Face Off: Privacy Issues Not Confined to FaceApp
The internet and the security community is up in arms and shocked, shocked to see that a web developer is collecting data that you share with them and processing that data in the cloud. In this case, the app is FaceApp, an application developed by an entity in Russia that takes photos you upload and uses an algorithm in the cloud to “age” these pictures to show what you would look like if you were—well, if you were as old as me.
As with everything else, it’s all fun and games until someone gets hurt. In the case of FaceApp, the problem seems to be that the app’s privacy policy does not tell people that their photos (either the ones that they share or the ones that might be accessed by the app) are taken off the phone, processed in the cloud and potentially maintained by the developer. The developer reportedly indicated that the photos are processed in-country (not in Russia), that only those photos shared are processed and that almost all of the photographs (hmmm, almost all?) are deleted from the cloud server after processing.
In response to the criticism, FaceApp now contains the warning, “Cloud Photo Processing: Each photo you select for editing will be uploaded to our servers for imaging processing and face transformation.” So now, you click first and the same exact thing happens.
Cloud Smoud
Boiling down the controversy, it seems the issue was that users did not realize their pictures were being processed in the cloud as opposed to on some other server or on their own devices. Right. Like users of Siri, OK Google and Alexa don’t realize that their voice is processed in the cloud. The cloud can be good, not good or downright evil, from both a privacy and security standpoint. But it’s just another computer (or computer network). From a privacy standpoint, the issue is use—who “owns” the photo and what rights does the app developer have to use the photo? In this regard, FaceApp’s privacy policy, while by no means a model of clarity, seems to suggest that the company doesn’t sell, share or otherwise use the picture except for internal use. Whatever that is. Considering that Facebook stores, scans, indexes and uses facial recognition not only on pictures of me that I upload but also on pictures of me that others upload, FaceApp’s privacy policy—if it says what I think—ain’t terrible.
Security is another issue. Anytime you access a file, transfer it, process it, store it and re-transfer it, there are opportunities for abuse. So the fact that the processing is “in the cloud” could be an issue. Or not. We will see if people are dissuaded from using FaceApp and aging themselves ‘cause they are aging in the cloud.
Consent
The real problem here is that, at least in the United States, your privacy and security are not dictated by some standard of reasonableness, but primarily (except for certain defined data) by contract. In Europe and other places, there are standards for data collection, storage, processing and use—data must be collected for a “lawful purpose” and used that way.
In the U.S., it’s primarily a question of what the consumer agreed to. And I use the term “agreed to” loosely. If a Terms of Use, Terms of Service, Software License Agreement or Privacy policy puts you on notice that, by using the site you have agreed that your data can be—I don’t know—sold to Russian hackers, well, then expect it to be sold to Russian hackers. It’s not my fault that you didn’t read the fine print.
There are many problems with the contract model, not the least of which is the fact that most people can’t read, can’t understand and can’t negotiate these agreements. They just want to use the site, the app or the data. As Ellen Barkin’s Beth Schreiber said in Diner, “Shrevie, who cares about what’s on the flip side about the record?” They just want to listen to the music.
Years ago spyware developers got wise to this and started putting Software License Agreements in their spyware, getting unwitting downloaders to agree to the installation of malicious code and to the collection of data. The contract model would permit such a bargain.
In the end, whether your face is processed on the cloud, in the air, on a server or on a device, the processing should be secure, and the use of your pictures and data should be reasonable, irrespective of what the fine print says. Some rights are too precious to be signed away with a click.