FaceApp and Its Targeted Audience

[NB: Please check the byline, thanks! /~Rayne]

You may have seen the buzz earlier this week across social media when cellphone users loaded and used a mobile app which applied an aging filter to a selfie photo so users could see a predictive image of their future face.

Except the vain and foolish downloaded an app developed in Russia — an app with the most ridiculous terms of service. More at this Twitter thread by @PrivacyMatters:

The app doesn’t make it easy to find its Terms of Service (TOS) or Privacy Policy, which to me is a red flag.

Russia does not fall under the EU’s Global Data Privacy Regulation, meaning users cannot have expectations of privacy and government oversight protecting their data. Russia ratified the Council of Europe’s Data Protection Convention 108 in 2013 but this appears to be little more than a head fake when Russians have taken Facebook data and used it for adverse micro-targeting against U.S. citizens in 2016. If the convention had been taken seriously, Russia’s government would also have investigated the Internet Research Agency for abusing personal data without users’ consent after the Department of Justice indicted IRA members.

The app’s developers say users’ data isn’t hosted in Russia, clarifying after initial inquiries that only a limited amount of each user’s data was hosted on Amazon Web Services and Google Cloud — but how would the average user be able to validate this claim? The question of hosting seems at odds with the developers’ explanation that

The Democratic National Committee issued a warning to 2020 campaigns that FaceApp should not be used and should be removed from devices.

It’s ridiculous that, after the DNC was hacked and state election systems breached or targeted by Russia in 2016, any sentient Democrat working or volunteering for a Democratic candidate’s campaign would be stupid enough to download and use this app, if they even read the TOS. But the viral popularity of the application and the platforms on which its output was most often shared likely propelled its dispersion even among those who should know better.

Which brings up the app’s targeted audience: younger people who share images frequently in social media.

The app required users’ social media identity; it captured the IMEI number of the device they were using. Imagine being able to TREASUREMAP all these users over the internet and LANs.

Finally, the app captured the users’ image for editing. Imagine this data linked to all of a user’s Facebook data, matched to their DMV records including their photo, validated by phone number if recorded by DMV.

It’d be insanely easy to ‘clone’ these users in both content and in photos and in videos using Deep Fake technology.

It’d be a snap to micro-target them for political messaging and to make threats using manufactured kompromat.

All of this should be particularly worrying since the audience for this application is the youngest voter age groups which are least likely to vote for Trump and the GOP.

And they are the largest portion of the U.S. military. Think of what the FitBit app disclosed to any snoopers watching military bases. How many users who downloaded FaceApp were active duty or their family members?

Imagine FaceApp and all the other social data, public and private, synced with their phone which reveals their physical location. These users are entirely touchable.

There’ve been quite a few rebuttals to those worried about FaceApp; most complain that such concerns are merely Russia-as-boogeyman fearmongering and that U.S. Big Tech and Chinese apps like TikTok are just as bad (or worse) about collecting too much personal data and misusing it without users’ consent. Or they minimize the risk by theorizing the estimated 150 million selfies collected may train a Russian facial recognition app without users’ consent.

Except Europeans can rely on the GDPR for recourse and Americans have recourse through U.S. laws; they can also press for changes in legislation (assuming the obstructive Senate Majority Leader pulls his thumb out of his backside and does something constructive for once).

One other concern not touched upon is that we don’t know what this particular app can do over the long run even if deleted.

Researchers looking at it now may find it is rather inert apart from the invasive collection of personal photos.

But what about future updates? Can this app push malware which can collect other information from users’ devices?

And what about the photos themselves, once captured and stored? Could the developers embed detailed tracking in the images just as Facebook has?

Bottom line: FaceApp is a huge security risk. It may not be the only one but it’s one we know about now.

We need to regulate not only personal data collection but applications which collect data — their developers must be more transparent and upfront with what the app does with data before the app is downloaded.

We also need to work with Big Tech platforms through which apps like FaceApp are downloaded. We’re back to the question whether they’re publishers or utilities and what role they play in enabling dispersion of apps which can be weaponized against users.

And we may need to institute some kind of watchdog to detect risks before they reach the public. Perhaps as part of the regulation of personal data collection a licensing or clearinghouse process should be established before apps are permitted access to the marketplace. Apple has done the best job of the Big Tech companies so far in policing which apps are permitted in its market. Should gatekeeping for national security interests rest solely on a few corporations, though?


