When an app goes viral, how can you know if it's all good fun - or covertly violating your privacy by, say, sending your face to the Russian government?
That's the burning question about FaceApp, a program that takes photos of people and "ages" them using artificial intelligence. Soon after it shot to the top of the Apple and Google store charts this week, privacy advocates began waving warning flags about the Russian-made app's vague legalese. Word spread quickly that the app might be a disinformation campaign, or secretly downloading your entire photo album.
I got some answers by running my own forensic analysis and talking to the CEO of the company that made the app. But the bigger lesson was how much appmakers and the stores run by Apple and Google leave us flying blind when it comes to privacy.
[Panic over Russian company’s FaceApp is sign of new distrust of Internet]
I raised similar questions a few weeks ago, when I ran an experiment to find out what my iPhone did while I slept at night. I found apps sending my personal information to all sorts of tracking companies I'd never heard of.
So what about FaceApp? It was vetted by Apple's App Store and Google's Play Store, which even labeled it an "Editors' Choice." They both link to its privacy policy - which they know nobody reads.
Looking under the hood of FaceApp with the tools from my iPhone test, I found it sharing information about my phone with Facebook and Google AdMob, which likely help it place ads and check the performance of its ads. The most unsettling part was how much data FaceApp was sending to its own servers, after which . . . who knows what happens. It's not just your own face that FaceApp might gobble up - if you age a friend or family member, their face gets uploaded, too.
In an email exchange, FaceApp's CEO Yaroslav Goncharov tried to clarify some of that.
These five questions are basics we ought to know about any app or service that wants something as personal as our faces.
1) What data do they take?
FaceApp uploads and processes our photos in the cloud, Goncharov said, but the app will “only upload a photo selected by a user for editing.” The rest of your camera roll stays on your phone. You can also use FaceApp without giving it your name or email - and 99% of users do just that, he said.
2) How long do they hold on my data?
The app's terms of service grant it a "perpetual" license to our photos. Goncharov said FaceApp deletes "most" of photos from its servers after 48 hours.
3) What are they doing with my data?
Is FaceApp using our faces and the maps it makes of them for anything other than the express purpose of the app, like running facial identification on us? "No," said Goncharov. Legally, though, the app's terms give it - and whoever might buy it or work with it in the future - the right to do whatever it wants, through an "irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferrable sub-licensable license." (Clear as mud?)
4) Who has access to my data?
Do government authorities in Russia have access to our photos? "No," says Goncharov. FaceApp's engineers are based in Russia, our data is not transferred there. He said the company also doesn't "sell or share any user data with any third parties" - aside, I pointed out, from what it shares with trackers from Facebook and AdMob. (Another exception: Users in Russia may have their data stored in Russia.)
5) How can I delete my data?
Just deleting the app won’t get rid of the photos FaceApp may have in the cloud. Goncharov said people can put in a request to delete all data from FaceApp’s servers, but the process is convoluted. “For the fastest processing, we recommend sending the requests from the FaceApp mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line. We are working on the better UI (user interface) for that," he said.
Why not post this information to FaceApp's website, beyond the legalese? "We are planning to make some improvements," Goncharov said.
Same question for the app stores run by Apple and Google. Those giant companies make money from a cut of upgrades you can purchase in the app. We're literally paying them to read the privacy policies - and vet that companies like FaceApp are telling the truth. Why not better help us understand right where we download what's really going on? Neither company replied with an on-the-record comment.
Much better to help us sort through all of this before millions of us upload our faces somewhere we might regret.