
Endpoint

8/8/2019
10:00 AM
Marc Rogers

Yes, FaceApp Really Could Be Sending Your Data to Russia

FaceApp has an unprecedented level of access to data from 150 million users. What could its endgame be? We unpack three potential risks.

FaceApp, an app that offers special effects for photographs, has been downloaded and installed by more than 150 million people worldwide, according to consumer tech journalist John Koetsier, writing in Forbes. Koetsier writes that the most popular of these special effects is an artificial intelligence (AI)-enhanced photo filter that ages any faces in the photograph. This feature has become even more popular lately, leading to the app's privacy practices being called into question on a global scale.

FaceApp is developed and published by Wireless Lab, a company with headquarters in St. Petersburg, Russia. While Wireless Lab and its staff are based in Russia, company founder Yaroslav Goncharov told Forbes that all the app's storage and cloud resources are in the US and that the data collected by the app is hosted in the US, not Russia. Because FaceApp has such close ties to Russia, American political officials have raised concerns about the overall security of the app. But the potential issues go beyond where the data is hosted.

Here are three risks to unpack before deciding to use FaceApp:

Risk 1: Terms and Conditions
As with any social media app, the terms are the bulk of your contract and the primary mechanism that is supposed to protect you (the user). But terms are also a way for many companies to indicate what they anticipate they'll do with your information in the future, often long before actually acting on these plans.

I've been in the security space for nearly 30 years, and FaceApp's terms are among the worst I have seen. For example:

● You assign FaceApp irrevocable global rights to use your images or data as it sees fit without any need to compensate or inform you.
● FaceApp can continue to hold your images and data even after you have requested your information be deleted.
● The company reserves the right to share the data with any third party it chooses without any need to inform you.
● It reserves the right to host the data in any country it chooses.

As shocking as some of the terms are, you will find very similar language in many well-known social media apps, including Facebook, according to Dalvin Brown, in USA TODAY. This approach is almost certainly incompatible with legislation such as GDPR, which means Wireless Lab is ignoring international privacy regulations.

In response to widespread criticism, Goncharov is quoted in Forbes suggesting that the company might consider updating its terms. However, the company still hasn't made any concrete promises. For now, FaceApp's terms make it seem as if the company is absolutely collecting your data, has long-term plans for it, and is not obligated to listen to any request or demand you may have about the future of that data.

Risk 2: Murky International Legal Regulations Around Data Privacy
It's not just the terms and conditions that are problematic. Wireless Lab operates in a country whose legal processes and privacy legislation differ substantially from those of the US, and this should be a significant red flag. If the company does something you don't like, you likely have very little or no legal recourse.

As this story has developed, it has become clear to me that Wireless Lab's statement that the app is wholly hosted in the US may not be the complete picture. Host records indicate that one of the hosts the app communicates with is, in fact, in Russia. While it's not clear what data is being sent to this Russian host, the fact that it's there — even after the developer stated everything is in the US — is concerning.

Risk 3: FaceApp's Endgame
FaceApp has an unprecedented level of access to data from 150 million users. What could the company's endgame be? This is where we have to speculate. To start, we should first look at what it is harvesting:

● Your photos and contextual personal information.
● Your phone information (browser, serial number, IP address, configuration information, some location information).
● Details about your other apps, the OS on your phone, social media accounts and apps.
● Cookies, sign-in tokens, and any authentication information you share with it (for example, if you choose to log in with Facebook, it gets access to your Facebook access tokens and profile information).
● If the app is downloaded on Android, it can access your call history, contacts, logs, more-detailed location information, messages, and more.

This list is certainly not exhaustive; it merely encompasses the most obvious data to which the app has immediate access.

What could the company be doing with this data? On the obvious end of the spectrum, detailed information about more than 150 million people is something advertisers would pay good money for. But from an intelligence perspective, this is a highly useful and current database of people all over the world and their connections.

For example, a current, AI-enhanced database like this is something that people developing facial recognition need. One of the biggest flaws in current facial recognition technology is that it is only as good as the data used to train it. As a result, most models are skewed toward faces from the region where the technology was developed. A database like this could provide an extremely diverse catalog of real faces to train facial recognition technology.

Whatever the company's endgame is, one thing is very clear: As consumers, we need to get better at policing those with whom we share our data. The fact that almost all social media applications and services have consumer-unfriendly terms should be of great concern. As the saying goes: "If you're not paying for it, you're not the customer; you're the product being sold." It's never been more important to heed this warning.


Marc Rogers is the executive director of cybersecurity at Okta. With a career that spans more than 20 years, Marc has been hacking since the '80s and is now a white-hat hacker. Prior to Okta, Marc served as the head of security for Cloudflare and spent a decade managing ...