Last week, if you thumbed your way through Facebook, Instagram, and Twitter, you likely saw altered photos of your friends with a few extra decades written onto their faces—wrinkles added, skin sagged, hair bereft of color.
Has 2019 really been that long? Not really.
End Date: Friday Sep-27-2019 15:18:16 PDT
Buy It Now for only: $28.27
Buy It Now | Add to watch list
End Date: Saturday Sep-21-2019 3:29:19 PDT
Buy It Now for only: $4.45
Buy It Now | Add to watch list
The photos are the work of FaceApp, the wildly popular,
AI-powered app that lets users “age” pictures of themselves, change their hairstyles,
put on glasses, and present a different gender.
Then, seemingly overnight, users, media reports, and members
of Congress turned FaceApp into the latest privacy parable: If you care about
your online privacy, avoid this app at all costs, they said.
It’s operated by the Russian government, suggested the investigative outlet Forensic News.
It’s a coverup to train advanced facial recognition software, theorized multiple Twitter users.
It’s worthy of an FBI investigation, said Senator Chuck Schumer of New York.
The truth is less salacious. Here’s what we do know.
FaceApp’s engineers work out of St. Petersburg, Russia, which is not by any means a mark against the company. FaceApp does not, as previously claimed, upload a user’s entire photo roll to servers anywhere in the world. FaceApp’s Terms of Service agreement does not claim to transfer the ownership of a user’s photos to the company, and FaceApp’s CEO said the company would soon update its agreement to more accurately describe that the company does not utilize user content for “commercial purposes.”
“The language you quoted to me, I recommend you look at the
terms on Facebook or any other sort of user-generated service, like YouTube,”
said Mitch Stoltz, senior staff attorney at Electronic Frontier Foundation,
when we read FaceApp’s agreement to him over the phone.
“It’s almost word-for-word,” Stoltz said. “All that verbiage, in a vacuum, sounds broad, but if you think about it, those are the terms used by almost any website that allows users to upload photos.”
But the takeaway from this week of near-hysteria should not
be complacency. Instead, the story of FaceApp should serve as yet another example
supporting the always-relevant, sometimes-boring guideline for online privacy:
Ask questions first, download later (if at all).
FaceApp’s terms of service agreement
When users download and use FaceApp, they are required to agree to the parent company’s broad Terms of Service agreement. Those terms are extensive:
FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide,
fully-paid, transferable sub-licensable license to use, reproduce, modify,
adapt, publish, translate, create derivative works from, distribute, publicly
perform and display your User Content and any name, username or likeness
provided in connection with your User Content in all media formats and channels
now known or later developed, without compensation to you.”
users are told through the Terms of Service agreement that “by using the
Services, you agree that the User Content may be used for commercial purposes.”
to put it lightly, a lot. But it is far from unique, Stoltz said.
website that allows anyone in the world to post photos is going to have a
clause like that—‘by uploading photos you give us permissions to do anything
with it,’” Stoltz said. “It protects them against all manner of users trying to
bring legal claims, where, oh, they only wanted four copies of a photo, not 10
copies. The possibilities are endless.”
Several years ago, CNN dug through some of the most dictatorial terms of service agreements for popular social media platforms, Internet services, and companies, and found that, for example, LinkedIn claimed it could profit from users’ ideas.
Relatedly, Terms of Service, Didn’t Read, which evaluates companies’ user agreements, currently shows that Google and Facebook can use users’ identities in advertisements shown to other users, and that the two companies can also track your online activity across other websites.
clarified that FaceApp’s Terms of Service agreement does not claim to take the copyright
of a photo away from whoever took that photo—a process that would be difficult
to do in a contract.
“It’s been tried—it’s something the courts don’t like,” Stoltz said.
Stoltz also said that, while consumers do have the option to bring a legal challenge against a contract they allege is unfair, such successful challenges are rare. Stoltz gave one example of where that worked, though: a judge sided with a rental car customer who challenged a company’s extra charge every time the driver sped past the speed limit.
said nuh-uh, you can’t bury that in a contract and expect people to fully understand
that,” Stolz said.
As to how
FaceApp will actually use user-generated photos, FaceApp CEO Yaroslav Goncharov
told Malwarebytes Labs in an email that the company plans to update its terms
to better reflect that it does not use any users’ images for “commercial
Dispelling the rumors
On July 17, United States Sen. Schumer asked the FBI and the Federal Trade Commission to investigate FaceApp because of the app’s popularity, the location of its parent company, and its alleged potential link to foreign intelligence operations in Russia.
The next day, Sen. Schumer spoke directly to consumers in a video shared on Twitter, hammering on the same points:
“The risk that your facial data could also fall into the
hands of something like Russian intelligence, or the Russian military
apparatus, is disturbing,” Schumer said.
But, according to FaceApp’s CEO, that isn’t true. In responding to questions from The Washington Post, Goncharov said the Russian government has no access to user photos, and, further, that unless a user actually lives in Russia, user data is not located in the country.
Goncharov also told The Washington Post that user photos processed by FaceApp are stored on servers run by Google and Amazon.
In responding to questions from Malwarebytes Labs, Goncharov clarified that the company removes photos from those servers based on a timer, but that sometimes, if there is a large quantity of photos, the removal process can actually take longer than the chosen time limit itself.
“You can set a policy for an [Amazon Simple Storage] bucket that says ‘delete all files that are older than one day.’ In this case, almost all photos may be deleted in 25 hours or so. However, if you have too many incoming photos it can take longer than one hour (or even 24 hours) to delete all photos that are older than 24 hours,” Goncharov said. “[Amazon Web Services] doesn’t provide a guarantee that it takes less than a day to complete a bucket policy. We have a similar situation with Google Cloud.”
Another concern that some users raised about FaceApp was the
possibility that the app was accessing and downloading every photo
locally stored on a user’s device.
But, again, the rumors proved to be overblown. Cybersecurity researchers and an investigation by Buzzfeed News revealed that the network traffic between FaceApp and its servers did not show any nefarious hoovering of user data.
“We didn’t see any suspicious increase in the size of outbound
traffic that would indicate a leak of data beyond permitted uploads,” Buzzfeed
News wrote. “We uploaded four pictures to FaceApp, which corresponds with the
four spikes in the graphic, with some noise at the end after the fourth upload.”
Finally, despite the many distressed comments on Twitter, Goncharov also told The Washington Post that his company is not using its technology for any facial recognition purposes.
What you should do
We get it—FaceApp is fun. Sadly, for many, online privacy is
less so. (We disagree.) But that does not make online privacy any less
For those of you who have already downloaded and used FaceApp, the company recently described an ad-hoc method for removing your data from their servers:
“We accept requests from users for removing all their data
from our servers. Our support team is currently overloaded, but these requests
have our priority. For the fastest processing, we recommend sending the
requests from the FaceApp mobile app using ‘Settings->Support->Report a
bug’ with the word ‘privacy’ in the subject line. We are working on the better
UI for that.”
Always remember, the fear of missing out on the latest online craze should be weighed against the fear of having your online privacy potentially invaded.
The post FaceApp scares point to larger data collection problems appeared first on Malwarebytes Labs.
Powered by WPeMatico