Scrolling through your social media feeds, you likely noticed the surge of friends and public figures sharing posts of their future selves using the widely popular FaceApp. However, like most things, the devil is in the details. It’s only after combing through the Russian-affiliated application that cybersecurity experts began to question its user data privacy and practices—raising larger questions about user security regarding social media applications.
We sat down with CyZen’s Will Mendez to discuss the mounting concerns about user data privacy and practices following widespread scrutiny of FaceApp’s accepted terms of service.
FaceApp has been around since 2017, but it’s gone viral again with the new FaceApp Challenge. Do you think it’s a threat to people’s privacy?
It is still too early to tell as not enough testing of the application appears to have been done. I suspect because the application has gone viral it will face more scrutiny from the security community.
There are two main issues that could be a privacy concern:
- First, because the app requires the photo to be modified to be uploaded to the cloud, there could be a concern as to where the photo is being loaded and how it is being protected.
- Second, the terms and conditions of use appear to allow FaceApp to do what they please with user content such as your photos.
Is an app that uses artificial intelligence to collect biometric data on your face a potential privacy issue?
Without knowledge of the technology used one could speculate that the algorithms used to manipulate the uploaded images may be sufficient to reproduce images that can “fool” facial biometric systems used by phones. There is always a risk to privacy when collecting biometric data especially since we are not sure how that data is being safeguarded.
Should companies be worried if employees are doing this on company-owned devices?
Companies should always worry when employees install non-business related applications on company-owned devices. This increases the risk of the device being compromised due to vulnerabilities in the software.
- The use of this software provides a particular risk because employees may inadvertently take a picture of sensitive information at the office. Whether it’s a Post-it with a password (another risk in itself) or pictures of monitors that contain sensitive information, the application has the potential to upload sensitive information that could be used by a threat actor to target the organization.
- Additionally, if geotagging is enabled, the uploaded photo will reveal the location of the phone when the photo was taken. If the employee is working in a sensitive area or a classified area (such as deployed service members), the location would be revealed to FaceApp and to whomever they shared the photo with.
Are there other apps that people should be concerned about where they’re sharing their personal data?
Consumers should be concerned with every app they install on their mobile devices.
- They should pay particular attention to the permissions given to these applications as too much access could lead to sharing of personal information.
- Additionally, consumers should read the terms and conditions to determine how their data is being used. In the case of FaceApp, they appear to have carte blanche permission to do whatever with uploaded photos.
What advice can you give to individuals, and to companies, about the use of such apps that capture images of your face?
- First, always make sure the application has been verified either by Apple’s App Store or Google’s Play Store to minimize the risk of obtaining malicious software.
- Second, when installing applications, pay attention to the permissions being asked, such as the ability to access storage or other features.
For apps that capture images of your face, I would pay attention to how long those images will be stored as well as where. While the country of origin for apps may not be of concern, one should consider that if the country has very lax privacy laws and your data is stored in that country, your privacy may be at risk.
While social media is a powerful tool that connects and empowers users, its fluidity and accessibility make it easy to forget potential large-scale cybersecurity threats. Contact Will Mendez with any questions you may have surrounding your cybersecurity solutions.
Compliments of Cyzen, a member of the EACCNY