When an app goes viral, how can you know whether it’s all good fun — or covertly violating your privacy by, say, sending your face to the Russian government?
I got some answers by running my own forensic analysis and talking to the CEO of the company that made the app. But the bigger lesson was how much app-makers and the stores run by Apple and Google leave us flying blind when it comes to privacy.
I raised similar questions a few weeks ago when I ran an experiment to find out what my iPhone did while I slept at night. I found apps sending my personal information to all sorts of tracking companies I’d never heard of.
Looking under the hood of FaceApp with the tools from my iPhone test, I found it sharing information about my phone with Facebook and Google AdMob, which probably help it place ads and check the performance of its ads. The most unsettling part was how much data FaceApp was sending to its own servers, after which … who knows what happens. It’s not just your own face that FaceApp might gobble up — if you age friends or family members, their face gets uploaded, too.
FaceApp adds decades to your age for fun, but the popular, Russian-owned app raises privacy concerns
In an email exchange, FaceApp CEO Yaroslav Goncharov tried to clarify some of that.
These five questions are basics we ought to know about any app or service that wants something as personal as our faces.
1. What data do they take?
FaceApp uploads and processes our photos in the cloud, Goncharov said, but the app will “only upload a photo selected by a user for editing.” The rest of your camera roll stays on your phone. You can also use FaceApp without giving it your name or email — and 99 percent of users do just that, he said.
2. How long do they hold on my data?
The app’s terms of service grant it a “perpetual” license to our photos. Goncharov said FaceApp deletes “most” of the photos from its servers after 48 hours.
3. What are they doing with my data?
Is FaceApp using our faces and the maps it makes of them for anything other than the express purpose of the app, such as running facial identification on us? “No,” Goncharov said. Legally, though, the app’s terms give it — and whoever might buy it or work with it in the future — the right to do whatever it wants, through an “irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferrable sub-licensable license.” (Clear as mud?)
4. Who has access to my data?
Do government authorities in Russia have access to our photos? “No,” Goncharov said. FaceApp’s engineers are based in Russia, so our data is not transferred there. He said the company also doesn’t “sell or share any user data with any third parties” — aside, I pointed out, from what it shares with trackers from Facebook and AdMob. (Another exception: Users in Russia may have their data stored in Russia.)
5. How can I delete my data?
Just deleting the app won’t get rid of the photos FaceApp may have in the cloud. Goncharov said people can put in a request to delete all data from FaceApp’s servers, but the process is convoluted. “For the fastest processing, we recommend sending the requests from the FaceApp mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line. We are working on the better UI [user interface] for that,” he said.
Why not post this information to FaceApp’s website, beyond the legalese? “We are planning to make some improvements,” Goncharov said.
Same question for the app stores run by Apple and Google. Those giant companies make money from a cut of upgrades you can purchase in the app. We’re literally paying them to read the privacy policies — and vet that companies such as FaceApp are telling the truth. Why not better help us understand right where we download what’s really going on? Neither company replied with an on-the-record comment.
Much better to help us sort through all of this before millions of us upload our faces somewhere we might regret.
Read more tech advice and analysis from Geoffrey A. Fowler: