8/8/2019
10:00 AM
Marc Rogers
Commentary

Yes, FaceApp Really Could Be Sending Your Data to Russia

FaceApp has an unprecedented level of access to data from 150 million users. What could its endgame be? We unpack three potential risks.

FaceApp, an app that offers special effects for photographs, has been downloaded and installed by more than 150 million people worldwide, according to consumer tech journalist John Koetsier, writing in Forbes. Koetsier writes that the most popular of these special effects is an artificial intelligence (AI)-enhanced photo filter that ages any faces in the photograph. This feature has gotten even more popular lately, leading to the app's privacy being called into question on a global scale.

FaceApp is developed and published by Wireless Lab, a company with headquarters in St. Petersburg, Russia. While Wireless Lab and its staff are based in Russia, company founder Yaroslav Goncharov told Forbes that all the app's storage and cloud resources are in the US and that the data collected by the app is hosted in the US, not Russia. Because FaceApp has such close ties to Russia, American political officials have raised concerns about the overall security of the app. But the potential issues go beyond where the data is hosted.

Here are three risks to unpack before deciding to use FaceApp:

Risk 1: Terms and Conditions
As with any social media app, the terms are the bulk of your contract and the primary mechanism that is supposed to protect you (the user). But terms are also a way for many companies to indicate what they anticipate they'll do with your information in the future, often long before actually acting on these plans.

I've been in the security space for nearly 30 years, but FaceApp's set of terms is among the worst I have seen. For example:

● You assign FaceApp irrevocable global rights to use your images or data as it sees fit without any need to compensate or inform you.
● FaceApp can continue to hold your images and data even after you have requested your information be deleted.
● The company reserves the right to share the data with any third party it chooses without any need to inform you.
● It reserves the right to host the data in any country it chooses.

As shocking as some of the terms are, you will find very similar language in many well-known social media apps, including Facebook, according to Dalvin Brown, in USA TODAY. This approach is almost certainly incompatible with legislation such as GDPR, which means Wireless Lab is ignoring international privacy regulations.

In response to widespread criticism, Goncharov is quoted in Forbes suggesting that the company might consider updating its terms. However, the company still hasn't made any concrete promises. For now, FaceApp's terms make it seem as if the company is absolutely collecting your data, has long-term plans for it, and is not obligated to listen to any request or demand you may have about the future of that data.

Risk 2: Murky International Legal Regulations Around Data Privacy
It's not just the terms and conditions that are problematic. Wireless Lab is operating in a country whose legal processes and privacy legislation differ greatly from those of the US, and this should be a significant red flag. If the company does something you don't like, you likely have very little or no legal recourse.

As this story has developed, it has become clear to me that Wireless Lab's statement that the app is wholly hosted in the US may not be the complete picture. Host records indicate that one of the hosts the app communicates with is, in fact, in Russia. While it's not clear what data is being sent to this Russian host, the fact that it's there — even after the developer stated everything is in the US — is concerning.

Risk 3: FaceApp's Endgame
FaceApp has an unprecedented level of access to data from 150 million users. What could the company's endgame be? This is where we have to speculate. To start, we should first look at what it is harvesting:

● Your photos and contextual personal information.
● Your phone information (browser, serial number, IP address, configuration information, some location information).
● Details about your other apps, the OS on your phone, social media accounts and apps.
● Cookies, sign-in tokens, and any authentication information you share with it (for example, if you choose to log in with Facebook, it gets access to your Facebook access tokens and profile information).
● If the app is installed on Android, it can access your call history, contacts, logs, more-detailed location information, messages, and more.

This list is certainly not exhaustive; it merely encompasses the most obvious data to which the app has immediate access.

What could the company be doing with this data? On the obvious end of the spectrum, detailed information about more than 150 million people is something advertisers would pay good money for. But from an intelligence perspective, this is a highly useful and current database of people all over the world and their connections.

For example, a current, AI-enhanced database like this is something that people developing facial recognition need. One of the biggest flaws in current facial recognition technology is that it is only as good as the data used to train it. As a result, most models are skewed toward faces from the region where the technology was developed. A database like this could provide an extremely diverse catalog of real faces to train facial recognition technology.

Whatever the company's endgame is, one thing is very clear: As consumers, we need to get better at policing those with whom we share our data. The fact that almost all social media applications and services have consumer-unfriendly terms should be of great concern. As the saying goes: "If you're not paying for it, you're not the customer; you're the product being sold." It's never been more important to heed this warning.

Marc Rogers is the executive director of cybersecurity at Okta. With a career that spans more than 20 years, Marc has been hacking since the 80's and is now a white-hat hacker. Prior to Okta, Marc served as the head of security for Cloudflare and spent a decade managing ...