A while back, I left the vast cesspool of mainstream social media for the weirder and wilder pastures of places like Mastodon (and yes, I’m very smug about it). The downside is that I often don’t hear about new fads unless something goes horribly wrong, which is exactly what happened when everyone had a collective freakout about FaceApp after initially falling in love with it.
FaceApp, in case you were like me and totally missed it, lets you apply filters to your face to appear aged and decrepit, perhaps appealing to the much-documented millennial obsession with decay and eventual oblivion. FaceApp was then accused of hijacking people’s personal information and photos and, gasp!, sending them to Russia. An internet poop emoji storm ensued.
This led my colleague Jose to ask a very reasonable question in Slack:
If one were to delete an app such as FaceApp, is the damage of granting these apps access to your info already done or are you safe again?
Security wonks can often get very snarky and dismissive of real, valuable questions like this. Many take the attitude that people shouldn’t have downloaded the apps in the first place, which is not only unhelpful, but further cements the security wonk reputation for hating fun. Jose’s question is valid: does deleting an app that was snooping on you in any way make you safe again?
The Real Story About FaceApp
First things first: the fears about FaceApp specifically seem a smidge overblown. My colleague Michael Kan spoke to several security experts about FaceApp, all of whom said it was not overtly malicious and, in some cases, actually praised the app. Aviran Hazum, a researcher from the antivirus company Check Point, told Kan, “I must say that this app seems to be developed in a good fashion—no greedy permissions, and it does what they claim it does.”
In fact, Kan reports that the initial warnings that the app steals all your images without asking were baseless and were eventually retracted. It is true that the app is from a Russian developer, but without any evidence that the specific app or developer has done something wrong, it’s hard to hold that against the app.
While FaceApp may not be the sneaking terror we may have initially thought, it does have some problems. Like many apps and services we sign up for on a whim, it’s not always clear what the app does with your information, how long it’s kept, or with whom FaceApp shares your information.
It’s Still Not Great
I reached out to Bill Budington, the Senior Staff Technologist at the Electronic Frontier Foundation (EFF), to get a sense of what FaceApp does and what risks it presents. He pointed out that the language of the company’s terms of service paints a grim picture.
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform & display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.
“This gives FaceApp and its parent company Wireless Lab an enormous amount of latitude to do pretty much anything with your data that they’d like,” said Budington in an email. “Unfortunately, privacy policies like this are far too common, and this one in particular sounds like it’s using boilerplate language copied from somewhere else.”
We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to,…