Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/8/2019
10:00 AM
Marc Rogers
Marc Rogers
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Yes, FaceApp Really Could Be Sending Your Data to Russia

FaceApp has an unprecedented level of access to data from 150 million users. What could its endgame be? We unpack three potential risks.

FaceApp, an app that offers special effects for photographs, has been downloaded and installed by more than 150 million people worldwide, according to consumer tech journalist John Koetsier, writing in Forbes. Koetsier writes that the most popular of these special effects is an artificial intelligence (AI)-enhanced photo filter that ages any faces in the photograph. This feature has gotten even more popular lately, leading to the app's privacy being called into question on a global scale.

FaceApp is developed and published by Wireless Lab, a company with headquarters in St. Petersburg, Russia. While Wireless Lab and its staff are based in Russia, company founder Yaroslav Goncharov told Forbes that all the app's storage and cloud resources are in the US and that the data collected by the app is hosted in the US, not Russia. Because FaceApp has such close ties to Russia, American political officials have raised concerns about the overall security of the app. But the potential issues go beyond where the data is hosted.

Here are three risks to unpack before deciding to use FaceApp:

Risk 1: Terms and Conditions
As with any social media app, the terms are the bulk of your contract and the primary mechanism that is supposed to protect you (the user). But terms are also a way for many companies to indicate what they anticipate they'll do with your information in the future, often long before actually acting on these plans.

I've been in the security space for nearly 30 years, but FaceApp's set of terms are among the worst I have seen, for example:

● You assign FaceApp irrevocable global rights to use your images or data as it sees fit without any need to compensate or inform you.
● FaceApp can continue to hold your images and data even after you have requested your information be deleted.
● The company reserves the right to share the data with any third party it chooses without any need to inform you.
● It reserves the right to host the data in any country it chooses.

As shocking as some of the terms are, you will find very similar language in many well-known social media apps, including Facebook, according to Dalvin Brown, in USA TODAY. This approach is almost certainly incompatible with legislation such as GDPR, which means Wireless Lab is ignoring international privacy regulations.

In response to widespread criticism, Goncharov is quoted in Forbes suggesting that the company might consider updating its terms. However, the company still hasn't made any concrete promises. For now, FaceApp's terms make it seem as if the company is absolutely collecting your data, has long-term plans for it, and is not obligated to listen to any request or demand you may have about the future of that data.

Risk 2: Murky international legal regulations around data privacy
It's not just the terms and conditions that are problematic. Wireless Lab is operating in a country that has very different legal processes and privacy legislation than the US, and this should be a significant red flag. If it does something you don't like, you likely have very little or no legal recourse.

As this story has developed, it has become clear to me that Wireless Lab's statement that the app is wholly hosted in the US may not be the complete picture. Host records indicate that one of the hosts the app communicates with is, in fact, in Russia. While it's not clear what data is being sent to this Russian host, the fact that it's there — even after the developer stated everything is in the US — is concerning.

Risk 3: FaceApp's Endgame
FaceApp has an unprecedented level of access to data from 150 million users. What could the company's endgame be? This is where we have to speculate. To start, we should first look at what it is harvesting:

● Your photos and contextual personal information.
● Your phone information (browser, serial number, IP address, configuration information, some location information).
● Details about your other apps, the OS on your phone, social media accounts and apps.
● Cookies, sign-in tokens, and any authentication information you share with it (for example, if you choose to log in with Facebook, it gets access to your Facebook access tokens and profile information).
● If the app is downloaded on Android, it can access your call history, contacts, logs, more-detailed location information, messages, and more.

This list is certainly not exhaustive; it merely encompasses the most obvious data to which the app has immediate access.

What could the company be doing with this data? On the obvious end of the spectrum, detailed information about more than 150 million people is something advertisers would pay good money for. But from an intelligence perspective, this is a highly useful and current database of people all over the world and their connections.

For example, a current, AI-enhanced database like this is something that people developing facial recognition need. One of the biggest flaws in current facial recognition technology is that it is only as good as the data used to train it. As a result, most models are skewed toward faces from the region where the technology was developed. A database like this could provide an extremely diverse catalog of real faces to train facial recognition technology.

Whatever the company's endgame is, one thing is very clear: As consumers, we need to get better at policing those with whom we share our data. The fact that almost all social media applications and services have consumer-unfriendly terms should be of great concern. As the saying goes: "If you're not paying for it, you're not the customer; you're the product being sold." It's never been more important to heed this warning.

Related Content:

Marc Rogers is the executive director of cybersecurity at Okta. With a career that spans more than 20 years, Marc has been hacking since the 80's and is now a white-hat hacker. Prior to Okta, Marc served as the head of security for Cloudflare and spent a decade managing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.