Cyber Security Expert Warns of the Dangers of FaceApp: Hacking Your Privacy & Stealing Personal Information

FaceApp, the AI-powered selfie-editing app that’s been having another viral moment of late, has now responded to a privacy controversy that we covered earlier here.
We’ve pasted the company’s full statement at the bottom of this post.
The tl;dr here is that concerns had been raised that FaceApp, a Russian startup, uploads users’ photos to the cloud — without making it clear to them that processing is not going on locally on their device.
Another issue raised by FaceApp users was that the iOS app appears to be overriding settings if a user had denied access to their camera roll, after people reported they could still select and upload a photo — i.e. despite the app not having permission to access their photos.
As we reported earlier, the latter is actually allowed behavior in iOS — which gives users the power to choose to block an app from full camera roll access but select individual photos to upload if they so wish.
This isn’t a conspiracy, though Apple could probably come up with a better way of describing the permission, as we suggested earlier.
On the wider matter of cloud processing of what is, after all, facial data, FaceApp confirms that most of the processing needed to power its app’s beautifying/gender-bending/age-accelerating/-defying effects is done in the cloud.
Though it claims it only uploads photos users have specifically selected for editing. Security tests have also not found evidence the app uploads a user’s entire camera roll.
FaceApp goes on to specify that it “might” store the photos users have chosen to upload in the cloud for a short period, claiming this is done for “performance and traffic” — such as to make sure that a user doesn’t repeatedly upload the same photo to carry out another edit.
“Most images are deleted from our servers within 48 hours from the upload date,” it adds.
It also claims no user data is “transferred to Russia”, even though its R&D team is based there. So the suggestion is that storage and cloud processing are being performed using infrastructure based outside Russia. (We’ve asked it to confirm where this is done. Update: Founder Yaroslav Goncharov told us it uses AWS and Google Cloud.)
“We don’t sell or share any user data with any third parties,” it adds.
FaceApp also says users can request their data is deleted. Though it doesn’t yet have a very smooth way to do this — instead it asks users to send delete requests via the mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line, adding that it’s “working on a better UI for that”.
It also points out that the vast majority of FaceApp users don’t log in — making the point that it’s not able to link photos to identities in most cases.
Here’s its statement in full:
We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
5. We don’t sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
But be warned: FaceApp, which you grant permission to access your photo gallery, also includes in their Terms and Conditions that they have the right to modify, reproduce and publish any of the images you process through its AI.
That means that your face could end up being commercialized — or worse.
UK-based Digitas strategist James Whatley said on Twitter, “You grant FaceApp a perpetual, irrevocable… royalty-free… license to use, adapt, publish, distribute your user content… in all media formats… when you post or otherwise share.”
That means they can also use your real name, your username or “any likeness provided” in any format without notifying, much less paying, you. They can retain that material as long as they want, even after you delete the app, and you won’t be able to stop them. Even those who set their Apple iOS photo permissions to “never,” as TechCrunch points out, are not protected against the terms.

Security expert Ariel Hochstadt told Daily Mail that hackers, who are not infrequently agents of the Russian government, can log the websites visited and “the activities they perform in those websites,” though they might not know the identity of the person being tracked.

But when we also give them access to our phone’s camera, they can “secretly record” someone — who could be a targeted or prosecuted member of society, says Hochstadt, such as “a young gay person.” Now the hackers (and Russian government by proxy) can cross-reference your face and phone information with the websites you’re using.
Hochstadt continues, “They also know who this image is, with the huge database they created of Facebook accounts and faces, and the data they have on that person is both private and accurate to the name, city and other details found on Facebook.”
Even if hackers aren’t exactly working with the Russian government, says Hochstadt, “With so many breaches, they can get information and hack cameras that are out there, and be able to create a database of people all over the world, with information these people didn’t imagine is collected on them.” 

Eventually, technology expert Steve Sammartino believes, your face will also be used to access even more critical private information, such as banking credentials.
“Your face is now a form of copyright where you need to be really careful who you give permission to access your biometric data,” he tells journalist Ben Fordham. “If you start using that willy-nilly, in the future when we’re using our face to access things, like our money and credit cards, then what we’ve done is we’ve handed the keys to others.”
One cybersecurity expert, however, is warning these fun apps can come with consequences.

David Shipley with Beauceron Security said that while the product may be advertised as ‘free’, it’s your information that’s the real price. He noted that even a picture of your face can do plenty of damage.
“It can be used to identify you and unlock things like your smartphone or other things and you want to make sure you protect your identity.”
Shipley said that some hackers will go to extreme lengths to steal personal information.
“We’ve seen hacks in the last two years of Android phones that use facial ID, that if someone can get enough photos of your face and can actually 3D print a head and unlock your phone.”
He said the best way to secure your data is to check the user agreement before downloading these kinds of apps.
Shipley warns that other nefarious things hackers can do include selling your search history and your location to other companies.
“A lot of companies trade data, almost like trading baseball cards like kids, and because they can sell it, they didn’t violate the spirit or terms of your agreement, but it certainly wasn’t what a lot of people thought was going to happen with their data.”
Overall, issues like this can pose serious problems in the future.
“People’s photos being used to create fake social media profiles that look more real and authentic or to make a copy of your very own social media profile to then target your friends and family with a variety of different scams and attacks.”
Milan Tomic
