Is FaceApp Misusing Your Data?

Last week, hundreds of millions of people uploaded pictures of themselves to FaceApp.  You, your friends, your parents, comedians, athletes, the Avengers. It was all fun, until Senator Chuck Schumer tweeted last week that FaceApp might constitute a national security threat.  His argument had very little to do with the app itself, and almost everything to do with a larger, more significant trend in geopolitical cyberwarfare.

 

In the Spring of 2017, the U.S. Senate made a startling declaration: that a program running on computers throughout Washington D.C. was, potentially, being used as a tool for Russian cyber espionage.

The program was called Kaspersky Antivirus. It ran on the computers of staffers and congressmen alike, on Capitol Hill and in department buildings scattered about the city. And it wasn’t only a popular program; it was root-level. Antivirus scans have to reach the deepest depths of your computer in order to fish out any potential threats that may have burrowed in. Therefore, Kaspersky had limitless power over the machines on which it was installed.

Over the summer that followed, amid media and FBI investigations, Kaspersky Antivirus was gradually pushed out of Washington.  By the end of the year, Donald Trump signed a bill officially banning all Kaspersky Lab products from U.S. government use. Problem solved.

Yet what was the basis for this change?  Precious little detail was released to the public.  Even today, evidence against Kaspersky Antivirus is hard to come by.  Back in April, for example, months after banning it from their own computers, the EU publicly admitted they had no proof that Kaspersky is malicious.

And yet, even in the absence of hard evidence, we should consider the potential risks.

The U.S. government knows just how easy it would be for Russia to use Kaspersky for its own gain, because the U.S. government itself has been known to build backdoors into popular homegrown software for surveillance purposes.  It’s only logical, then, to assume that a program with unlimited access to sensitive, high-level government computers wouldn’t go unexploited.

What about a database with hundreds of millions of faces, without restriction on how those images can be used?  From the FaceApp terms of service:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.

FaceApp owns the photos you upload to it. That’s not necessarily any different from any other app you upload photos to, but because this company is based out of St. Petersburg, Senator Chuck Schumer raised an alarm. Was he right to do so? Well, it depends on how you view the larger narrative.

On one hand, it’s easy to empathize with the developers. If FaceApp is innocent, then they’re being cast as pawns in a cyber war they never signed up for. On the other hand, although a tweet like Schumer’s might ring of hype and hysteria in the absence of any real evidence, it seems like a smart move because there is a general cause for concern, even without definitive proof. Cyber threats can be extremely difficult to understand, because malicious actors have a bevy of methods available to hide what they’re doing, and that they’re the ones doing it. In U.S. constitutional law, the going rule is “innocent until proven guilty”. But what if “proving” is impossible, or takes years? Cyber threats of this scale can cause irreparable damage in weeks, even seconds.

So here we are: none the wiser, with more questions than answers. Kaspersky Antivirus 2019 is one of the most highly lauded computer security solutions on the market today. FaceApp, as of this writing, is the number one app on iTunes, Google Play, et al., with millions upon millions of downloads each passing day. Are these apps cover for Russian cyber espionage? It’s both entirely conceivable and highly doubtful. Still, being cautious about your cyber activities is always a good idea.

Being cautious isn’t always as easy as you might think, though.  Say you wanted to try FaceApp’s aging feature, but also heed the warnings of its privacy risks.  Among the top ten most popular apps on iTunes, as of this writing, is another app called “Face Aging App – Oldify Camera”. Eureka! An app that does the same thing, but without the Russia part. Except cybersecurity isn’t that easy. Even more prevalent than Russian snooping are suspect organizations that seek to leech off the popularity of a trend, with lesser and potentially malicious knockoff products.

In all likelihood, nothing bad will come of FaceApp. But who knows? One thing is certain: be careful out there, and use common sense with any app that deals with your personal data.

 

About the author: 
Nathaniel Nelson writes the internationally top-ranked “Malicious Life” podcast on iTunes, hosts programs on blockchain and SCADA security, and contributes to AI and emerging tech blogs.