A while back, I left the vast cesspool of mainstream social media for the weirder and wilder pastures of places like Mastodon (and yes, I'm very smug about it). The downside is that I often don't hear about new fads unless something goes horribly wrong, which is exactly what happened when everyone had a collective freakout about FaceApp after initially falling in love with it.

FaceApp, in case you were like me and totally missed it, lets you apply filters to your face to appear aged and decrepit, perhaps appealing to the much-documented millennial obsession with decay and eventual oblivion. FaceApp was then accused of hijacking people's personal information and photos and, gasp!, sending them to Russia. An internet poop emoji storm ensued.

This led my colleague Jose to ask a very reasonable question in Slack:

If one were to delete an app such as FaceApp, is the damage of granting these apps access to your info already done or are you safe again?

Security wonks can often get very snarky and dismissive of real, valuable questions like this. Many take the attitude that people shouldn't have downloaded the apps in the first place, which is not only unhelpful, but further cements the security wonk reputation for hating fun. Jose's question is valid: does deleting an app that was snooping on you in any way make you safe again?

The Real Story About FaceApp

First things first: the fears about FaceApp specifically seem a smidge overblown. My colleague Michael Kan spoke to several security experts about FaceApp, all of whom said it was not overtly malicious and, in some cases, actually praised the app. Aviran Hazum, a researcher from the antivirus company Check Point, told Kan, "I must say that this app seems to be developed in a good fashion—no greedy permissions, and it does what they claim it does."

In fact, Kan reports that the initial warnings that the app steals all your images without asking were baseless and were eventually retracted. It is true, however, that the app is from a Russian developer, but without any evidence that the specific app or developer has done something wrong, it's hard to hold that against the app.

While FaceApp may not be the sneaking terror we may have initially thought, it does have some problems. Like many apps and services we sign up for on a whim, it's not always clear what the app does with your information, how long it's kept, or with whom FaceApp shares your information.

It's Still Not Great

I reached out to Bill Budington, the Senior Staff Technologist at the Electronic Frontier Foundation (EFF), to get a sense of what FaceApp does and what risks it presents. He pointed out that the language of the company's terms of service paints a grim picture.

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform & display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.

"This gives FaceApp and its parent company Wireless Lab an enormous amount of latitude to do pretty much anything with your data that they'd like," said Budington in an email. "Unfortunately, privacy policies like this are far too common, and this one in particular sounds like it's using boilerplate language copied from somewhere else."

Budington also points to a section of the privacy policy that relates to targeted advertising.

We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.

"In other words," said Budington, "they work with online trackers, using data you've given them to better track you." Many companies that offer free services are part of a massive ecosystem designed to track you across the web and tailor advertisements to your interests. Companies have long argued that this is a small price to pay for a free service, and that targeted ads are more valuable to you, since they're more relevant to you.

Whether you agree with that or not, companies are working hard to learn a lot about you in order to turn your data into cash. To me it hardly seems a fair exchange, since that's probably not foremost on your mind when you download an app to mess with your face.

In response to the backlash against FaceApp, CEO Yaroslav Goncharov told Mashable, "we don't sell or share any user data with any third parties." Goncharov seems to be drawing a distinction here between "user data" and information FaceApp gathers. The company's privacy policy does point out that any information should be anonymized.

We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information.

Anonymized information, however, isn't always so anonymous. A report in The New York Times shows that it is possible to connect "anonymized" information to the original person. Moreover, the information might be semi-anonymous, but it's still being used to serve ads to you. The end result for you, the FaceApp user, isn't so anonymous.

Goncharov told Mashable, "most images are deleted from our servers within 48 hours from the upload date." Several responses from the developer in the reviews on Google Play cite a similar 1-3 day time period. Goncharov also said that users can request to have their information removed from FaceApp's servers.

(Full disclosure: PCMag's publisher, Ziff Media Group, owns Mashable and I can see most Mashable employees from my desk. Hi!)

For Budington, that's not good enough. "There's no way of knowing if they're telling the truth," he said. "But what's more concerning is that this assurance is probably the bare minimum they can give, leading one to ask: What do they do with the rest of the photos?"

Let's put it all together, in reference to Jose's question. Regarding your photos, FaceApp only has access to the photos you edit in the app, and says it only retains those for a few days. You can request to have your information removed but, as Budington points out, there's no way for an individual user to verify that this has been done.

Other information, however, is used for targeted advertising and its fate is less clear. The policy does not make plain what is shared and what isn't, and it appears to say that some information is in the hands of other companies and can't be taken back.

It's Not Just FaceApp

The scrutiny of FaceApp is an unusual confluence of events. It started with an incorrect accusation and was exacerbated by the intense—albeit justified—paranoia related to nefarious online activity from Russia. However, what FaceApp does is not so different from activities of more familiar apps like Facebook, Instagram, Snapchat, Twitter, and many, many others.

FaceApp may not be a big bad, but we shouldn't forget this lesson: Free apps want something. Maybe it's your face, maybe it's your excitement on social media, maybe it's your phone number, maybe it's "anonymized" personal information, or maybe it's something nefarious like stealing your Social Security Number. The level of concern and scrutiny being given to FaceApp should be given to every single app, site, service, and software you use. Ask what it wants, and if it's not clear what it wants, ask yourself if it's worth using the app at all.

We are very deep into the surveillance economy, where we are monitored constantly for the benefit of corporations harvesting our data. I've been writing about this for years and after so many data breaches and privacy gaffes from major players (looking at you, Facebook) it's hard to imagine that we could ever escape this data harvesting. Yet, the response to FaceApp has demonstrated that people aren't really comfortable with how these companies operate—or are perceived to operate—and that gives me hope we can get our privacy back.
