Is your smartphone app a risk to your privacy?

Lately, you may have noticed pictures popping up on your Instagram, Facebook and Twitter feeds of familiar faces looking older, younger or even changing in gender or ethnicity. This is due to a recent surge in popularity of a Russian-owned app called FaceApp, which lets users alter their photos with different filters. 

However, this seemingly harmless fun could have implications for the protection of your personal data. The so-called ‘FaceApp Challenge’ has seen celebrities such as Kim Kardashian, Drake and Kevin Hart sharing photos of themselves looking significantly aged – but are any of them aware of the possible threat to their personal data?

A close look at the vague terms and conditions in FaceApp’s privacy policy unveils some unsettling statements that could mean users are putting their biometric information at risk. 

Apps and compliance with privacy rules

It has come to light that FaceApp is not entirely compliant with European privacy laws (such as the GDPR), and concerns have been voiced about the app’s connections to Russia, a country that fails to meet the required level of data protection laid out in the strict EU legislation, which aims at protecting our privacy – especially in an online environment. 

For example, Article 8 of the GDPR states that the processing of personal data of persons under the age of 16 is only lawful where the holder of parental responsibility has given consent; the general approach to this by FaceApp seems surprisingly lax, with no active measures in place to ensure this, and an age requirement of 4+ listed in the app store. 

Following the social-media concerns, the US Senate minority leader has even called for the FBI and Federal Trade Commission to conduct a security and privacy investigation into the app.

Criticism

The company responsible for publishing FaceApp is facing criticism of its data collection, storage and retention practices, which its privacy policy does little to appease. The terms and conditions state that the app has the right to reproduce and publish any images users upload and that it can retain the photos and personal user information for ‘commercial use’.

The company’s founder has spoken out about these rising concerns, denying that FaceApp accesses the photo libraries of its users and assuring users that it only uploads photos selected by the user to its remote servers. The company claims that most images are deleted from their servers within 48 hours and are not generally transferred to Russia. Currently, there is no evidence to suggest anything sinister is happening concerning users’ personal data, or even that the app is accessing entire camera rolls, and users can even request that all their data be deleted (a right that is in any case inherent in the GDPR).

However, likely unbeknownst to most users, these types of apps are not only gathering your photos, but also your metadata – think of how Snapchat collects your geographical information and accesses your private messages and contacts. Research suggests that FaceApp and similar apps are not doing anything particularly unusual concerning the access and handling of users’ personal data, but nevertheless, it is heightening the conversation around these ‘standard’ practices that may be more invasive than users perceive.

What can you do to protect your privacy?

In France, CNIL, the authority responsible for overseeing privacy matters, has taken things into its own hands. Indeed, CNIL recently published tips and advice on how to stay safe concerning photo-editing applications that could be accessing your personal data. Whilst these tips are aimed at French users, they are actually really useful for anyone in Europe and even further afield!

  • Read the T&Cs

According to CNIL’s advice, you are strongly advised to read the terms and conditions of an app carefully before accepting or even downloading anything. 

These terms should tell you whether your photos are being kept in or outside of the European Union, if they are communicated to third parties, if they are ever reused for other purposes and whether or not there is a way to exercise your GDPR rights (e.g. right of deletion, right to be informed, etc.). 

  • Check the legitimacy of any app

Always check the legitimacy of the app by only downloading it from an official app store and checking its reviews. A quick Google search can also let you know if there are any scandals related to the app, meaning that you can make a more informed choice before you choose to use it.

  • Photo Uploads – Consent of family & friends

CNIL points out that an app’s access to the camera and library means that the app can access all of your photos, not just the ones you intend to submit.

When uploading your photo, beware of messages that offer access to your full album!

Furthermore, although you have accepted the terms and conditions of the app, people you take photos of might not have. Your colleagues or relatives may not have accepted the terms of use of this app. Out of respect for their privacy and especially if these photos can be made public, only use photos of yourself within the application.  

  • Check if you want to share other data on your smartphone

Finally, as mentioned above, if you share photos, keep in mind that they may also include metadata, such as geolocation, the time pictures were taken or information on your device. Some applications can even continue to run and collect data when you are not using them anymore. Remember to revoke the app’s permissions after use.

Conclusion

Some serious privacy activists might say that the safest way to protect your privacy online or when using apps is simply not to use them! However, that is not always realistic (or even the most fun option!).

Depending on what checkbox you tick, an unscrupulous company taking your data may use it for purposes which you never even imagined (including publishing images as memes or GIFs online), and you wouldn’t want this coming back to haunt you down the line – for example, when you are applying for a new job or making a college application. 

Therefore, our message here is just to be aware of your privacy rights, and any related risks – especially in respect of the data you are sharing. For example, sharing your email address is one thing – if it falls into the wrong hands, your email address can be easily changed. With biometric personal data, such as photos of your face or even voice recordings, changing your face or voice to later safeguard your privacy is almost impossible!

Article by Rebecca Willoughby and Charlotte Gerrish @ Gerrish Legal, first published on TechGirl in October 2019
