The Fun App Trap

A close review of the Terms of Use for the FaceApp indicate that a user grants to the company the following:

“a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content [defined to include photographs, text, and “other materials”] and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”

In reviewing the bolded terms, this means that the company can use the images and names forever (perpetual), a user cannot change his/her mind after using the app and attempt to retract the images (irrevocable) and that FaceApp can sell or share the content with anyone (transferable sub-licensable). While the FaceApp privacy policy indicates that information will not be rented or sold to third parties outside of FaceApp without a user’s consent, agreement to the Terms of Use may be read as granting such consent.

For any user concerned about the security of personal information, which here includes information that is capable of being used to inform facial recognition technology now and in the future, it is important to closely scrutinize the terms of applications such as this. This is the type of facial recognition technology used to pick an individual out of a crowd and associate a face with a name (Think of a camera communicating back: Jane Doe has been located at 555 Main Street). Several states have laws governing this type of collection. Illinois, for one, has one of the most stringent biometric laws in the United States (the Biometric Information Privacy Act or BIPA) and requires a detailed notice regarding collection, storage and the purpose of the use of someone’s biometric identifier, and a written release from the individual. As many users are signing on to accept the terms of use and privacy policy of FaceApp, it remains to be seen if these terms are deemed acceptable under applicable law.

In addition to privacy issues, national security concerns have also been raised in connection with use of the FaceApp, including by one high-profile senator and the Democratic National Committee, which recently warned presidential campaigns against using the app. The concerns have principally centered on the fact that FaceApp itself is based in Russia, a country which the US Intelligence Community considers a significant espionage threat. Russia’s government, even before 2016 legislation that formalized it, has had the inherent ability to strong-arm Russian companies into sharing their data, regardless of where it is stored or how long it is retained.

In the hands of Russian intelligence and security services, such as the Foreign Intelligence Service (SVR) or the Federal Security Service (FSB), this personal, biometric data of US citizens could be leveraged for nefarious purposes, unbeknownst to FaceApp users. In addition to deploying facial recognition to police the World Cup last year, Russia is currently in the process of outfitting Moscow with even more artificial intelligence-driven facial recognition systems, primarily sourced from China. FaceApp data could enable targeted surveillance to be conducted on Americans traveling or living in Russia.

A repository of facial photos, such as those uploaded to FaceApp, also could potentially be used to fraudulently access Americans’ smartphones. By gaming the facial identification systems that have replaced passcodes and fingerprint identification systems in recent years, malign actors could access a wide range of financial, medical, and other personal data that now resides on smartphones. Lastly, facial photos taken on a modern-day mobile phone typically have geolocation data embedded within them, which could raise both national security and privacy concerns.