FaceApp: The Latest Mobile App that May Compromise User's Privacy

The recent explosion of the face morphing application FaceApp is just another example of the kinds of things users do with their mobile devices that could impact their privacy and security. Released more than two years ago, FaceApp is not a new mobile application, but it is grabbing the attention of the right media influencers, specifically celebrities, and has suddenly become the number one download on both iOS and Android devices. What is all the uproar about?

FaceApp is one of many mobile applications that demand excessive permissions and control over your digital content. The End User License Agreement (EULA) allows for indefinite retention and unlimited use of the content that you upload. That includes things like photos of yourself, your children, and your friends along with other data you knowingly or unknowingly share. Most “entertainment” oriented applications actually do something similar. Facebook is well known for lopsided rights to user content. Instagram, an app owned by Facebook, has many similar properties to FaceApp. Mobile users need to look beyond just the FaceApp privacy scare. It is potentially an issue for any application that users download on a daily basis.

While FaceApp has officially responded to the concerns with some fairly reasonable statements on actual use of your content, it is up to us to trust that the statement is true. We also have to hope that nothing changes (like the company being acquired or a change in business model or situation) because they have all the rights and you have no protection of the content you share, which could be every photo on your device. The official statement says that is not happening, but it is important to know that it could, based on the legal agreement.

Other concerns around FaceApp center on the company that owns it and more specifically the fact that they are headquartered in St. Petersburg, Russia. When we dig into an app, we start to realize that all our photos, our personal information if we are logged in, and potentially other data like location and dates of photos could be available to a State Actor that has demonstrated an egregious lack of concern for your personal privacy and that has a history of using our own information against us. This risk is certainly worth considering, but the cow is out of the barn, and we have no way to fix it for FaceApp. Given users’ complete lack of discretion in downloading and sharing content through this and many other applications, it is unlikely to be an easy fix in the future.

What should you do to protect your privacy and security from applications like FaceApp?

• Review the permissions and EULA before downloading, and DON’T install if you are not comfortable.
• If you simply must use the app even with concerns (“but it’s soooo cool!”), you can limit individual permissions on your device, but know that this may also affect the functionality of the application.
• Consider what other data you are asked to share with the application, like login information that may include personal data like birthdate, family status, etc. Don’t share it if you don’t have to.
• Speaking of sharing information, consider what other data sources might be available to the company or its owner (think Facebook and Instagram) that could be combined to expose more about you than you think or are comfortable with.
• Don’t forget that hackers have a history of successfully compromising all kinds of companies and then combining the data about you to create an even more serious privacy and security risk. No data online is safe, so don’t share anything that represents a potential security and privacy risk.
• Where photos are concerned, realize that combining photos, other data, and artificial intelligence functionality like facial recognition brings in new and previously unidentified risks that could have impacts that extend well beyond your smart device.

The bottom line is that most apps are not just fun and games. Be sure to read the policies, know what information is being collected, where it is going, and how it is being used. And as always, when in doubt, don’t download.


About the Author

Mike Johnson

  • Honeywell/James J. Renier Chair in Security Technologies
  • Senior Fellow
  • Director of Graduate Studies - MSST

James J. Renier Chair in the Management of Security Technologies

Mike Johnson serves as the director of graduate studies for the Master of Science in Security Technologies degree program at TLI. He also develops, teaches and administers graduate level courses in security technologies innovation, management and leadership, as well as participates in the development and delivery of customized short courses and professional development programs in response to industry needs. He brings more than 25 years of professional experience in security risk management, formerly serving as CISO and Operations Risk Director at Bremer Bank, and has gained broad skills in the areas of IT and information security risk management in a heavily regulated industry.
