Naked Security

FaceApp privacy panic sets internet alight

You grant FaceApp a perpetual, irrevocable license to use, reproduce, modify and adapt your image. Sounds scary.

If you’ve been anywhere near Facebook this week, you’ve probably seen selfies of friends next to AI-generated images of what they’ll look like in a few decades. Underneath those posts, you’ll see comments from others warning them they’ve just signed over their soul to an obscure Russian company. That’s right, it’s time for another internet bogeyman. This week, its name is FaceApp.

Launched in 2017, FaceApp (which isn’t associated with Facebook) is an iOS and Android app from Russian company Wireless Lab. It lets you upload a selfie and then manipulates it for you, changing your facial expression, age, and even your gender. It’s very convincing (judging from those pictures on Facebook).

Although the app has offered an aging filter since shortly after its launch, it went viral this week after someone noticed that the company was claiming complete rights to the photos it processed. The terms and conditions are pretty Draconian:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your username, location or profile photo) will be visible to the public.

The ‘irrevocable’ part had the internet all aflutter, and even invited Congressional scrutiny. Senator Chuck Schumer wrote to the chair of the Federal Trade Commission on Wednesday fretting about the app.

He said:

FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of US citizens to third parties, including potentially foreign governments.

Many other press reports and social media posts also raised fears about the app for the same two reasons: irrevocability, and Russia. Responding to TechCrunch, though, Wireless Lab said that FaceApp only uploads photos selected by the users for editing, and may store them in the cloud because that’s where it does its processing. It usually deletes images from its servers within 48 hours, it added. Also, it said it doesn’t send user data to Russia, but processes images on US cloud providers’ infrastructure.

An app that denies you any rights in its terms and conditions should set your alarm bells ringing. But other services’ terms, while not so aggressive, are still concerning.

For example, although Facebook says you own your content, the company can use your picture, along with data about other actions you take on Facebook, with any ads or sponsored content. The company can share your image with third parties, including unspecified service providers that support Facebook. You can end your agreement with Facebook by deleting your image, it says, although it may continue to appear if you have shared it with others and they have not deleted it.

Or check out the privacy policy of Accuweather, the company that lost users after researchers found it sending location data. That’s because its policy lets it gather information about other devices nearby. Its terms also let it harvest your device ID and information from wearable devices, such as your pulse and body temperature. Your pulse and body temperature… for a weather app?

You may worry about Wireless Lab using your image for its own purposes, but as we’ve covered before, others in the West, including YouTube and IBM, have already done that. An anti-privacy contract should concern you, but what’s worrying is how few people take the time to read the terms and conditions of well-known apps, no matter what country they come from.

1 Comment

Thank you! I normally read the T&C before downloading an app but due to the popularity I didn’t do my due diligence. The media absolutely sent everyone into a tizzy on this one regarding phones being hacked & the company owning all of the photos/data on the phone. So very glad you guys are here to break down the facts!!! While not great with regards to the whole “irrevocable” issue, it’s nice to know all you security researchers do tests to get to the bottom of things and present facts!

