Naked Security

FBI: Russia-based FaceApp is a ‘potential counterintelligence threat’

It's a grabby little app, data-wise, but how is it different from, say, Google or Facebook?

Last summer, users geeked out, privacy lovers freaked out, and at least one lawmaker fretted about an aging/expression-tweaking/gender-swapping mobile app called FaceApp (no relation to Facebook) that hails from Russia.

We’re on it, the FBI said last week, saying that it views any app or product coming out of Russia as a “potential counterintelligence threat.”

In a 25 November letter responding to concerns raised by Senator Chuck Schumer, FBI assistant director Jill Tyson said that the agency is investigating FaceApp over its ties to Russia.

FaceApp lets you do things like, say, get a handle on what you’ll look like if you still want to go to Hogwarts when you’re 80.

The app also pulls what you can think of as a FaceGrab – i.e., what its license says is its “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license” to not just users’ manipulated likenesses, but also to their private details, as in username, location or profile photo.

In July 2019, Sen. Schumer had written to the director and chair of the Federal Trade Commission (FTC), calling on the FTC and FBI to look into the national security and privacy risks posed by the millions of Americans who were handing over full, irrevocable access to their personal photos and data to an app from a company – Wireless Lab – based in Russia.

What Schumer said at the time:

“FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of US citizens to third parties, including potentially foreign governments.”

At the time, Wireless Lab responded by saying that FaceApp only uploads photos selected by users for editing, and that it may store them in the cloud because that’s where it does its processing. It usually deletes images from its servers within 48 hours, the company said. Also, it said that it doesn’t send user data to Russia, instead processing images on US cloud providers’ infrastructure.

US, Russia, wherever: they’re all grabbing data

Forbes spoke with Ian Thornton-Trump, a CompTIA faculty member, who said that an adversarial nation like Russia – or any other adversarial country – would be happy to hoover up whatever data it can from whatever advantageously positioned US person it might get it from:

“Russia would very much appreciate and encourage the use of FaceApp by anyone with a security clearance and their immediate family.”

But how is a FaceApp data grab any different from a US company’s data grab?

We needn’t look far for examples of grabby US apps: Facebook, Google and Apple are all facing antitrust and privacy investigations.

At any rate, as far as nation state espionage goes, LinkedIn is a spy’s playground. A few years back, Germany’s spy agency – Bundesamt für Verfassungsschutz (BfV) – published eight of the most active profiles it says were being used on LinkedIn to contact and lure German officials for espionage purposes.

A more recent example: in June 2019, we saw a LinkedIn profile for “Katie Jones,” an extremely well-connected, attractive, young redhead and purportedly a Russia and Eurasia Fellow at the top think-tank Center for Strategic and International Studies (CSIS). An Associated Press investigation concluded that the profile was actually a deepfake created by artificial intelligence (AI) that managed to convince about 40 people to connect with it.

Thornton-Trump suggested that the hand-wringing over FaceApp’s potential risk to national security amounts to little more than pre-election “political pandering.”

“I feel like this is a political opportunity to stoke the narrative of ‘tech company in Russia is bad; tech company in USA is good.’”