This is an open thread.

23 replies
  1. Rayne says:

    Since I know some people will probably ask, here’s my suggestion about new apps:

    Before downloading any app:

    — Use only marketplaces which monitor applications, like Apple Store, Google Play, Download(.)com;

    — Check the application’s About/Contact Us for the location of the business; look for a physical site address taking note of the country of origin. Avoid apps for which developers’ location isn’t obvious.

    — Look for Terms of Service (TOS) and Privacy Policy (PP). Avoid any application for which these aren’t obvious or available.

    — Check TOS and PP for information regarding location of data hosting. If not apparent, ask the developers through Contact Us or user forums for this information.

    If you’re an Android user who downloaded FaceApp or other app about which you are concerned:

    — Back up your data and double-check to make sure you have both a back-up and secondary copies of any important data before you go any further;

    — Make sure you have all passwords for any installed accounts and apps off the device and available for re-installation;

    — Delete the app;

    — Reset your phone to factory settings via Settings;

    — Reinstall your apps and data, updating the device OS if possible. You may even find your device runs better now.

    Sorry, Apple people, you’ll need to look up help for Apple.

    YMMV, not a licensed IT professional, not responsible for any boo-boos.

      • Rayne says:

        Thanks. I probably should have added a few more points:

        — Avoid using your Facebook, Google, or other Big Tech account identity to log into 3rd party apps;

        — If you can do whatever it is through a browser, don’t download an app at all (every app is a new ‘tunnel’ with access to your phone);

        — If it’s not inconvenient, get a different device with a new IMEI if you downloaded FaceApp. Every DNC employee/volunteer who had access to the DNC’s network and downloaded FaceApp should reset their phone to factory; it’d be more secure if they got a new IMEI.

    • Democritus says:

      Love this place, copying advice and bookmarking in my internet privacy bookmark folder. Thank you from someone who knows enough to be scared of all the shit out there, but not enough to actually know what to do to stay safe except the basics. I do not download many apps though, and always read the terms. *waves at drouse*

      Know what sucks? They are adding these shitty terms to downloaded older console and pc games, including older final fantasy. Yes I’m a nerd.

      My sibling used to help with that, but they met someone new and then migrated to trump and so…

      Oh, I also wanted to repost this thread by Asha encouraging us to interact more with our fellow citizens, and loved it.


      My neck/shoulder/arm is on fire so that should do for posting :)

      Oh god I’m turning into the old person who bitches about aches and pains🙄

  2. Buford says:

    We must all assume that the russians are going to help the republicans and trump win again…these folks have no scruples, no morals, no ethics, and none of what would be considered “good”…then there are the russians…

    • timbo says:

      Hmm. Not every Russian is a bad person.

      I can remember finding it odd that a Russian was actually smiling at the 72 Olympics. Why? Because as a little child, I had been led to believe that Russians were just not happy at all ever; my parents had never told me that, it was something that I had been led to believe from all the hackneyed jingoism of mid-20th century politics in the US. I had an epiphany back then—perhaps everything I feel is true ain’t true.

      As an adult, we must remember that people are people. And that national policies of nations, big and small, do not make every person associated with those nations bad or unworthy of respect as human beings.

    • Mooser says:

      Oh, the Russians, now that everybody is so to speak, ‘loaded for bear’, might just ‘help’ the Democrats, with a series of clumsy and easily traceable stunts.

  3. drouse says:

    And then there is the terms of service themselves. I dare anyone who isn’t a lawyer to get to the end without their eyes glazing over. Perhaps in this day of “A.I.” (yes, the quotes are deliberate) and machine learning, these platforms could “read” the TOS and raise red flags about problematic terms. Another thing to worry about is things like the browser extensions that lie doggo for weeks before slurping data.

    • drouse says:

      I need to amend that to terms that an end user would find problematical. After all these platforms have no problem claiming your data as their own.

  4. Eureka says:

    Thanks, Rayne, especially for focusing in on the non-GOP catches/cultivees in the target pool.

    Reminds me, I often wish we had a live, expanded, continuously-updated version of _Dragnet Nation_ for privacy and safety consults.

