
FaceApp Warning


PDR
1327082.  Sat Jul 20, 2019 3:50 am

Thought I'd pass this on to those with a FaceAche dependency. It's an internal "security advisory":

Corporate Cyber-defenders wrote:
Greetings Teammates,

As many of you are social media users, I wanted to send out some information regarding the newest trend, FaceAPP.

FaceApp is a new app that hit the market in the last few days and has become extremely popular. You can alter your looks, clothing, and even make yourself older & younger. It has been confirmed that this is Russian owned. There are several privacy concerns and the Terms of Use are very scary. If I were you, I'd stay away!!! Several news outlets have been broadcasting information regarding this app and putting a warning out there to users.

You can find the app's website and see the full terms and privacy information for yourself:
Website: https://faceapp.com/
Terms: https://faceapp.com/terms
Privacy: https://faceapp.com/privacy

Below are some of the concerns, directly from the App's terms page:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.
You grant FaceApp consent to use the User Content, regardless of whether it includes an individual's name, likeness, voice or persona, sufficient to indicate the individual's identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp's use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf. You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.


Up to you, but a popular expression including a reference to a bargepole would seem appropriate...

PDR

 
Willie
1327099.  Sat Jul 20, 2019 4:35 pm

PDR wrote:
Thought I'd pass this on to those with a FaceAche dependency. It's an internal "security advisory":

Corporate Cyber-defenders wrote:
Greetings Teammates,

As many of you are social media users, I wanted to send out some information regarding the newest trend, FaceAPP.

FaceApp is a new app that hit the market in the last few days and has become extremely popular. You can alter your looks, clothing, and even make yourself older & younger. It has been confirmed that this is Russian owned. There are several privacy concerns and the Terms of Use are very scary. If I were you, I'd stay away!!! Several news outlets have been broadcasting information regarding this app and putting a warning out there to users.

You can find the app's website and see the full terms and privacy information for yourself:
Website: https://faceapp.com/
Terms: https://faceapp.com/terms
Privacy: https://faceapp.com/privacy

Below are some of the concerns, directly from the App's terms page:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.
You grant FaceApp consent to use the User Content, regardless of whether it includes an individual's name, likeness, voice or persona, sufficient to indicate the individual's identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp's use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf. You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.


Up to you, but a popular expression including a reference to a bargepole would seem appropriate...

PDR


Whilst you should always be careful of the security risks of any online activity, Faceapp is really getting an overblown scaremongering reaction.

The app is Russian owned, but the servers the images are edited on are in the USA. It does not download all your images as was reported, but only the ones you specifically upload, and as to the terms and conditions, they really are not that different to other web service providers such as Twitter:

Quote:
By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).

 
tetsabb
1327105.  Sat Jul 20, 2019 6:32 pm

I hope they enjoy my dickpics....
:-)

 
Leith
1327127.  Sun Jul 21, 2019 9:17 am

Willie wrote:
The app is Russian owned, but the servers the images are edited on are in the USA.

Physical location of servers has limited relevance to privacy concerns. It's the identity of the people who administer and access the data and the quality of their data security that matters.
This forum is (or at least has been) hosted on US servers. That has no bearing on the fact that the folks who look after the underlying database are mostly doing so from the UK.

Willie wrote:
It does not download to all your images as was reported, but only the ones you specifically upload

The app requires that you grant it access to all your photos. I think that's a fairly inevitable consequence of the way smart phone app security works at the moment, and I'm not aware of any evidence that this particular app is abusing the access that it is granted. Once granted that access, however, I don't think there is any legal or technical impediment to such an app harvesting any picture data it might want to. That's certainly something worth highlighting to people who might not have considered the security and privacy implications. This applies equally to most apps that do cloud-based image processing.

Willie wrote:
and as to the terms and conditions they really are not that different to other web service providers such as Twitter

Twitter is a platform for broadcasting social media content. It's fairly obvious why it would need the legal rights to broadcast any content you provide to it. It's worth thinking about why an app that is ostensibly a photo editor needs such rights and what that might imply about its owner's business model and what they are doing with the data they are provided.

Even then, the FaceApp terms on privacy and advertising go somewhat beyond typical social media app terms. In particular they provide quite restricted ability to delete your data once it has been uploaded.

