Experts warn vs privacy risks of FaceApp

MANILA, Philippines — Cybersecurity experts have warned against the risks of using image manipulation tool FaceApp, which has regained popularity over the past week because of a feature allowing users to change the gender of a person in a picture.

“While the idea of having an app that gender swaps humans in pictures does sound interesting and fun, it comes with several risks and dangers,” the Computer Professionals’ Union (CPU) said in a statement on Friday night.

“By using this application, we grant FaceApp (and whoever they give access to their database) freedom to access our personal digital likeness and permission to use it for their purposes,” it added.

The CPU noted a provision in the terms and conditions of the mobile application that gives the company non-exclusive, royalty-free and fully paid license to use content created by users.

These include photos, videos, messages, text, software and other materials that were created, posted, shared and stored using the app.

While this access is meant solely to provide services to the users, the group cited a provision stating that FaceApp “do not control, endorse or take responsibility for any user content or third-party content available on or linked to by our services.”

CPU said these might include “unscrupulous individuals or parties that seek to use a person’s digital likeness for nefarious purposes, from black propaganda to identity theft.”

“We need to be cautious of the digital footprints and personal information that we provide various social media platforms and other types of services online. This applies not only to FaceApp, but also to other third party apps that mine our information,” said the organization.

“We must realize that giving the people and organizations behind them permission to gather and use our personal information means that we do pay for their services – not in cash but at the cost of our attention, privacy and security,” it added.

It noted recent concerns over the proliferation of fake accounts on Facebook, which it said could benefit from FaceApp data.

“With the advent of the Anti-Terrorism bill possibly becoming law, there is danger that these doppelgänger accounts, coupled with realistic likeness of the persons they’re impersonating, could maliciously act in violation of the provisions of said law, thereby framing the actual person,” added CPU.

Cyber Security Philippines, a non-profit computer security incident response team, also warned against data mining and extraction of facial biometrics, noting that it can be used for identity theft, fraud, demolition, extortion or defamation.

Last year, US Senate Minority Leader Chuck Schumer urged the Federal Bureau of Investigation and the Federal Trade Commission to look into FaceApp over possible national security and privacy risks.

At the time, FaceApp had gained popularity worldwide over a feature allowing users to make themselves look older or younger.

Schumer said the level of access identified in the application’s terms of use and privacy notice may result in the photos being used in the future without the users’ consent.

“I have serious concerns regarding both the protection of the data that is being aggregated, as well as whether users are aware of who may have access to it,” he wrote.

“In particular, FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of US citizens to third parties, including potentially foreign governments,” he added.

FaceApp, in a statement sent to various tech websites at the time, clarified that it does not “sell or share any user data with any third parties” and that user data is not transferred to Russia even if their core research and development team is based there.

“FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud,” said the company.

“We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date,” it added.

FaceApp said they also accept requests from users to remove their data, recommending that users send these requests using the mobile application.