eXtensions - Monday 22 July 2019
Cassandra - Online Image Conversions by FaceApp and More: Who Owns What and Should We Care
By Graham K. Rogers
While some have been concerned about the potential for abuse of data, security professionals have had a look and suggest that the initial alarms may not have been valid. Sen. Chuck Schumer was alarmed about the Russian connection and has demanded that the FBI have a look. However, Devin Coldewey (TechCrunch) is not convinced and takes the explanation of the developer at face value: "user data is not in fact sent to Russia, the company doesn't track users and usually can't, doesn't sell data to third parties, and deletes 'most' photos within 48 hours."
There is, however, the problem that the T&C concedes ownership to the developer until the end of time, which is slightly less than Facebook or Twitter when it comes to user images. When the TechCrunch comment appeared I was not wholly convinced, as the only assurances were coming from the developer spokesman and (in the spirit of MRC), "He would say that, wouldn't he?"
In the Guardian, Arwa Mahdawi took this a little further, noting that "this is a fault in the way it is allowed to access images" and, despite earlier fears, it is only uploading the selected images. The article also added information from the developers that "[although the] core R&D team is located in Russia, the user data is not transferred to Russia". Again, that was on the say-so of the spokesman.
Schumer was not convinced and is right to be concerned about such methods of manipulating images. Why does it need a server? Surely, if the developers are that smart, there could be in-app processing. When a user sends an image, unless the metadata is specifically stripped out, there is a lot of information that could be useful for marketing (at best) or for other purposes. As an example, in a simple image (a closeup of work on an oil painting I saw last week) I can use the Investigator app installed on my iOS devices to show the embedded metadata as in the 4 screenshots here:
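The metadata stripping mentioned above, as an added example that is not part of the original article: a Python sketch that walks the segments of a JPEG file and drops those that carry EXIF/XMP, IPTC and comment data before the image leaves the device. It assumes a baseline JPEG layout and removes only the three segment types listed; the sample bytes are constructed for the example and are not a real photograph.

```python
import struct

# Second marker byte of JPEG segments that carry metadata rather than pixels.
APP1, APP13, COM = 0xE1, 0xED, 0xFE  # EXIF/XMP, IPTC, free-text comment
METADATA_MARKERS = {APP1, APP13, COM}
SOS = 0xDA  # start of scan: compressed image data follows


def split_segments(jpeg: bytes):
    """Yield (marker, raw_bytes) for each header segment, then
    (None, rest) for the scan data and everything after it."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            break
        # The 2-byte big-endian length counts itself but not the marker.
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]


def strip_metadata(jpeg: bytes):
    """Return (cleaned_bytes, list_of_removed_markers)."""
    out, removed = [b"\xff\xd8"], []
    for marker, raw in split_segments(jpeg):
        if marker in METADATA_MARKERS:
            removed.append(marker)
        else:
            out.append(raw)
    return b"".join(out), removed


def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (helper for the sample only)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, EXIF block, comment, table, scan data.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9))
          + seg(APP1, b"Exif\x00\x00constructed GPS + device tags")
          + seg(COM, b"constructed comment") + seg(0xDB, bytes(65))
          + b"\xff\xda\x00\x08scan\xff\xd9")
```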
Commenting on the wider issue of privacy and granting access to photographs, Sidney Fussell (The Atlantic) suggests this is a symptom of the times and few look at the potential for abuse that is authorized by users who want to use these apps, including Facebook. Most users are unaware of the potential for abuse when opening up apps to access data on devices. Worse: most users don't care.
In his 2016 article, Daniel Bader (Android Central) outlined some of the T&C concerning image ownership and data use, but there is no mention that the AI conversions were taking place in Russia. Not many read the T&C and I often criticize my students for this. I do, and I note also that in the T&C for Prisma there is the comment that, "You will need to use your credentials (e.g., username and password) from a third-party online platform to access some or all of our Services." It is not clear if the password is provided to Prisma, but I would hope not.
Note also the wide conditions in the iOS Terms & Conditions concerning ownership of output:
It would seem to be theirs and not yours.
Note that when the developer first set up, there was an operation that could receive, convert and send back thousands of images from worldwide users, all using (then) a free app. This appears to have changed from its initial version and there is now a 3-day trial period after which there are subscriptions. I may be a little cynical, but no one seemed to question who paid for that or what would be happening to the data. Doubtless income from the subscriptions has now recovered the initial costs.
I look forward to confirmation (one way or another) from the FBI, or from any other security organizations that are looking into questions surrounding the FaceApp and its use of data. Mind you, the access to photographs of the few million or so who signed up for this app pales in comparison with the amount of information that was vacuumed up and then used to sway public opinion by Cambridge Analytica and Facebook. This is still being done.
Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs. After 3 years writing a column in the Life supplement, he is now no longer associated with the Bangkok Post. He can be followed on Twitter (@extensions_th)