FaceApp was a test. We didn't pass

Commentary: Our inability to draw lines when it comes to our personal data is a real problem, with real ramifications. This won't age well.

Ry Crist Senior Editor / Reviews - Labs
Originally hailing from Troy, Ohio, Ry Crist is a writer, a text-based adventure connoisseur, a lover of terrible movies and an enthusiastic yet mediocre cook. A CNET editor since 2013, Ry's beats include smart home tech, lighting, appliances, broadband and home networking.
Expertise Smart home technology | Wireless connectivity Credentials
  • 10 years product testing experience with the CNET Home team
Ry Crist
5 min read

FaceApp lets users upload a picture, then alter it to look older, younger or like another gender.

Sarah Tew/CNET

I woke up, poured some coffee and, as I often do each morning, checked Twitter. There, among the headlines, were faces. Old faces, young faces, weird faces. Altered faces of friends, colleagues and strangers, all of them using FaceApp, the latest viral trend. God forbid we miss out on any of those.

"Why on earth are you still tweeting FaceApp pics?" I asked one of them. This person, a tech writer I think highly of, explained that some of the people they like the most who cover questions of future surveillance seemed to think that privacy issues with FaceApp are overblown.

Are they? FaceApp's privacy policy makes it clear that the app pulls data like your location, IP address and log file information for the purpose of aiming targeted ads at you. With data like that, advertisers could aim ads at users in specific regions, for instance.

"We may also share certain information such as cookie data with third-party advertising partners," the policy reads. "This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you."

Targeted ads aren't anything new, of course -- and neither is FaceApp, which has been around for two years now. Aviran Hazum, head of Analysis and Response at the security research firm Check Point Research, tells CNET that he didn't find anything out of the ordinary when he took a closer look at how FaceApp works.

"This app seems to be developed in a good fashion," Hazum writes. "No greedy permissions, and it does what they claim it does."

Read more: Amazon and Google are listening to your voice recordings. Here's what we know about that

But now, FaceApp is going viral once more, with millions of people downloading it in order to participate in an internet craze. And it's hard to blame them -- the tech is scarily good. Who wouldn't want to see and share a stunning representation of what they might look like in 30 years?


I know I was tempted. After all, ads are already targeted at me every day because of products and services I already willingly use. What's the harm in a few more of those ads if I'm getting to try out some cutting-edge tech in the process?

But I read that privacy policy before downloading the app, and it gave me a lot of pause. Then, I saw FaceApp's terms of service, which include the following:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.

A reminder that terms like these aren't written for your benefit. They're written to cover potential legal liabilities while sharing as little as possible about what a company is actually doing with your data -- and I'd add that you can find similar catchalls in the terms and conditions for apps and services like Facebook, Instagram and Snapchat. You click accept without reading, and the company can say, "it's not our fault, you were warned."

And in this case, we were. We've known that FaceApp is controversial for some time now. We know that facial recognition is troubling and that deepfake technology can be used to create stunningly realistic videos of a person using nothing more than a single image of their face.

"Privacy invasions often sneak in through 'fun' disguises," CNET cybersecurity and privacy reporter Alfred Ng tells me, pointing out that Cambridge Analytica got all the data it needed using quirky personality quizzes. "It's important for people not to fall for these traps. It's like Hansel and Gretel and the candy house."

We also know that FaceApp is the product of a Russian company, and that Russian intelligence weaponized social media in order to spread propaganda during the 2016 US presidential election. I don't advocate hysteria, and I don't think that anyone should automatically assume that an app or service is nefarious simply because it's based out of Moscow -- but I do support skepticism. Prominent Democrats and Republicans say that FaceApp is a cause for concern that merits further scrutiny -- perhaps we ought to take heed.

So let me repeat the question I asked this morning: Why are we still using this app? Even if you take FaceApp at its word that it's not uploading all of your photos, the company still says troubling things, like promising that it deletes most -- but not all -- user images after 48 hours. OK... What is it doing with the images it keeps?

Another good question: What sort of vetting do Apple and Google do before hosting apps like FaceApp that collect user data in order to deliver targeted ads? Is there any extra scrutiny of apps like these that are based out of Russia? I've asked both companies these questions, and will update this space with on-the-record responses if I receive them.

"Users want more control and transparency over how their personal information is being used by applications, and expect Android, as the platform, to do more to provide that control and transparency," Sameer Samat, VP of Product Management, Android & Google Play, wrote in a recent blog post. "This responsibility to users is something we have always taken seriously, and that's why we are taking a comprehensive look at how our platform and policies reflect that commitment."

"We have strict policies on how app developers can handle user data," a Google spokesperson adds, pointing out that when a violation is found, the company takes action.

A much larger issue than FaceApp

Playing it safe and saying thanks but no thanks to FaceApp should be an easy call. But everything is relative, and it's unfair to zero in on one problematic app when the entire internet is riddled with glaring privacy concerns, to the point where we've grown somewhat numb to them. As one headline put it, "Think FaceApp is scary? Wait until you hear about Facebook."

In other words, anyone concerned with FaceApp ought to be concerned with the entire app ecosystem -- and maybe it's a good thing that the FaceApp hubbub is drawing more attention to the larger issue at hand. In that sense, concerns about FaceApp and FaceApp alone probably are somewhat overblown.

But let's be careful not to shrug this one off. For most of us, sacrificing some privacy in order to enjoy the fruits of the internet is unavoidable, but unless we see larger action toward regulating these sorts of data privacy concerns, we'll need to get much, much better at drawing lines for ourselves. 

Call me a killjoy, but maybe that means taking a pass on posting pics of what we'll look like in 30 years. Personally, I'm more concerned about what the state of privacy will look like in 30 years. I don't need AI to show me that it ain't pretty.

Privacy advocates rank the creepiest tech gifts of 2018

See all photos