This seems a reasonably balanced treatment of the topic:
https://www.techradar.com/uk/news/is-faceapp-safe-a-deeper-look-at-the-viral-hit

 
Willie
1327128.  Sun Jul 21, 2019 9:41 am

Leith wrote:
Willie wrote:
The app is Russian owned, but the servers the images are edited on are in the USA.

Physical location of servers has limited relevance to privacy concerns. It's the identity of the people who administer and access the data and the quality of their data security that matters.
This forum is (or at least has been) hosted on US servers. That has no bearing on the fact that the folks who look after the underlying database are mostly doing so from the UK.

Willie wrote:
It does not download to all your images as was reported, but only the ones you specifically upload

The app requires that you grant it access to all your photos. I think that's a fairly inevitable consequence of the way smart phone app security works at the moment, and I'm not aware of any evidence that this particular app is abusing the access that it is granted. Once granted that access, however, I don't think there is any legal or technical impediment to such an app harvesting any picture data it might want to. That's certainly something worth highlighting to people who might not have considered the security and privacy implications. This applies equally to most apps that do cloud-based image processing.

Willie wrote:
and as to the terms and conditions they really are not that different to other web service providers such as Twitter

Twitter is a platform for broadcasting social media content. It's fairly obvious why it would need the legal rights to broadcast any content you provide to it. It's worth thinking about why an app that is ostensibly a photo editor needs such rights and what that might imply about its owner's business model and what they are doing with the data they are provided.

Even then, the FaceApp terms on privacy and advertising go somewhat beyond typical social media app terms. In particular they provide quite restricted ability to delete your data once it has been uploaded.

This seems a reasonably balanced treatment of the topic:
https://www.techradar.com/uk/news/is-faceapp-safe-a-deeper-look-at-the-viral-hit


Physical location of the server does matter as they will have to comply with the regulations in the country where the server is physically located, and whilst the USA is not perfect, it has stronger protections than Russia. This is the reason UK government agencies cannot store data on servers in the US: the administration is done from the UK, but the server is located in the US and their regulations don't meet UK government standards.

The app does not and never has had access to all your photos, one person raised a concern and when this was tested it was found that the only photos they have access to are the specific ones you upload.

Faceapp is also a method of broadcasting social media content and there is no difference between you uploading a photo to Twitter and Faceapp, in fact most social media sites have pretty much the same.

Techradar's whole article pretty much says exactly what I said. There are always concerns with putting your personal stuff online, but Faceapp really is not much different than the vast majority of the internet.

 
PDR
1327129.  Sun Jul 21, 2019 10:25 am

I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR

 
Jenny
1327133.  Sun Jul 21, 2019 11:06 am

Fortunately, this is not an app that tempted me to download it. I shall now definitely not bother.

 
Leith
1327138.  Sun Jul 21, 2019 11:33 am

Willie wrote:
Physical location of the server does matter as they will have to comply with the regulations in the country where the server is physically located, and whilst the USA is not perfect, it has stronger protections than Russia. This is the reason UK government agencies cannot store data on servers in the US: the administration is done from the UK, but the server is located in the US and their regulations don't meet UK government standards.

The location is not completely irrelevant, but it doesn't significantly mitigate the concern that the principal owners and administrators of the data are a Russian company (how significant that concern is is another question).

Willie wrote:
The app does not and never has had access to all your photos, one person raised a concern and when this was tested it was found that the only photos they have access to are the specific ones you upload.

I've seen reports of tests indicating that the app currently doesn't harvest photo data, but no evidence that it couldn't with the permissions and terms acceptance it requires.
I'm open to correction, but from what I've seen of the Android app permissions framework, I'm not sure it's even capable of restricting uploads in that way (permissions for internet access and photo access have to be requested at runtime, but it's a one-off request, not one that is specific to each file upload). Again, the same would apply for any cloud-based image processing app, though.

Willie wrote:
Faceapp is also a method of broadcasting social media content and there is no difference between you uploading a photo to Twitter and Faceapp, in fact most social media sites have pretty much the same.

I'll take your word for that, not having used the app. Even so, its terms seem to go beyond (albeit not much beyond) even what a fully fledged social media platform requires.

Willie wrote:
Techradar's whole article pretty much says exactly what I said. There are always concerns with putting your personal stuff online, but Faceapp really is not much different than the vast majority of the internet.

