and any name, username, or likeness provided in connection with your User Content in all media formats and channels now known or later developed.[sic]”