Is FaceApp really spying on you? No more than Facebook, says researcher

A new and popular app is accused of harvesting photos with its users' permission

How much do apps like FaceApp threaten your privacy? | Shutterstock

We are conditioned to say ‘yes’ when apps ask our permission to consume, consolidate and circulate our data. If we do not, the app will not work. It is a Hobson's choice — take it or leave it — and more often than not, we take it.

The latest app to work wonders with user data is FaceApp, an AI-based imaging tool that uses machine learning to change a person’s appearance: from old to young, young to old, male to female (and vice versa), and even to add a smile to an otherwise blank expression.

With over one million downloads on the Play Store and 435,000 downloads on the App Store, it has started a wave of gender-bending, age-lifting and appearance-shifting posts. Sports stars started taking the #AgeChallenge en masse, prompting ESPN to share an image of the Cricket World Cup captains aged by a few decades (give or take).

As everyone took to the app for some light-hearted fun, social media feeds were taken over by the app’s content.

As with any new thing, there were sceptics. The app will not work unless users grant it permission to view their photos. On installing the app, users are asked for permission to “access photos, media and files”. This allows the app to access the image that you want to add, say, 40 years to.

Screenshot of the app's terms and conditions

For context, FaceApp’s founder, Yaroslav Goncharov, told TechCrunch in 2017 that the app uses “deep generative convolutional neural networks” to process and create its images. This means that FaceApp’s AI splits into two processes: one that creates altered images and one that tries to tell if they are fake. It runs this process through multiple iterations, giving you the altered file only when it is so realistic that even the AI cannot tell which is fake and which is original.

The catch

Though the app has swiftly become a phenomenon, fears have surfaced over whether all those photos are being taken from users' phones and stored on a server somewhere. That Goncharov is Russian has added to the backlash.

FaceApp’s terms and conditions added to the fire, with screenshots of the page widely shared by users concerned about their privacy.

“User Content does not include user-generated filters. Except for the license you grant below, you retain all rights in and to your User Content, as between you and FaceApp. Further, FaceApp does not claim ownership of any User Content that you post on or through the Services.

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.”

Frightening as this reads, it is not too dissimilar from other apps’ terms and conditions. Take Instagram, which says the same thing but in politer terms.

Instagram's terms and conditions

Such licenses allow companies to use and redistribute your photos and content for free or for a fee with no legal implications for them. It might be a problem for you, however, if you share content on Instagram that you have sold the exclusive rights to elsewhere.

Fears that the app is uploading user data to a cloud or server in Russia are as yet unverified. A Twitter thread by French security researcher Elliot Anderson points out that the app only uploads modified photographs — not your entire camera roll — to its servers. He points out that the app uses Facebook's own SDK, and that Snapchat’s terms and conditions are also similar, urging readers to read the terms and conditions of other applications.

The implication

Anderson’s clarification does not take away from the inherent dangers of such apps. Neural networks that train themselves to recreate your likeness can be abused in a myriad of ways — from putting your likeness in situations that did not take place (like DeepFakes) to selling your image to companies with which you do not want your face to be associated.

The real issue is one that plagues users of any app — how far can free apps go with the permissions granted to them? A 2016 International Computer Science Institute (ICSI) study looked at 283 Android VPN apps and the permissions they took. Despite claiming to be secure services, the vast majority of them (75 per cent) used third-party apps to host sensitive user data. The paper’s observation was that most users were unaware of the extent of the sweeping permissions they had granted these apps, when it came to sensitive data.

A recent ICSI report found over 1,300 apps took data even without getting permission to do so, tracking users’ phones and sensitive information without consent.