When an app goes viral, how can you know whether itâ€™s all good fun â€” or covertly violating your privacy by, say, sending your face to the Russian government?
Thatâ€™s the burning question about FaceApp, a program that takes photos of people and â€œagesâ€ them using artificial intelligence. Soon after it shot to the top of the Apple and Google store charts this week, privacy advocates began waving warning flags about the Russian-made appâ€™s vague legalese. Word spread quickly that the app might be a disinformation campaign or secretly downloading your entire photo album. Leaders of the Democratic party warned campaigns to delete the app â€˜immediately.â€™
I got some answers by running my own forensic analysis and talking to the CEO of the company that made the app. But the bigger lesson was how much app-makers and the stores run by Apple and Google leave us flying blind when it comes to privacy.
I raised similar questions a few weeks ago when I ran an experiment to find out what my iPhone did while I slept at night. I found apps sending my personal information to all sorts of tracking companies Iâ€™d never heard of.
Looking under the hood of FaceApp with the tools from my iPhone test, I found it sharing information about my phone with Facebook and Google AdMob, which probably help it place ads and check the performance of its ads. The most unsettling part was how much data FaceApp was sending to its own servers, after which â€¦ who knows what happens. Itâ€™s not just your own face that FaceApp might gobble up â€” if you age friends or family members, their face gets uploaded, too.
In an email exchange, FaceApp CEO Yaroslav Goncharov tried to clarify some of that.
These five questions are basics we ought to know about any app or service that wants something as personal as our faces.
1. What data do they take?
FaceApp uploads and processes our photos in the cloud, Goncharov said, but the app will â€œonly upload a photo selected by a user for editing.â€ The rest of your camera roll stays on your phone. You can also use FaceApp without giving it your name or email â€” and 99 percent of users do just that, he said.
2. How long do they hold on my data?
The appâ€™s terms of service grant it a â€œperpetualâ€ license to our photos. Goncharov said FaceApp deletes â€œmostâ€ of the photos from its servers after 48 hours.
3. What are they doing with my data?
Is FaceApp using our faces and the maps it makes of them for anything other than the express purpose of the app, such as running facial identification on us? â€œNo,â€ Goncharov said. Legally, though, the appâ€™s terms give it â€” and whoever might buy it or work with it in the future â€” the right to do whatever it wants, through an â€œirrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferrable sub-licensable license.â€ (Clear as mud?)
4. Who has access to my data?
Do government authorities in Russia have access to our photos? â€œNo,â€ Goncharov said. FaceAppâ€™s engineers are based in Russia, so our data is not transferred there. He said the company also doesnâ€™t â€œsell or share any user data with any third partiesâ€ â€” aside, I pointed out, from what it shares with trackers from Facebook and AdMob. (Another exception: Users in Russia may have their data stored in Russia.)
5. How can I delete my data?
Just deleting the app wonâ€™t get rid of the photos FaceApp may have in the cloud. Goncharov said people can put in a request to delete all data from FaceAppâ€™s servers, but the process is convoluted. â€œFor the fastest processing, we recommend sending the requests from the FaceApp mobile app using â€˜Settings->Support->Report a bugâ€™ with the word â€˜privacyâ€™ in the subject line. We are working on the better UI [user interface] for that,â€ he said.
Why not post this information to FaceAppâ€™s website, beyond the legalese? â€œWe are planning to make some improvements,â€ Goncharov said.
Same question for the app stores run by Apple and Google. Those giant companies make money from a cut of upgrades you can purchase in the app. Weâ€™re literally paying them to read the privacy policies â€” and vet that companies such as FaceApp are telling the truth. Why not better help us understand right where we download whatâ€™s really going on? Neither company replied with an on-the-record comment.
Much better to help us sort through all of this before millions of us upload our faces somewhere we might regret.
Read more tech advice and analysis from Geoffrey A. Fowler:
Goodbye, Chrome: Googleâ€™s Web browser has become spy software
Not all iPhones are the same. These cost less and are better for the Earth.
Rock this way: AirPods, Beats and Bose wireless ear buds take the headbang test