{"id":15893,"date":"2019-07-24T09:10:06","date_gmt":"2019-07-24T17:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/24\/news-9638\/"},"modified":"2019-07-24T09:10:06","modified_gmt":"2019-07-24T17:10:06","slug":"news-9638","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/24\/news-9638\/","title":{"rendered":"FaceApp scares point to larger data collection problems"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Wed, 24 Jul 2019 16:38:29 +0000<\/strong><\/p>\n<p>Last week, if you thumbed your way through Facebook, Instagram, and Twitter, you likely saw altered photos of your friends with a few extra decades written onto their faces\u2014wrinkles added, skin sagged, hair bereft of color. <\/p>\n<p>Has 2019 really been that long? Not really. <\/p>\n<p>The photos are the work of FaceApp, the wildly popular, AI-powered app that lets users \u201cage\u201d pictures of themselves, change their hairstyles, put on glasses, and present a different gender. <\/p>\n<p>Then, seemingly overnight, users, media reports, and members of Congress turned FaceApp into the latest privacy parable: If you care about your online privacy, avoid this app at all costs, they said. &nbsp;<\/p>\n<p>It\u2019s operated by the Russian government, <a href=\"https:\/\/twitter.com\/forensicnewsnet\/status\/1151589150539149312\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">suggested the investigative outlet Forensic News<\/a>. 
<\/p>\n<p>It\u2019s a coverup to train advanced facial recognition software, <a href=\"https:\/\/twitter.com\/theferocity\/status\/1151267118937075712\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">theorized multiple Twitter users<\/a>.<\/p>\n<p>It\u2019s worthy of an FBI investigation, <a href=\"https:\/\/twitter.com\/SenSchumer\/status\/1151645791796248576\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">said Senator Chuck Schumer of New York<\/a>. <\/p>\n<p>The truth is less salacious. Here\u2019s what we do know.  <\/p>\n<p>FaceApp&#8217;s engineers work out of St. Petersburg, Russia, which is not by any means a mark against the company. FaceApp does not, as previously claimed, upload a user\u2019s entire photo roll to servers anywhere in the world. FaceApp\u2019s Terms of Service agreement does not claim to transfer the <em>ownership<\/em> of a user\u2019s photos to the company, and FaceApp\u2019s CEO said the company would soon update its agreement to more accurately describe that the company does not utilize user content for \u201ccommercial purposes.\u201d <\/p>\n<p>Finally, the blowback against FaceApp\u2014for what the company could collect, per its privacy policy, and how it could use that data\u2014is a bit skewed. Countless American companies allow themselves to do the same exact thing today. <\/p>\n<p>\u201cThe language you quoted to me, I recommend you look at the terms on Facebook or any other sort of user-generated service, like YouTube,\u201d said Mitch Stoltz, senior staff attorney at Electronic Frontier Foundation, when we read FaceApp\u2019s agreement to him over the phone. &nbsp;<\/p>\n<p>\u201cIt\u2019s almost word-for-word,\u201d Stoltz said. 
\u201cAll that verbiage, in a vacuum, sounds broad, but if you think about it, those are the terms used by almost any website that allows users to upload photos.\u201d<\/p>\n<p>But the takeaway from this week of near-hysteria should not be complacency. Instead, the story of FaceApp should serve as yet another example supporting the always-relevant, sometimes-boring guideline for online privacy: Ask questions first, download later (if at all). <\/p>\n<h3><strong>FaceApp\u2019s terms of service agreement<\/strong><\/h3>\n<p>When users download and use FaceApp, they are required to agree to the parent company\u2019s broad <a href=\"https:\/\/www.faceapp.com\/terms\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Terms of Service agreement<\/a>. Those terms are extensive: <\/p>\n<p>\u201cYou grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.\u201d<\/p>\n<p>Further, users are told through the Terms of Service agreement that \u201cby using the Services, you agree that the User Content may be used for commercial purposes.\u201d<\/p>\n<p>This covers, to put it lightly, a lot. But it is far from unique, Stoltz said. &nbsp;<\/p>\n<p>\u201cAny website that allows anyone in the world to post photos is going to have a clause like that\u2014\u2018by uploading photos you give us permissions to do anything with it,\u2019\u201d Stoltz said. \u201cIt protects them against all manner of users trying to bring legal claims, where, oh, they only wanted four copies of a photo, not 10 copies. 
