FaceApp gets federal attention as Sen. Schumer raises alarm on data use
It’s been hard to get away from FaceApp over the last few days, whether it’s your friends posting weird selfies using the app’s aging and other filters, or the brief furore over its apparent (but not actual) circumvention of permissions on iPhones. Now even the Senate is getting in on the fun: Sen. Chuck Schumer (D-NY) has asked the FBI and the FTC to look into the app’s data handling practices.
“I write today to express my concerns regarding FaceApp,” he writes in a lettersent to FBI Director Christopher Wray and FTC Chairman Joseph Simons. I’ve excerpted his main concerns below:
Furthermore, it is unclear how long FaceApp retains a user’s data or how a user may ensure their data is deleted after usage. These forms of “dark patterns,” which manifest in opaque disclosures and broader user authorizations, can be misleading to consumers and may even constitute a deceptive trade practices. Thus, I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it.
In particular, FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments.
For the cave-dwellers among you (and among whom I normally would proudly count myself) FaceApp is a selfie app that uses AI-esque techniques to apply various changes to faces, making them look older or younger, adding accessories, and, infamously, changing their race. That didn’t go over so well.
There’s been a surge in popularity over the last week, but it was also noticed that the app seemed to be able to access your photos whether you said it could or not. It turns out that this is actually a normal capability of iOS, but it was being deployed here in somewhat of a sneaky manner and not as intended. And arguably it was a mistake on Apple’s part to let this method of selecting a single photo go against the “never” preference for photo access that a user had set.
Fortunately the Senator’s team is not worried about this or even the unfounded (we checked) concerns that FaceApp was secretly sending your data off in the background. It isn’t. But it very much does send your data to Russia when you tell it to give you an old face, or a hipster face, or whatever. Because the computers that do the actual photo manipulation are located there — these filters are being applied in the cloud, not directly on your phone.
His concerns are over the lack of transparency that user data is being sent out to servers who knows where, to be kept for who knows how long, and sold to who knows whom. Fortunately the obliging FaceApp managed to answer most of these questions before the Senator’s letter was ever posted.
The answers to his questions, should we choose to believe them, are that user data is not in fact sent to Russia, the company doesn’t track users and usually can’t, doesn’t sell data to third parties, and deletes “most” photos within 48 hours.
Although the “dark patterns” of which the Senator speaks are indeed an issue, and although it would have been much better if FaceApp had said up front what it does with your data, this is hardly an attempt by a Russian adversary to build up a database of U.S. citizens.
While it is good to see Congress engaging with digital privacy, asking the FBI and FTC to look into a single app seems unproductive when that app is not doing much that a hundred others, American and otherwise, have been doing for years. Cloud-based processing and storage of user data is commonplace — though usually disclosed a little better.
Certainly as Sen. Schumer suggests, the FTC should make sure that “there are adequate safeguards in place to protect the privacy of Americans…and if not, that the public be made aware of the risks associated with the use of this application or others similar to it.” But this seems the wrong nail to hang that on. We see surreptitious slurping of contact lists, deceptive deletion promises, third-party sharing of poorly anonymized data, and other bad practices in apps and services all the time — if the federal government wants to intervene, let’s have it. But let’s have a law or a regulation, not a strongly worded letter written after the fact.