Senate Minority Leader Chuck Schumer has urged the FBI and the Federal Trade Commission to assess the dangers of the FaceApp programme, which prompted a recent online craze with millions using its filters to look 40-50 years older in pictures. The prominent Democrat shared his concern that the app could pose “national security and privacy risks for millions of users” and claimed their data could find its way into the hands of third parties, including the Russian government.
The Congressman pointed out that the developer of the hit app, which has become one of the most downloaded features in the Google Play and App Store, is a St. Petersburg-based company called Wireless Lab. Schumer claimed that users are required to provide full, irrevocable access to their photos and data.
BIG: Share if you used #FaceApp:
— Chuck Schumer (@SenSchumer) July 18, 2019
The @FBI & @FTC must look into the national security & privacy risks now
Because millions of Americans have used it
It’s owned by a Russia-based company
And users are required to provide full, irrevocable access to their personal photos & data pic.twitter.com/cejLLwBQcr
Senator Schumer also suggested that it would be “deeply troubling” if users’ info would be “provided to a hostile foreign power actively engaged in cyber hostilities against the US”, in a less that disguised reference to the meddling allegations against Russia. One of his claims is that it was unclear how long FaceApp keeps the data, suggesting that there are “dark patterns” in place.
“In the age of facial recognition technology as both a surveillance and security use, it is essential that users have the information they need to ensure their personal and biometric data remains secure”, he wrote in his letter to the agencies, asking to examine if FaceApp users’ privacy is safe from “being compromised”.
Although the Russian-developed application first went viral in 2017, it has enjoyed a popularity surge of late amid the so-called “FaceApp challenge”, or “Age challenge” as more and more social media users, including celebrities, use its AI tech to age photos and make themselves look older.
Along with popularity, came claims that it might misuse users’ data, for instance, uploading not only specific photos but the whole photo roll, storing people’s faces on its servers and transferring it to Russia. The Verge pointed out that its policy “incorporates broad language”, allowing various data for commercial purposes to be used, while lawyer Elizabeth Potts Weinstein has insisted that FaceApp’s policy is incompliant with the EU General Data Protection Regulation.
Another alarmist was software developer Joshua Nozzi who claimed on Twitter: “BE CAREFUL WITH FACEAPP—the face aging add app. It immediately uploads your photos without asking, whether you chose one or not”. He, however, later apologised for his tweet and said that he was wrong. As The Daily Beast reported, citing two security researchers, Frenchman Robert Baptiste and Google engineer Ivan Rodriguez, no evidence was found that the application downloads all photos.
Baptiste told the outlet that the privacy policy flaws, FaceApp is accused of, are quite common.
“Their privacy policy is bad, but this is common. It's not a good thing, but this is not unusual”, he said, while The Verge notes that “the only difference in this case is that unlike Facebook or Google, FaceApp is Russia-based, and thereby inherits ill will because of Americans’ perception of the country”.
Rodriguez, meanwhile, has noted that the photo to be edited is downloaded to Amazon-operated cloud servers, confirming the Russian developer’s statement that they are not transferring data to Russia.
FaceApp CEO Yaroslav Goncharov, who used to work for the Russian tech giant Yandex, also noted earlier that although the selected photos are uploaded to the cloud, they get deleted shortly after (48 hours to be precise). Goncharov has denied that the data is sold to any third party.
"We don't sell or share any user data with any third parties”, he told Forbes.
The developer also noted that his company accepts specific requests from users to remove their data from its servers. The team is said to be “overloaded” but users can still send a special request to delete their data through Setting>Support>Report a bug, marking the message as “privacy”.