#FacePalm: FaceApp's Terms of Use

News & Analysis
im

While people may think that providing their photos and data is a small price to pay for the entertainment FaceApp offers, the app raises concerns about privacy, manipulation, and data exploitation—although these concerns are not necessarily unique to FaceApp.

According to FaceApp's terms of use and privacy policy, people are giving FaceApp "a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license" to use or publish the content they upload, and FaceApp can track their location, what websites they visit, when they open the app, and other metadata. In applying filters to peoples’ photos, FaceApp will create a detailed biometric map of their faces--which can be as unique to them as their fingerprint or DNA

People are right to be alarmed by terms of use like the one FaceApp has—as they should be with similar apps. It is not clear how FaceApp stores, uses, or manipulates peoples' data, including the detailed biometric maps of their faces, and this could change over time as profit incentives and technologies change. Even if you delete FaceApp, there is nothing in the terms of use that governs what the company will do with all the data they have collected about you. 

Because of the uniquely identifying nature of our faces and our inability to change them, cataloguing and storing peoples' faces in a database that can be mined indefinitely is problematic. A biometric map of someone's face isn't just used for unlocking smartphones, it is now a highly-prized commodity by governments and tech companies used to train algorithms and for facial recognition-enabled mass surveillance. In the future such biometric maps could be used for all sorts of purposes that people may not anticipate.

The fact that the app is based in Russia, where companies are obliged by law to store their data centres in the territory and make it accessible to security agencies, is also concerning, although it has been reported that at least in some cases the data isn't being transferred to servers based there, but is stored in Amazon data servers in the United States and Australia.

What can you do?

  • If you've used FaceApps and are concerned about your data - Tweet at them and ask for deletion !
  • Under some data protection laws, such as the EU's General Data Protection Regulation, you may have the right to request that a company deletes your personal data, under certain conditions. To find out more, read our explainer.
  • You can find out more about what rights you have over your personal data in our guide
  • Tell companies to stop exploiting your data! We've made it easy for you here.
  • Learn more about Our Data Future and the steps you can take in shaping it: we have to decide how to protect, enhance, and preserve our rights in a world where technology is everywhere and data is generated by every action. The future is not a given: our actions and decisions will take us where we want to go.
  • Learn more about how social media makes you a target and solutions for stopping platforms and devices you use from being weaponised against you.

What is Privacy International Doing?

We are pushing global companies to commit to the privacy of users around the world. We recommend such companies:

  • Adopt the European Union’s General Data Protection Regulation (GDPR) as a baseline standard for all users, as well as comply with any national legislation that requires stronger safeguards for users.
  • Demonstrate compliance with the data protection standards, including by being clear and transparent on what laws they apply to protect users’ data and how they have implemented them.
  • Use reasonable security safeguards to protect personal information from loss, unauthorised access, destruction, use, modification, or disclosure.

We recommend that governments:

  • Make data protection legislation as strong as possible and not undermined by legal loopholes and exemptions.
  • Ensure that any data protection framework is effectively implemented and enforced, including through the appointment of an independent regulator or authority with an appropriate mandate and resources.

The onus should be on the companies, institutions, and governments processing our data to protect it both by design and by default.