Two-Faced App: UK Watchdog monitoring privacy concerns over FaceApp

August 1, 2019

3 min read

Sign up to our mailing list! 👇

What's going on here?

The Information Commissioner’s Office (ICO) is considering allegations that FaceApp, the popular face-aging photo app, is misusing personal data.

What does this mean?

FaceApp, which operates on iPhone and Android devices, allows users to place AI-powered filters, such as instant ageing and smiling, over uploaded pictures of their faces. Thousands of people, including celebrities, have shared their results from the app on social media platforms using the hashtag #faceappchallenge. However, concerns have been raised over how Personal Data is being collected, stored and possibly shared by the app.  

US lawyer Elizabeth Potts Weinsein argued that the app’s terms and conditions suggested user photos could be used for commercial purposes, such as FaceApps’ own advertisements. However, Lance Ulanoff, editor-in-chief of tech website Lifewire, highlighted that Twitter’s Terms of Service contained a similar clause. FaceApp’s chief executive Yaroslav Goncharov responded by stating that the terms in FaceApp’s privacy policy were generic and that the company does not share any data for ad-targeting purposes or sell or share any user data with any third parties.

Mr Goncharov also denied the allegations that the app stored the photo libraries of users without their permission, stating that they “only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud. Most images are deleted from our servers within 48 hours of the upload date.”

Others have speculated that FaceApp may use data gathered from user photos to train facial recognition algorithims. This can be done even after the photos are deleted as the measurements of features on a person’s face can be extracted and used for this purpose. However, Mr Goncharov stated they “don’t use photos for facial recognition training, only for editing pictures.”

What's the big picture effect?

The allegations around FaceApp highlight the threat to privacy social media poses if strict safeguards are not put in place. One such safeguard is the EU General Data Protection Regulations (GDPR). Under the GDPR, users have the right to know whether their data is stored in or outside the EU, whether their data is shared with third parties or used for secondary purposes, and how to exercise the right to object, erase or access their data. FaceApp’s terms & conditions are noncompliant with some articles of the GDPR.

In FaceApp’s case, the server that stores user photos is located in the US, whilst FaceApp itself is a Russian company with offices in St Petersburg. Where Personal Data is transferred from the EU to a country that does not ensure an adequate level of protection, users have the right to know what appropriate safeguards are in place to protect their data. The European Commission determines which countries have sufficient protection and currently, both Russia and the United States fall below the threshold. To date, FaceApp does not specifically warn users about this transfer of data outside the EU.

The French Supervisory Authority (Cnil) recently published a set of guidelines and tutorials outlining potential privacy issues when using apps such as FaceApp. Cnil advises that mobile apps should only be downloaded from official stores, such as the Apple App store or Google Play store, in order to avoid downloading malware or other potentially fraudulent apps.

Cnil also advises verifying in phone settings whether the app can access only selected photos or all photos stored on the device. This is in addition to revoking access to cameras and mobile data after use, in order to minimise the amount of access the app may have to your personal data.

A spokesperson for the ICO stated, “We would advise people signing up to any app to check what will happen to their personal information and not to provide any personal details until they are clear about how they will be used.”

It remains to be seen whether the ICO will launch an investigation or simply monitor the situation.

Report written by Erin Stockdale

If you’d like to write for LittleLaw, click here!

Share this now!

Check out our recent reports!