    Speaking of, Julia Angwin’s twitter is relatively quiet, not sure what’s going on (an old article– but after the kerfuffle– suggested maybe she _would_ still helm The Markup/”talks” were happening…then nada). In the meantime, saw she had rt’d this interview:

    “UP NOW: Season 3 of Crazy/Genius has started! In this episode, @dkthomp talks with @juliaangwin, @shoshanazuboff, and Sarah Igo, where they discuss privacy, surveillance, and data collection. Listen to it on @Spotify: (link)”

    “Is it inherently unjust to put a person’s life in the hands of an algorithm? The investigative reporter @JuliaAngwin talks with @dkthomp about her thoughts on new sentencing tools:(link, clip)”

    • Eureka says:

      Apropos of the broader topic of corp-gov interplay (including Rayne’s TREASUREMAP post linked in this post), Marcy tweeted today:

      emptywheel: “As you read about this app visualizing how much data Instagram collects from you, know that FBI increasingly obtains location info via mobile apps, which gives them all this other info. (quotes tweet below; gives ew link pasted below that)”

      WIRED: “This app lets your Instagram followers track your location. The developer created it to illustrate the wealth of sensitive data users willingly share on a public platform without considering the access Instagram and others have to it: (embedded clip) Who’s In Town (link to Wired article)”

      How the Government Uses Location Data from Mobile Apps

  5. Eureka says:

    Meant to add this story earlier; it is getting more circulation today: a look at the ice cold institutional realities away from the hot southern border- based stories. The detained couple, heads of a family, described as well-knitted and -regarded in the community for decades, fell out of status due to apparently common vagaries for people with long cases. Sans spoilers, as the title goes:

    My friends were detained by ICE in Philly. Here’s what happened when I tried to help them.


    • P J Evans says:

      ICE is going for people like them because they’re easy to find (and collect), unlike actual criminals.

      • Eureka says:

        That’s a good point. I had more focused on the minutiae– with which we can all empathize, if via different organizations (e.g. DMV stereotypes)– of in-built institutional frustrations (the story seems like it might take a positive turn when the lawyer-friend shows up, until it devolves back into ~’we don’t have that form here.’)

  6. Democritus says:

    Crazy article in the Daily Beast about a mega church that has practically taken over Megan Rapinoe’s hometown, ie donates to pay police salaries, public auditoriums etc.

    Creepy and inceptions as hell.


    (Trying putting brackets around the link like eureka does so it’s not accidentally clickable, if that’s not how it’s done? Whoops, and help? I am a nerd, not a geek, and unfortunately my technical wizardry is much lacking. Though I can help you plan out an awesome D&D wizard ;-)

    Oh also has anyone been watching HBO’s Years and Years? This could be another way of getting people active and off their rears.


    Finally maybe with a campaign of pointing out the natsec dangers of these apps etc like Rayne so eloquently does here may finally help to get some sort of consumer online privacy protections should, nay WHEN, we finally get out of this mess we are in.

  7. Democritus says:

    Bad Rudy

    “Monday morning must-read on Rudy Giuliani and Ukraine: Two Unofficial US Operatives Reporting To Trump’s Lawyer Privately Lobbied A Foreign Government In A Bid To Help The President Win In 2020”


    Aside intellectually bankrupt GOP wants to demand stores are free to NOT have to sell to suspect classes even if open to general public, ie banning gays, but they also demand stores not be able to set their own content policies. Ie Amazon banning conversion therapy, child torture, books.


  8. BroD says:

    Thanks for the heads-up, Rayne. I guess a (rare) upside of being in my late 70’s is that I don’t need an app to find out what I look like.

    • Rayne says:

      That’s exactly why the app appears to target under-40 age group. The rest of us above that line can take a look in the mirror or check out our aging parents for a reality check.

  9. e.a.f. says:

    There needs to be some control over things like FaceApp.
    We are headed into a federal election in Canada later this year. Elections Canada says they’re as ready as they can be. In my opinion, no western government is really ready for their elections, if they don’t have better security and eliminate some of the stuff out there.

    People need to get over themselves and their ongoing quest for 5 seconds of fame. Stop taking all those pictures and sending them out to the world. You don’t know where it will wind up.

    When I was a kid some Mothers used to say, never put anything in writing you don’t want to see on the front page of the newspaper. Always thought that was good advice. People might want to give that some thought and apply it to their devices.

    Don’t do Facebook, don’t download apps–don’t trust them, don’t bank online. Parents/family relatives who keep “sharing” pictures of the kids, how do you know where they’re going in the end. Does your kid really want to have those pictures out there when they’re adults. The cell phones we have today are nice toys, but like with all toys, they can be dangerous.

Comments are closed.