A new feature of the app “FaceApp”, which makes you look older, has sparked much discussion about data security.
“FaceApp” has been available since 2017 and its basic functions are free; for an annual or one-time fee, there are further features that make a portrait photo look younger, add makeup, apply other hairstyles or use certain filters. It is astonishing that, with the aging function for example, only small details reveal that the image has been manipulated.
However, what sounds like fun raises questions in many media outlets, and we want to shed more light on them:
- Where do the data go?
- What happens to the pictures?
- How big is the security risk?
- Is the app a “snooping tool”?
In the following, we go through the facts and the allegations step by step in order to get an overall picture.
Where do the data go? And what data anyway?
At this point many media outlets, especially American ones, fall into the trap of issuing a warning, as if an app that comes from Russia could only be about spying on the data of US citizens.
But we do not even have to wait and see whether and when the FBI takes a closer look at the app, since various security experts have already examined the app and its data flow.
The expert Jane Manchun Wong, who mainly examines apps for security, privacy and new, hidden functions, reports that she could not find anything suspicious in the app. The image to be processed is uploaded to an AWS server (AWS = Amazon Web Services); no further authorization, such as registering with a name, is necessary.
Other data sent includes only user interactions with the app, but no other data that could uniquely identify a person.
However, she rightly criticizes: users have no control over how long their photos remain stored on the servers.
A French security expert with the pseudonym “Elliot Alderson” (his real name is Robert Baptiste) took a closer look. He published the results of his research on Twitter.
According to these, there is a lively exchange of data between the app and Firebase (a development platform for mobile and web applications), the Facebook SDK (Facebook's interface for apps) and Account Kit (an interface for quick registration, also developed by Facebook).
This traffic is understandable, since FaceApp allows users, for example, to register and to select images from their own Facebook account for processing. However, registration is not required to use the app.
Now it gets interesting!
Things become more interesting when it comes to what data is exchanged with the Amazon cloud servers.
The demo images are loaded from there, the smartphone is assigned an ID, and the operating system is checked. In fact, only the photo to be edited is uploaded to the server, not all photos, as some sites claim!
Why does the calculation have to take place on external servers?
Modern mobile phones with appropriate computing power and enough memory would actually manage to calculate the images locally. The decision to have this calculated on Amazon cloud servers has rather economic reasons:
- Even users with weaker smartphones can use the app, which means wider use of the app
- The developers want to protect their algorithm, as other developers could otherwise “disassemble” the app and build their own “aging and beautification software” from it
How is the data used?
The most likely use of portrait data is training facial recognition algorithms.
If this is the goal of FaceApp, they would not be alone, but just another company that practices this. For example, “The Guardian” reports that Google used 8 million profile pictures to train facial recognition algorithms, plus 2,000 YouTube videos uploaded for the “Mannequin Challenge”. Facebook used the profile pictures of 10 million users for the same purpose.
What happens to my data?
This is a very controversial point in the terms of the app. It is definitely not GDPR-compliant, but let’s take a look at it.
Specifically, this means that the photos may be used, for example, for FaceApp's own advertising. There is also talk of sublicensing, which means that FaceApp is allowed to share the photos with other providers, who may then use them. Theoretically, your own photo could eventually appear on a billboard without you having the right to sue over your own picture.
Not a unique provision
Anyone who now believes that the creators of FaceApp simply grant themselves too much should look around a bit, because the terms of the popular short message service “Twitter” contain such a passage as well:
Of course there is a difference!
Facebook and Twitter are services where you willingly publish images and texts, while with FaceApp you ostensibly do this just for yourself, before deciding whether or not to share an image.
Although the controversial passage is a standard formulation that is used elsewhere as well, it leaves a bitter aftertaste in the case of an app, since this is not a social network.
Several security experts examined the app and found no extraordinary data streams.
Images cannot be assigned to individual persons unless you have, for example, linked the app to Facebook.
The data does not end up in Russia, but on Amazon Cloud servers, which are mostly in the US (none in Russia).
In certain points the terms and conditions are not unusual, but they are at least questionable.
Should I delete the app now?
That is now up to you.
Facebook, Instagram, WhatsApp, Twitter and many apps on the smartphone are already busy collecting personal data and pictures. Many apps are even given far-reaching rights, such as access to the unique ID of the smartphone, the use of cards, the use of the microphone, and the permission to manage calls and text messages, often without the app needing them.
FaceApp is in this sense just another app to which you give data, in this case primarily photos. If it is linked to Facebook and Twitter, it would also be possible to link the images to other data. Those are at least the theoretical possibilities, but Facebook alone is given so much data, photos and videos that a selfie with FaceApp is rather a drop in the bucket.
You have to realize that every app and every platform can, at least in theory, work with the data of its users.
If you attach importance to privacy, you should keep your hands off various apps and platforms, whether it is Facebook or FaceApp.