SINGAPORE, July 20 — Hysteria surrounding FaceApp went viral within hours of a sharply worded warning being posted online on Monday (July 15).

The Russian-made mobile application, with more than 80 million active users, is a photo filtering app which allows users to see what they or others might look like when they are older. It was branded in some quarters as being part of a Russian plot, sparking fears that the app could be collecting more personal data from its users than it should.

Is everyone overreacting based on the nationality of the app developer? Yes, experts said, but the app does make some demands of users that exceed those on apps such as Snapchat, Facebook and Instagram.

What is FaceApp and who developed it

FaceApp was developed by St Petersburg-based start-up Wireless Labs, whose chief executive officer is Yaroslav Goncharov — a former executive at Yandex, widely known as “Russia’s Google”.

Launched in 2017, the app built up a large following and then made headlines last year after users condemned its “ethnicity filters” as racist.

In the past week, however, its popularity surged again, as a viral challenge with the hashtag #AgeChallenge filled the Internet with photos of people — including celebrities — sporting grey hair and wrinkles. With the aid of artificial intelligence, the app renders an image of a user looking a few decades older in a matter of seconds.

How did panic spread?

On Monday, as the challenge was dominating social media, a software engineer from the United States, Joshua Nozzi, tweeted: “BE CAREFUL WITH FACEAPP — the face aging fad app. It immediately uploads your photos without asking, whether you chose one or not.”

By Tuesday morning, his accusation was being carried on multiple news platforms, prompting French security researcher Baptiste Robert to point out that FaceApp’s servers are based in the United States, not Russia.

A report in business news outlet Forbes added that some of FaceApp’s servers were hosted by Google in countries including Singapore, noting that the app uses third-party code, which would reach out to servers in the US and Australia.

FaceApp also clarified in statements to the media on Wednesday that user data is not transferred to Russia, and that most of the photo processing is done “in the cloud”.

However, it “might store an uploaded photo in the cloud”, it stated, in order to facilitate “performance and traffic”.

“We want to make sure that the user doesn’t upload the photo repeatedly for every edit operation,” FaceApp told 9to5Mac, the first website to carry Nozzi’s allegations. “Most images are deleted from our servers within 48 hours from the upload date.”

Although Nozzi recanted his initial position in a blog post on Wednesday, the damage from his initial tweet was done.

Alarming fine print

The episode prompted online users to read the fine print under the app’s terms of use, and one clause in particular did not sit comfortably with them.

It states: “You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sublicensable licence to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”

Nozzi also realised that FaceApp connects to users’ Facebook accounts, whether they want it to or not. “It does use their API (Application Programming Interface) to identify itself and the device to Facebook even if you don’t tap the Facebook share button,” the app maker said.

He also raised other red flags, such as the “completely unnecessary” level of photo access requested, and how it does not warn users beforehand that selecting a picture would send that photo to the FaceApp servers for processing.

Is it different from other apps?

Similar concerns were raised when Snapchat released a new update for the terms of service for its app in 2015, which asserted its rights to reproduce, modify, and republish photos, and save those photos to Snapchat’s servers.

After its users expressed outrage, branding the terms “scary” and threatening to delete their accounts, Snapchat said in a blog post that its new terms indeed granted the company “broad licence” to user content, but that is “common to services like ours”.

Instagram’s terms sparked massive outcry in 2012, but it was over language suggesting that the app, and its owner Facebook, would be allowed to sell the photos or related data that users upload to third parties without permission.

What experts say about data collection

Putting in context the brewing FaceApp episode, cyber-security experts told TODAY that it is technically possible for any app to be collecting more data than it should, pointing out that this applies to extensively used apps such as Google and Facebook.

Dr Steven Wong, president of the Association of Information Security Professionals, said: “For apps that take photos of the user, the user must be aware that high-resolution pictures of them are now available to the vendor.” He highlighted that these high-resolution photos can be abused to make some basic facial authentication systems.

Terence Siau, general manager for Singapore at London-based think tank Centre for Strategic Cyberspace, said that in agreeing to FaceApp’s privacy policy, users “allow FaceApp to use their content which may include using the photo to be published as an (advertisement) or using it to develop facial recognition tech”.

He noted that most social media platforms make money by harvesting personal data.

Digital forensics specialist Ali Fazeli said that the privacy problem is more widespread than commonly thought. “Apps like Facebook and Instagram not only keep the photos and posts on the server, they also harvest metadata such as personal details, location details, user search behaviour, and the social networking map of each user,” he said.

Noting that US Senate minority leader Chuck Schumer had asked the Federal Bureau of Investigation to launch a probe into FaceApp, Fazeli added: “I think the US senator must be really worried about the American apps and not the Russian app.”

In 2013, Edward Snowden leaked documents showing that the US National Security Agency had forced US tech companies, including Facebook, to hand over the data of millions of people around the world to American spies under a programme called Prism.

Ori Sasson, director of cyber-intelligence firm S2T, noted that the trove of photos that FaceApp accumulates is “not valuable” unless it is matched with accompanying data, such as the users’ names, ages, contact numbers and identification numbers.

Still, caution is called as users give “more power” to malicious figures behind apps than those behind links, where phishing is a common mode of attack, he said. — TODAY