MANILA, Philippines – You’ve probably seen them all over Instagram: faces of your friends if they had been decades older.
That’s because of an app called FaceApp, a photo editor that lets you make your selfies look younger or older, add a smile, and change your hairstyle, among other options. The most popular feature so far though is the option of adding years and wrinkles to your face. It’s very realistic and fascinating, leading to the app’s popularity.
With the popularity, comes some controversy, including one US senator who has called for an investigation of the app.
Why the worries?
The worries root from the fact that the selfies are being uploaded and processed on FaceApp’s server, and that the app was uploading the user’s entire camera roll on the server – although several online experts have come out to say that they have found no evidence pointing to such.
The company that owns the app has also caused some concern because it is based in Russia, and whose CEO is a former executive at the Russian counterpart of Google, Yandex. Russia has generally not had the rosiest reputation when it comes to cyber issues, although, again, some have pointed out that it isn’t fair to judge the app just because of where it is based.
Users also cannot delete the photos on the app’s servers by their own. They have to make a request to FaceApp in order to do so, as told to TechCrunch. Delete requests can be sent “via the mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line.” The company also told the site that it’s adding that it’s “working on a better UI for that.”
Another concern? The terms of service may be problematic, lacking specificity in such a way that the company may be able to use people’s data such as their usernames, names, and likenesses for commercial purposes. The Verge, quoting lawyer Elizabeth Potts Weinsten, says that the terms of service may not be compliant with the GDPR, which may be the biggest concern for anyone who cares about their data. The site also reports that the company has said that it doesn’t sell user data to third parties.
What have researchers found?
The Verge says that they’ve found that the app isn’t “doing anything particularly unusual in either its code or its network traffic, so if you’re worried about FaceApp, there are probably a bunch of other apps on your phone doing the same thing.” Although, the site adds that “the conversation does bring attention to standard tech practices that might be more invasive than users realize.”
Researcher Jane Manchun Wong that she hasn’t found anything “fishy” in the app:
I am not seeing much fishy in FaceApp— Jane Manchun Wong (@wongmjane) July 17, 2019
Photos are uploaded to FaceApp's servers on AWS w/ authorization. Not much info is being sent to FaceApp's servers other than user metrics (e.g. ui interactions)
I just wish there's an option for users to delete their photos from the server
iOS researcher Will Strafach says he hasn’t found evidence that the app is uploading the full camera roll to remote servers:
using a network traffic analyzer, I tried to replicate the thing people are talking about with FaceApp allegedly uploading your full camera roll to remote servers, but I did not see the reported activity occur.— Will Strafach (@chronic) July 17, 2019
here is marlo stanfiekd with a beard though pic.twitter.com/6wy8cHLNuA
Another security researcher going by the monicker Elliot Alderson warns not to judge the app just because it comes from Russia:
As far as I can see, there is no reason to be concerned with the current version available on the store. I don’t see why the nationality of the developers is an issue. There is also some legit devs in Russia.— Elliot Alderson (@fs0c131y) July 17, 2019
Forbes also found out that the servers of the app are based mostly in America, not Russia. “The servers for FaceApp.io were based in Amazon data centers in the U.S. The company told Forbes that some servers were hosted by Google too, across other countries, including Ireland and Singapore,” says the site.
Generally, nothing has been seen that there’s anything serious behind FaceApp. Practice some vigilance. If you want to use it, be aware that it’s going to get a hold of your face photo. That’s the trade-off here, and most apps will have this trade-off: your data for their service. If you’re uncomfortable having your photo on an app’s server, avoid using it. – Rappler.com