(CNN) – The Democratic National Committee sent a security alert to 2020 presidential campaigns Wednesday afternoon warning them not to use the popular smartphone application FaceApp, CNN has learned.
“This app allows users to perform different transformations on photos of people, such as aging the person in the picture. Unfortunately, this novelty is not without risk: FaceApp was developed by Russians,” the alert from Bob Lord, the DNC’s chief security officer, read.
In 2016, the DNC and Democratic campaigns were attacked by Russian hackers. Since 2016, the DNC has sought to take steps to prevent a repeat of 2016 by investing in cyber security, including hiring Lord, a former Yahoo! executive.
Lord told campaigns that the DNC had “significant concerns about the app (as do other security experts) having access to your photos, or even simply uploading a selfie.”
“It’s not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks,” Lord continued.
Lord recommended “campaign staff and people in the Democratic ecosystem” should not use the app.
He added, “If you or any of your staff have already used the app, we recommend that they delete the app immediately.”
Last August, the DNC warned candidates running in last November’s midterms not to use devices produced by Chinese manufacturers ZTE and Huawei.
FaceApp’s viral success
In early 2017, a service called FaceApp received a wave of press for using artificial intelligence to transform pictures of faces, making them look older or younger, male or female, or adding a smile to appear happier.
This week, FaceApp once again made headlines as celebrities, including the Jonas Brothers, Drake and Dwayne Wade, appeared to use the app to show what they might look like when they get much older. Enough people rushed to download the app and see their own selfies turn gray that FaceApp is currently the top free app in Apple’s App Store.
By Wednesday morning, however, there were growing privacy concerns about the app. As one breathless headline in a New York tabloid put it: “Russians now own all your old photos.”
The fears came from stitching together scary sounding but unfortunately not uncommon wording in the app’s terms of service with an unverified — and now deleted — claim from a developer on Twitter about the app “uploading all your photos” and the simple fact that the company is based in St. Petersburg, Russia.
The FaceApp episode highlights how, after more than a year of high-profile privacy scandals in the tech industry, consumers still don’t adequately scrutinize services before handing over their sensitive personal data. At the same time, it’s a reminder of how little we understand how companies collect our information and what rights they have to it.
Joshua Nozzi, the developer who first raised alarms about FaceApp, and other security researchers later knocked down the initial fear that FaceApp is covertly harvesting your entire smartphone camera roll. Likewise, the fact that a company is based in Russia doesn’t automatically mean it’s a tool of the Russian government.
“Most images are deleted from our servers within 48 hours from the upload date,” the company said in a lengthy statement provided to TechCrunch addressing the privacy concerns. (Representatives for FaceApp did not immediately respond to our request for comment.)
What remains concerning, however, is the language in the app’s terms of service. In one densely-worded section, the company informs users that they “grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”
Translation: FaceApp can effectively do what it wants with your selfie. But this puts FaceApp in pretty good company. Other prominent tech companies have inserted similarly concerning language into terms of service over the years to assert their rights to use names, pictures and other content shared by users as they please.
“If you share a photo on Facebook, you give us permission to store, copy, and share it with others,” Facebook says in its own terms of service.
And yet, we keep sharing first and asking questions later, if we ask them at all.
In between FaceApp’s first brush with virality and its explosion in popularity this week, there have been a number of tech privacy scandals, any one of which should arguably have been enough to make people at least reconsider how much information they share with tech companies.
Data collected through a seemingly benign personality test on Facebook was provided to Cambridge Analytica, a controversial data firm that worked for Donald Trump’s presidential campaign. A popular period tracking app was found to be sharing data with Facebook. Amazon reportedly employs a global team to listen when you speak to its Echo smart speakers.
But the moment we hear about a flashy new service that can make our selfies look older, or match them with a famous painting, we are quick to throw caution to the wind and hand over the photo of our face, without knowing for sure where it’s stored or what it may be used for.
Tech companies certainly deserve criticism for their data privacy practices, but so do we.
See the full statement published by TechCrunch:
1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.
2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.
3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.
4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.
5. We don’t sell or share any user data with any third parties.
6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.
Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.