I think the scope of the terms, and the fact that the company is from a state at the centre of recent allegations of interference with, and misuse of social media data does merit a little more scrutiny than usual for a social media app. It may be that the focus on this app in particular is disproportionate to the difference in risk versus other apps, but it's a useful reminder of just how much trust we put in all social media apps, often with relatively little thought.

 
Willie
1327140.  Sun Jul 21, 2019 12:56 pm

PDR wrote:
I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR


To be fair, they can't be that worried as it isn't mentioned on their web site, even in passing. They may have seen the concerns raised by other people and rightly passed them on with a general message about being careful what you do online. Unfortunately those sites who rely on click bait, and national newspapers who love to sow panic to sell toilet paper, always over-egg it with these types of warnings.

It is the same as all the warnings about Huawei; it was all over the press about a backdoor that was found in some of their equipment. The national press and scaremongers went nuclear, but never once mentioned that pretty much the same back door was found in Cisco equipment the next day. Neither company deliberately put the back door in and both fixed the issue very quickly, but China bad, USA good.

 
barbados
1327142.  Sun Jul 21, 2019 1:53 pm

Willie wrote:
PDR wrote:
I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR


To be fair, they can't be that worried as it isn't mentioned on their web site, even in passing. They may have seen the concerns raised by other people and rightly passed them on with a general message about being careful what you do online. Unfortunately those sites who rely on click bait, and national newspapers who love to sow panic to sell toilet paper, always over-egg it with these types of warnings.


Just because DSTL don't feature the app on their website does not mean they wouldn't have offered advice on the matter.

 
Willie
1327149.  Sun Jul 21, 2019 4:28 pm

barbados wrote:
Willie wrote:
PDR wrote:
I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR


To be fair, they can't be that worried as it isn't mentioned on their web site, even in passing. They may have seen the concerns raised by other people and rightly passed them on with a general message about being careful what you do online. Unfortunately those sites who rely on click bait, and national newspapers who love to sow panic to sell toilet paper, always over-egg it with these types of warnings.


Just because DSTL don't feature the app on their website does not mean they wouldn't have offered advice on the matter.


That's why I said they could have passed on a general warning, but only as the most minor of warnings. Rather more of a "think before you use, as like all internet activities there are risks" than a "don't use".

Many government agencies wouldn't let their staff use this site, and others will put out a general message to think before using as it doesn't use https, but that doesn't mean there is any specific risk or even any real risk at all.

 
PDR
1327155.  Sun Jul 21, 2019 4:53 pm

I think you misunderstand. This wasn't a "general" or "minor" warning. This was a formal security advisory issued to UK List-x companies. This particular one is not classified, although these are not usually put in the public domain. I passed this particular one on because I know there are a lot of social media users on this forum who might benefit from the information.

This isn't some trivial piece of net-gossip, but rather a piece of formal advice originating from the country's cyber-security specialists.

The childish blather deriding the expertise of these organisations is dangerously unhelpful (as well as amusingly inaccurate).

PDR

 
barbados
1327161.  Sun Jul 21, 2019 7:36 pm

Precisely, although you would only know of the warnings if you are in receipt of them.
Just 3 weeks ago I had a communication through advising against 8 character passwords. A quick check on the website for the particular provider shows no warning because the password policy is a local responsibility, and the end users don't need to know why I tell users their password should be 9 characters long, so there is no need to publicise the warning.

 
dr.bob
1327173.  Mon Jul 22, 2019 5:03 am

PDR wrote:
The childish blather deriding the expertise of these organisations is dangerously unhelpful (as well as amusingly inaccurate).


Did Willie deride the expertise of these* organisations? I've read his messages a couple of times now and I don't really understand which part of what he said would give you that impression. Maybe you could explain so we can avoid a situation where people are talking at cross purposes.

The impression I got from what Willie said** is not that he thinks the DSTL lacks expertise, merely that he thinks they don't consider the problems with Faceapp to be particularly serious. Now that may well not be the case, in which case feel free to have a discussion about that. There seems little point in castigating someone for something they didn't say.


*By "these" do you mean the DSTL? That seems to be the only one that's been mentioned so far, unless I've missed something.

**Hopefully Willie can pop by soon and explain what he actually meant, rather than having some third party trying to interpret his words for him.

 
barbados
1327174.  Mon Jul 22, 2019 5:13 am

Do you not consider the suggestion that the DSTL can't consider it much of a problem because it doesn't appear on their website, suggesting that the information received was from a click-bait site rather than, as described, a little dismissive of the original post?

 