Have You Tried FaceApp? Your Digital Privacy May Be At Risk

If you’re one of the very few people who haven’t tried out FaceApp yet, no doubt your Facebook feed has already been flooded by those who have. The free app (available on both iOS and Android) which lets you see what you’d look like if you were younger, older or a member of the opposite sex, has caused quite a stir since its launch and currently rocketing to the top of the app charts, after being downloaded by millions of users.

But don’t be too hasty to jump on the bandwagon. Security experts have warned that people who use FaceApp may be putting their personal information at risk, including the pictures they are sharing of themselves.

Michael Bradley, a managing partner at law firm Marque Lawyers, told ABC Australia: “Anyone who has placed their face online in conjunction with their name and other identifying data (for example, anyone with a social media profile or website profile), is already plenty vulnerable to being digitally captured for future facial recognition uses.”

So what information are you giving up when using FaceApp, and should you be worried?

“When you use our Service, our servers automatically record certain log file information, including your web request, Internet Protocol address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Service, domain names, landing pages, pages viewed, and other such information,” reads FaceApp’s privacy policy.

The app uses “device identifiers” allowing the company to monitor how you browse and use the app in order to target you with “personalized content, which could include online ads or other forms of marketing“.

Users must also agree to have their information shared “with businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group.” The policy does not state what companies this includes.

In the event that FaceApp is sold to another company, all of your personal information may be sold along with it, although the terms state that users will still own the content they upload and that the buyer “will have to honor the commitments we have made in this Privacy Policy.”

Lee Munson, security researcher at Comparitech, suggested that FaceApp’s privacy policy is fairly typical of smartphone apps.

“It’s a standard privacy policy – the company shares some limited data with third parties, may transfer ownership if company is sold, et cetera,” he told IBTimes UK. “Not particularly awesome for privacy-concerned users but no different to what 99.999% of other companies are doing.”

Still, the lack of a hardy privacy policy is more pertinent when dealing in facial recognition technology, particularly when users are uploading possibly the most personally-identifiable piece of information they could provide: their own face.

“As should be the case across the board, people would be advised to think about how your data might be used before downloading an app and agreeing to its privacy settings,” said David Emm, principal security researcher at Kaspersky Lab.

“In addition to the data conundrum, with facial recognition and biometrics looking like the new frontier of authentication, we should all be wary about sharing our facial likeness without a second thought. Our faces could conceivably become a mechanism for authentication, so we may soon have to start treating our faces like passwords and being aware that data obtained by companies such as FaceApp can easily fall into the hands of cybercriminals and be used to spoof our identities.”

FaceApp hasn’t seemed to raise as many red flags so far among the privacy-wary as another photo-altering app called Meitu did. But the privacy policy for FaceApp has still been creeping people out this week. According to that policy, FaceApp tracks and collects quite a lot of information about you from your phone when you use the app, both for the purposes of “improving the service” and to show you lots of ads. The question of how unusual that is for an app like this, though, is a different one.