It’s getting old, but we must join all the rest concerned with whether FaceApp is (still) intercepting your personal data. Created in 2017 by Wireless Lab, this Russian app has recently gone viral again with its new aging filter that got everyone, from Taylor Swift to your dad, wanting to look older.

But how and what exactly is this FaceApp taking away from you?

FaceApp’s Terms of Service

Well, there is no exact answer to the aforementioned question because FaceApp’s policies are quite vague and speak a lot about what they’re not doing now – but might be doing in the future.

As always, it all starts with the user giving FaceApp necessary permission to upload your photo to their servers. But what is buried in the Terms of Use and Privacy Policy is the extent to which it can be used. It says:

All processed images can be modified, reproduced, and even published, not counting out the commercialization

Again, let’s remind ourselves that if the product is free, it means you’re the product. Unfortunately, that works not only for FaceApp but for most of the apps that you use, such as Twitter or Instagram. So if you trust them, there’s no big reason why you shouldn’t trust FaceApp.

FaceApp policies have stayed the same

For starters, Wireless Lab has updated neither its Terms of Use nor its Privacy Policy since 2017, so you can be sure that everything you did this week with your face isn’t falling under some new agreements that will have you unknowingly advertising some anti-age cream on a billboard in Moscow.

On the other hand, the policies are broad enough to let this happen.

What’s more, FaceApp won’t necessarily walk the extra mile to inform you about the updates on their policies: “We may also attempt to notify you by sending an email notification to the address associated with your account, if any, or providing notice through our Services.”

Auto-agreement

To continue, you’re automatically agreeing with FaceApp’s Terms of Use by visiting their website or downloading the app. You won’t get any GDPR-like pop-ups that inform you of what happens if you continue browsing their website, especially if you’re in the US.

Ask your mom before use

The app can be used from age 13, but minors must be supervised by a parent or legal guardian who’ll get to agree to Terms of Use. As we all know, this probably won’t be the case, leaving parents and guardians responsible without knowing.

FaceApp can (ab)use your face

FaceApp does not claim ownership of any User Content that you post on or through the Services

While this sounds great from the user’s perspective, further reading brings more troublesome points:

You grant an irrevocable right to use your User Content, even for commercial purposes

Also, you cannot claim any injury that resulted from FaceApp using your User Content, which probably includes any mental illness after seeing a banner with your wife sporting a beard. In fact, there’s no way you could sue FaceApp unless there’s some copyright infringement when someone else uploads your pictures. Finally, any disputes will be solved without a class action, via individual arbitration, making it pretty hard to sue FaceApp for almost anything.

FaceApp jurisdiction

The services fall under the US jurisdiction, and your data is allegedly stored in Amazon and Google servers, which means you should be worrying first about your photos getting into the hands of the US and not Russia’s government. But the worst part is that your personally identifiable information can fall into Putin’s hands as well, with the R&D team of Wireless Lab based in Saint Petersburg.

FaceApp’s Privacy Policy

The first part about Wireless Lab servers recording your IP address, browser type, etc., and using that information to provide targeted ads is a common practice. But you have to keep in mind that all this data can now be paired with your face, which can be used to learn your gender, age, and other profiling info.

Later, Wireless Lab tries to reassure you that your information won’t be shared with third parties without your consent. Unfortunately, that doesn’t include FaceApp’s affiliate partners or those who help provide the service to you. That basically means any company that Wireless Lab decides to do business with.

Where and for how long FaceApp stores your images

While your images are stored on Amazon and Google servers, they can be stored in any country in which FaceApp, its Affiliates or Service Providers maintain facilities. So please keep in mind that even though the US is not the best place when it comes to protecting personal data, having it in Russia or China is by no means an upgrade.

What clearly stands out in the FaceApp Privacy Policy is the right to be forgotten, which is lacking

While the Wireless Lab founder Yaroslav Goncharov has stated that users can ask for their data to be deleted, FaceApp has yet to provide a better way to do so than reporting a bug, as it is now. He also claims that the majority of FaceApp users don’t log in, which means there’s no connection between their photos and other personal information.

Mr. Goncharov has also stated that most images are deleted within 48 hours. While this means that there’s no reason to be concerned for the majority of FaceApp users, there will probably be some photos deemed to be interesting that will stay on the Wireless Lab servers indefinitely.

Future risks of using FaceApp today

While FaceApp doesn’t pose any immediate threat – but obviously wants to get your data to sell or use it for targeted advertising – there’s a chance that will backfire later when your face will become your ID. In case of a data breach, your photo and other data can be used to access your bank account illegally. Nevertheless, it’s far-fetched, as most likely you’ll need 2-factor authentication to access your important accounts, which would also serve as a means to put off others from skinning your face.

And thinking of how many pictures you’ve shared everywhere already, the risk of fake-facing will be there, with or without FaceApp. Google has 8 million images to train face-recognition algorithms, while Facebook boasts at least 10 million. Microsoft and IBM have also used millions of photos for their own facial recognition services.

You won’t see your nudes from your camera roll online

FaceApp doesn’t upload your whole camera roll, contrary to some claims that began circulating yesterday. It’s only the photo that you’ve selected and uploaded. But this is a serious risk if the app scans and can identify the content of your photo library, which might include not only selfies but also some notes with Wi-Fi passwords or credit card numbers.

While some iPhone users might boast their “Never allow photo access” option makes them safe, the truth is that any app can override this by asking for one or more photos, and you tapping on them creates an exception to the rule. But it seems that iOS 13 will already have an “Only once” option, solving this “never means never” dilemma.

Bottom line

This is not the only viral action that results in data that corporations use for their benefit. For example, Google used YouTube videos with the mannequin challenge, where you had to stay still, to train AI. And who can say that your video was not one of them? And even if it was, do you feel violated now, after mindlessly clicking OK on those ToS and privacy policies that Google served you back in the day?

As always, whenever there’s something concerning security and privacy, the media is out there to create a big story of it. But the point is that we should be aware not of FaceApp or the next scandalous thing, but of our online security in general. More often than not, the most damage is done silently over a prolonged period, rather than in some spontaneous action that dies out in a few days.

That’s why we’re using this occasion for another reminder to check this online security list:

  • Do you use secure and unique passwords for each account?
  • If not, have you considered using a password manager?
  • Do you have any malware protection?
  • Are you encrypting your traffic and hiding your IP address with a VPN?

If you’ve found yourself shaking your head sideways more than nodding in approval, it’s time to put some effort into protecting all of your data to save your face.

And in this case, the sooner, the better.