This controversy brings to light just what exactly we’re allowing companies to access when we allow services, but also provides a lesson to brands around transparency behind data collection and usage.
FaceApp privacy issues
The reason public panic set in was mainly due to the permissions you have to allow in order to use the app to edit photos.
Essentially, you have to give the app access to all your camera roll photos, which appear directly in the app’s home screen rather than a separate “camera roll” screen as other apps have.
This, combined with the viral privacy concerns, caused people to think that FaceApp (and its Russian developers) now had access to every photo in your camera roll.
Not only that, but an article from Forbes suggested that the app may have access to even more than just your photos:
“To make FaceApp actually work, you have to give it permissions to access your photos — ALL of them. But it also gains access to Siri and Search .... Oh, and it has access to refreshing in the background — so even when you are not using it, it is using you.”
Understandably, this caused uneasiness among many.
However, as the news became more widespead, more technical experts tested the app themselves and weighed in on how your data is actually shared, stored, and processed within FaceApp, and what threat it poses for the security of its users.
Upon further review by experts, it appears that things aren’t as bad as they may seem.
While the app does have access to your photos, it seems as though it only can access the ones you select for editing in the app. Per the app’s purpose, this makes sense, as it would need to see these in order to transform your picture with the desired filters.
HOWEVER: they do appear to upload single images in order to apply the filters server-side. while not as egregious, this is non-obvious and I am sure many folks are not cool with that.
Still, even though the app may not have access to as much as we thought, the app’s roots in Russia may make users uneasy regardless. However, Forbes reported that data from the app is sent to servers mainly based in the United States, not Russia:
“This all turns out to be another of the Web’s many storm-in-teacup moments. A security researcher who goes by the pseudonym Elliot Alderson (real name Baptiste Robert) downloaded the app and checked where it was sending users’ faces. The French cyber expert found FaceApp only took submitted photos — those that you want the software to transform — back up to company servers.”
“And where are those servers based? Mostly America, not Russia. A cursory look at hosting records confirmed to Forbes that this was true: The servers for FaceApp.io were based in Amazon data centers in the U.S. The company told Forbes that some servers were hosted by Google too, across other countries, including Ireland and Singapore. And, as noted by Alderson, the app also uses third-party code, and so will reach out to their servers, but again these are based in the U.S. and Australia.”
So, even though the app’s servers are not Russian-based, what data is stored within the app’s servers, and why?
To answer this question, FaceApp founder Yaroslav Goncahrov weighed in, telling Forbes:
“We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud."
"We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date."
Essentially, just like when a user visits your website, you can access their in-app or on-site activity — but can’t see what other website’s they currently have open, or any other specific details on their computer.
Additionally, if you’re still uncomfortable with FaceApp having this data, Goncahrov noted you can request to have all of your user data wiped entirely with the following steps:
Go to “Settings”
Click on “Support” and then “Opt to report a bug”
In the text box, ask for your data to be deleted from the app (Note: Goncahrov says by putting “privacy” in the subject line, it can help your matter get dealt with more quickly)
State of data privacy in 2019
What’s interesting about this public outcry over FaceApp is that it seems to be rooted in its seemingly alarming terms of service language. However, it’s actually not much different than other widely used apps like Facebook, Instagram, Twitter, or TikTok.
It didn’t take long for this comparison to become its own kind of “meme” on social media:
guys faceapp can use your likeness! you were very smart to not have fun with the old filter!
thank god you only use twitter, instagram and facebook that do the exact same thing
and scanned your face for apple, instagram and snapchat
While I’m not trying completely discredit concern over FaceApp’s “perpetual, irrevocable, nonexclusive, royalty-free” rights to your content produced in-app, it is worth noting that we grant the same level of access if not more to apps like these regularly, and they’re just as free to use the data however they want.
For example, YouTuber Cody Ko learned his lesson on TikTok’s data access levels the hard way, and shared a video about his experience.
I won’t dig into the details, but essentially, Ko made a video poking fun at the app, and made a few TikTok videos in the process.
Although his account was set to private, he noticed that TikTok was using screenshots of his videos posted in the app as advertisements on Facebook.
Does that language sound familiar?
My point is that when we download apps to our phone or give information to websites, we’re often giving up more than we may think as we scroll through the terms of service.
If you’re worried about FaceApp, you may want to re-evaluate the other apps you’re using as well.
What companies can do about data transparency
Sure, you could read the full Terms of Service list before downloading, but we all know how rare that is. Still, it makes users feel like these claims were “snuck in,” knowing most people would never see it.
The fact is, many apps and websites rely heavily on customer data to run and gain analytics to improve.
So as a marketer who relies on this data, what do you do?
The first step is transparency. Be upfront with exactly what information you’re collecting, where it’s going, and what you’re planning to do with it.
This allows users to make a more educated decision if they want to use your app. Sure, it might turn off some users, but it’s better than making your audience feel as though you’ve intentionally misled them.
For example, after the backlash, FaceApp updated its features and now shows a clear message asking users for permission to send data to the cloud, and what they need this access for.
Additionally, when it asks users to grant permission to access photos, it added a note explaining why.
While this doesn’t cover all the concerns, it does make users more educated on what exactly they’re signing up for when using the app.
Whether you have an app or a website, there are valuable lessons to be learned here. Make sure you’re transparent with your customers on what you’re collecting and why. By making it clear exactly what you’re planning to do with collected data, you can put customers at ease and avoid making them distrust you when if they want to know more about your data policies.
When you’re upfront, you control the story, and it’s better for everyone involved. People deserve to know what the data they’re providing to you is going to be used for.
Additionally, with privacy laws like GDPR in effect (which will inevitably become more widespread) it’s smart to have good data practices in place now so it’s second nature if stricter laws become enforced.
Overall, as brands, it’s our responsibility to communicate things like this to our customer base clearly and transparently. Like any other marketing tactic, transparency is key in building brand trust and ultimately leveraging that trust to create a loyal following of customers.