The possibilities are endless.\u201d <\/p>\n<p>Several years ago, CNN <a href=\"https:\/\/money.cnn.com\/gallery\/technology\/2014\/05\/13\/worst-terms-of-service\/8.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">dug through some of the most dictatorial terms of service agreements<\/a> for popular social media platforms, Internet services, and companies, and found that, for example, LinkedIn claimed it could profit from users\u2019 ideas. <\/p>\n<p>Relatedly, <a href=\"https:\/\/tosdr.org\/#services\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Terms of Service, Didn\u2019t Read<\/a>, which evaluates companies\u2019 user agreements, currently shows that Google and Facebook can use users\u2019 identities in advertisements shown to other users, and that the two companies can also track your online activity across other websites. <\/p>\n<p>Stoltz also clarified that FaceApp\u2019s Terms of Service agreement does not claim to take the <em>copyright<\/em> of a photo away from whoever took that photo\u2014a process that would be difficult to do in a contract. <\/p>\n<p> \u201cIt\u2019s been tried\u2014it\u2019s something the courts don\u2019t like,\u201d Stoltz said. <\/p>\n<p>Stoltz also said that, while consumers do have the option to bring a legal challenge against a contract they allege is unfair, such successful challenges are rare. Stoltz gave one example of where that worked, though: a judge sided with a rental car customer who <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.mrt.com\/news\/amp\/Judge-Orders-Car-Rental-Refund-7868599.php\" target=\"_blank\">challenged a company\u2019s extra charge every time the driver sped past the speed limit<\/a>. <\/p>\n<p>\u201cThe court said nuh-uh, you can\u2019t bury that in a contract and expect people to fully understand that,\u201d Stoltz said. 
<\/p>\n<p>As to how FaceApp will actually use user-generated photos, FaceApp CEO Yaroslav Goncharov told Malwarebytes Labs in an email that the company plans to update its terms to better reflect that it does not use any users\u2019 images for \u201ccommercial purposes.\u201d <\/p>\n<p>\u201cEven though our policy reserves potential \u2018commercial use,\u2019 we don&#8217;t use it for any commercial purposes,\u201d Goncharov said. \u201cWe are planning to update our privacy policy and TC to reflect this fact.\u201d<\/p>\n<h3><strong>Dispelling the rumors<\/strong><\/h3>\n<p>On July 17, United States Sen. Schumer asked the FBI and the Federal Trade Commission to investigate FaceApp because of the app\u2019s popularity, the location of its parent company, and its alleged potential link to foreign intelligence operations in Russia.  <\/p>\n<p>The next day, Sen. Schumer <a href=\"https:\/\/twitter.com\/SenSchumer\/status\/1152013268254384128\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">spoke directly to consumers in a video shared on Twitter<\/a>, hammering on the same points: <\/p>\n<p>\u201cThe risk that your facial data could also fall into the hands of something like Russian intelligence, or the Russian military apparatus, is disturbing,\u201d Schumer said.<\/p>\n<p>But, according to FaceApp\u2019s CEO, that isn\u2019t true. In responding to questions from <a href=\"https:\/\/www.washingtonpost.com\/technology\/2019\/07\/18\/heres-what-we-know-about-russian-company-behind-faceapp\/?utm_term=.f304cb92f4ca\">The Washington Post<\/a>, Goncharov said the Russian government has no access to user photos, and, further, that unless a user actually lives in Russia, user data is not located in the country. <\/p>\n<p>Goncharov also told The Washington Post that user photos processed by FaceApp are stored on servers run by Google and Amazon. 
