FaceApp Warning

Page 1 of 2

Jenny
1327133.  Sun Jul 21, 2019 11:06 am

Fortunately, this is not an app that tempted me to download it. I shall now definitely not bother.

 
Leith
1327138.  Sun Jul 21, 2019 11:33 am

Willie wrote:
Physical location of the server does matter as they will have to comply with the regulations in the country where the server is physically located and whilst the USA is not perfect, it has stronger protections than Russia. This is the reason UK government agencies cannot store data on servers in the US as the administration is done from the UK, but the server is located in the US and their regulations don't meet UK government standards.

The location is not completely irrelevant, but it doesn't significantly mitigate the concern that the principal owners and administrators of the data are a Russian company (how significant that concern is is another question).

Willie wrote:
The app does not and never has had access to all your photos, one person raised a concern and when this was tested it was found that the only photos they have access to are the specific ones you upload.

I've seen reports of tests indicating that the app currently doesn't harvest photo data, but no evidence that it couldn't with the permissions and terms acceptance it requires.
I'm open to correction, but from what I've seen of the Android app permissions framework, I'm not sure it's even capable of restricting uploads in that way (permissions for internet access and photo access have to be requested at runtime, but it's a one-off request, not one that is specific to each file upload). Again, the same would apply for any cloud-based image processing app, though.

Willie wrote:
Faceapp is also a method of broadcasting social media content and there is no difference between you uploading a photo to Twitter and Faceapp, in fact most social media sites have pretty much the same.

I'll take your word for that, not having used the app. Even so, its terms seem to go beyond (albeit not much beyond) even what a fully fledged social media platform requires.

Willie wrote:
Techradar's whole article pretty much says exactly what I said. There are always concerns with putting your personal stuff online, but Faceapp really is not much different than the vast majority of the internet.

I think the scope of the terms, and the fact that the company is from a state at the centre of recent allegations of interference with, and misuse of social media data does merit a little more scrutiny than usual for a social media app. It may be that the focus on this app in particular is disproportionate to the difference in risk versus other apps, but it's a useful reminder of just how much trust we put in all social media apps, often with relatively little thought.
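The permission model Leith describes above, as an added illustration that is not part of any post in this thread: with the broad READ_EXTERNAL_STORAGE runtime permission one accepted prompt lets an app read every photo on the device, whereas the system document picker (ACTION_OPEN_DOCUMENT) hands the app a content URI for one chosen file without any storage permission at all. The UploadActivity class and its methods are hypothetical; the Android APIs are real.

```kotlin
// Added illustration (not FaceApp's or any poster's code); UploadActivity is hypothetical.
import android.Manifest
import android.app.Activity
import android.content.Intent
import android.content.pm.PackageManager
import android.net.Uri
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

class UploadActivity : Activity() {
    companion object {
        const val REQ_STORAGE = 1 // runtime permission request code
        const val REQ_PICK = 2    // document picker request code
    }

    // Model A: the broad storage permission. One prompt, accepted once, and the
    // app can enumerate and read every image on the device; nothing in the
    // platform then ties what is uploaded to what the user intended to share.
    fun requestBroadPhotoAccess() {
        val granted = ContextCompat.checkSelfPermission(
            this, Manifest.permission.READ_EXTERNAL_STORAGE) == PackageManager.PERMISSION_GRANTED
        if (!granted) {
            ActivityCompat.requestPermissions(
                this, arrayOf(Manifest.permission.READ_EXTERNAL_STORAGE), REQ_STORAGE)
        }
    }

    // Model B: the system document picker. No storage permission is declared at
    // all; the user picks one image in the system UI and the app receives a
    // content URI that grants read access to that single file only.
    fun pickSinglePhoto() {
        val intent = Intent(Intent.ACTION_OPEN_DOCUMENT).apply {
            addCategory(Intent.CATEGORY_OPENABLE)
            type = "image/*"
        }
        startActivityForResult(intent, REQ_PICK)
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != REQ_PICK || resultCode != RESULT_OK) return
        val uri: Uri = data?.data ?: return
        // Only this URI is readable; the rest of the gallery stays out of reach.
        contentResolver.openInputStream(uri)?.use { stream ->
            val bytes = stream.readBytes() // only these bytes go to the upload routine
        }
    }
}
```

An app built on Model B needs no storage permission in its manifest, so the absence of that permission is something a reviewer can check for rather than having to trust what the vendor says it uploads.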

 
Willie
1327140.  Sun Jul 21, 2019 12:56 pm

PDR wrote:
I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR


To be fair they can't be that worried as it isn't mentioned on their web site, even in passing. They may have seen the concerns raised by other people and rightly passed them on with a general message about being careful what you do online. Unfortunately those sites who rely on clickbait and national newspapers who love to sow panic to sell toilet paper always over-egg it with these types of warnings.

It is the same as all the warnings about Huawei, it was all over the press about a backdoor that was found in some of their equipment. The national press and scaremongers went nuclear, but never once mentioned that pretty much the same back door was found in Cisco equipment the next day. Neither company deliberately put the back door in and both fixed the issue very quickly, but China bad, USA good.

 
barbados
1327142.  Sun Jul 21, 2019 1:53 pm

Willie wrote:
PDR wrote:
I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR


To be fair they can't be that worried as it isn't mentioned on their web site, even in passing. They may have seen the concerns raised by other people and rightly passed them on with a general message about being careful what you do online. Unfortunately those sites who rely on clickbait and national newspapers who love to sow panic to sell toilet paper always over-egg it with these types of warnings.


Just because DSTL don't feature the app on their website does not mean they wouldn't have offered advice on the matter.

 
Willie
1327149.  Sun Jul 21, 2019 4:28 pm

barbados wrote:
Willie wrote:
PDR wrote:
I passed on the Advisory as a matter of courtesy - I don't have the personal expertise to judge its validity. But I will say that the organisation which generated it (DSTL) is not a dilettante in IA matters, and they do not issue warnings unless they believe they have significant justification.

PDR


To be fair they can't be that worried as it isn't mentioned on their web site, even in passing. They may have seen the concerns raised by other people and rightly passed them on with a general message about being careful what you do online. Unfortunately those sites who rely on clickbait and national newspapers who love to sow panic to sell toilet paper always over-egg it with these types of warnings.


Just because DSTL don't feature the app on their website does not mean they wouldn't have offered advice on the matter.


That's why I said they could have passed on a general warning, but only as in the most minor of warnings. Rather more of a "think before you use", as like all internet activities there are risks, rather than "don't use".

Many government agencies wouldn't let its staff use this site and others will put out a general message to think before using as it doesn't use https, but that doesn't mean there is any specific risk or even any real risk at all.

 
PDR
1327155.  Sun Jul 21, 2019 4:53 pm

I think you misunderstand. This wasn't a "general" or "minor" warning. This was a formal security advisory issued to UK List-x companies. This particular one is not classified, although these are not usually put in the public domain. I passed this particular one on because I know there are a lot of social media users on this forum who might benefit from the information.

This isn't some trivial piece of net-gossip, but rather a piece of formal advice originating from the country's cyber-security specialists.

The childish blather deriding the expertise of these organisations is dangerously unhelpful (as well as amusingly inaccurate).

PDR

 
barbados
1327161.  Sun Jul 21, 2019 7:36 pm

Precisely, although you would only know of the warnings if you are in receipt of them.
Just 3 weeks ago I had a communication through advising against 8 character passwords. A quick check on the website for the particular provider shows no warning because the password policy is a local responsibility, and the end users don't need to know why I tell users their password should be 9 characters long so there is no need to publicise the warning.

 
dr.bob
1327173.  Mon Jul 22, 2019 5:03 am

PDR wrote:
The childish blather deriding the expertise of these organisations is dangerously unhelpful (as well as amusingly inaccurate).


Did Willie deride the expertise of these* organisations? I've read his messages a couple of times now and I don't really understand which part of what he said would give you that impression. Maybe you could explain so we can avoid a situation where people are talking at cross purposes.

The impression I got from what Willie said** is not that he thinks the DSTL lacks expertise, merely that he thinks they don't consider the problems with Faceapp to be particularly serious. Now that may well not be the case, in which case feel free to have a discussion about that. There seems little point in castigating someone for something they didn't say.


*By "these" do you mean the DSTL? That seems to be the only one that's been mentioned so far, unless I've missed something.

**Hopefully Willie can pop by soon and explain what he actually meant, rather than having some third party trying to interpret his words for him.

 
barbados
1327174.  Mon Jul 22, 2019 5:13 am

Do you not consider the suggestion that the DSTL can't consider it much of a problem because it doesn't appear on their website, suggesting that the information received was from a click-bait site rather than, as described, is a little dismissive of the original post?

 
dr.bob
1327177.  Mon Jul 22, 2019 5:29 am

I'm merely considering whether Willie thinks that the DSTL lacks expertise. As far as I can tell, the original post didn't come from the DSTL. Certainly, any message which starts with "Greetings Teammates" doesn't sound like an official release from a government body.

Maybe PDR can pop by at some point and explain where the message he quoted came from and what relation it has to the DSTL.

 
Willie
1327180.  Mon Jul 22, 2019 5:56 am

PDR wrote:
I think you misunderstand. This wasn't a "general" or "minor" warning. This was a formal security advisory issued to UK List-x companies. This particular one is not classified, although these are not usually put in the public domain. I passed this particular one on because I know there are a lot of social media users on this forum who might benefit from the information.

This isn't some trivial piece of net-gossip, but rather a piece of formal advice originating from the country's cyber-security specialists.

The childish blather deriding the expertise of these organisations is dangerously unhelpful (as well as amusingly inaccurate).

PDR


UK security agencies are regularly putting out advisory notices on issues to do with IT security, some are specific and others are of the "think before you use" variety. The latter are mainly teased because the general IT using population of most workplaces get very complacent and tend to forget basic concepts very quickly.

As to being 'dangerously unhelpful', IT is what I do for a living and I am rather more qualified than most people, even on this site, on IT security what with having a degree in the subject.

I have nothing but respect for government IT security agencies, but they do not always give the whole story.


Last edited by Willie on Mon Jul 22, 2019 5:58 am; edited 1 time in total

 
PDR
1327181.  Mon Jul 22, 2019 5:56 am

Maybe PDR just ain't going to bother passing on IT security advisories in future.

PDR

 
Alexander Howard
1327187.  Mon Jul 22, 2019 8:25 am

I recall something similar many years ago when Microsoft of all people put into their terms something along the lines of "and we can use and republish anything you send through our systems". It was then pointed out that every professional user would have to dump Microsoft products in favour of platforms which might respect commercial or client confidentiality, copyright and little details like that. The terms were changed.

 
barbados
1327193.  Mon Jul 22, 2019 9:51 am

dr.bob wrote:
I'm merely considering whether Willie thinks that the DSTL lacks expertise. As far as I can tell, the original post didn't come from the DSTL. Certainly, any message which starts with "Greetings Teammates" doesn't sound like an official release from a government body.

The consideration would appear to me that the DSTL do have the expertise, but the message lacks authority because the warning didn't appear on the DSTL website.
Similarly, when you question the salutation on the email. These have no bearing on the authority of the email because what would have happened is the DSTL team would have emailed their mailing list about their concerns. PDR would not have been part of that list, but the person responsible for the IT security within his organisation would be. It would have been sent to him (other genders are available) for consideration. Then if the person responsible for IT security thought it was a concern worthy of sharing then it would have been distributed to the staff leadership, and then on to the minions at the coal face. That would be the reason for the "greetings teammates".

 
dr.bob
1327194.  Mon Jul 22, 2019 10:17 am

Alexander Howard wrote:
I recall something similar many years ago when Microsoft of all people put into their terms something along the lines of "and we can use and republish anything you send through our systems". It was then pointed out that every professional user would have to dump Microsoft products in favour of platforms which might respect commercial or client confidentiality, copyright and little details like that. The terms were changed.


It's good that Microsoft changed those terms but, as has been discussed upthread, it's not unusual for companies to put all sorts of crazy things in their T's & C's.

Here's a good article on Wired that talks about the current furore around FaceApp. Interestingly it points out that the app was actually launched back in 2017. Back then, security concerns were raised though nobody was massively worried about them. The main source of concern at that time was over FaceApp's "blackface filter" (perhaps unsurprisingly).

The article suggests that the current concern stems more from the app's connections with Russia than any particularly unusual security problems. To make its point it lists a bunch of other, US based, companies that do far worse things with your personal data than FaceApp do but which aren't currently the subject of a media witch-hunt.

 