<\/p>\n<p>In responding to questions from Malwarebytes Labs, Goncharov clarified that the company removes photos from those servers based on a timer, but that sometimes, if there is a large quantity of photos, the removal process can actually take longer than the chosen time limit itself. <\/p>\n<p>\u201cYou can set a policy for an [Amazon Simple Storage] bucket that says \u2018delete all files that are older than one day.\u2019 In this case, almost all photos may be deleted in 25 hours or so. However, if you have too many incoming photos it can take longer than one hour (or even 24 hours) to delete all photos that are older than 24 hours,\u201d Goncharov said. \u201c[Amazon Web Services] doesn&#8217;t provide a guarantee that it takes less than a day to complete a bucket policy. We have a similar situation with Google Cloud.\u201d<\/p>\n<p>Another concern that some users raised about FaceApp was the possibility that the app was accessing and downloading <em>every<\/em> photo locally stored on a user\u2019s device. <\/p>\n<p>But, again, the rumors proved to be overblown. <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/twitter.com\/chronic\/status\/1151280938900262913\" target=\"_blank\">Cybersecurity researchers<\/a> and an <a href=\"https:\/\/www.buzzfeednews.com\/article\/daveyalba\/what-happens-when-you-upload-faceapp-photos\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">investigation by Buzzfeed News<\/a> revealed that the network traffic between FaceApp and its servers did not show any nefarious hoovering of user data. <\/p>\n<p>\u201cWe didn\u2019t see any suspicious increase in the size of outbound traffic that would indicate a leak of data beyond permitted uploads,\u201d Buzzfeed News wrote. 
\u201cWe uploaded four pictures to FaceApp, which corresponds with the four spikes in the graphic, with some noise at the end after the fourth upload.\u201d<\/p>\n<p>Finally, despite the many distressed comments on Twitter, Goncharov also told The Washington Post that his company is not using its technology for any facial recognition purposes. <\/p>\n<h3><strong>What you should do<\/strong><\/h3>\n<p>We get it\u2014FaceApp is fun. Sadly, for many, online privacy is less so. (We disagree.) But that does not make online privacy any less important. <\/p>\n<p>For those of you who have already downloaded and used FaceApp, the company <a href=\"https:\/\/techcrunch.com\/2019\/07\/17\/faceapp-responds-to-privacy-concerns\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">recently described an ad-hoc method<\/a> for removing your data from their servers:<\/p>\n<p>\u201cWe accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using \u2018Settings-&gt;Support-&gt;Report a bug\u2019 with the word \u2018privacy\u2019 in the subject line. We are working on the better UI for that.\u201d<\/p>\n<p>For those of you who want to avoid these types of problems in the future, there\u2019s a simple rule: Read an app\u2019s terms of service agreement and privacy policy before you download and use it. If the agreements and policies are too long to read through\u2014or too filled with jargon to parse\u2014you can always avoid downloading the app altogether. <\/p>\n<p>Always remember, the fear of missing out on the latest online craze should be weighed against the fear of having your online privacy potentially invaded. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/faceapp-scares-point-to-larger-data-collection-problems\/\">FaceApp scares point to larger data collection problems<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/faceapp-scares-point-to-larger-data-collection-problems\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Wed, 24 Jul 2019 16:38:29 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/faceapp-scares-point-to-larger-data-collection-problems\/' title='FaceApp scares point to larger data collection problems'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Faceapp-phone-app.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>The blowback against FaceApp\u2014for which data the company can collect and how it can use that data\u2014is a bit overblown. 
Countless American companies do the exact same thing today.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/privacy-2\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/chuck-schumer\/\" rel=\"tag\">Chuck Schumer<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/end-user-license-agreement\/\" rel=\"tag\">end user license agreement<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/faceapp\/\" rel=\"tag\">FaceApp<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/facial-recognition\/\" rel=\"tag\">facial recognition<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/government-surveillance\/\" rel=\"tag\">government surveillance<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/privacy-policy\/\" rel=\"tag\">privacy policy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/russia\/\" rel=\"tag\">russia<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/terms-of-service\/\" rel=\"tag\">terms of service<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/faceapp-scares-point-to-larger-data-collection-problems\/' title='FaceApp scares point to larger data collection problems'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/faceapp-scares-point-to-larger-data-collection-problems\/\">FaceApp scares point to larger data collection problems<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[22440,22441,22385,14753,10608,5897,18883,251,11319],"class_list":["post-15893","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-chuck-schumer","tag-end-user-license-agreement","tag-faceapp","tag-facial-recognition","tag-government-surveillance","tag-privacy","tag-privacy-policy","tag-russia","tag-terms-of-service"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15893"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15893\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15893"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}