Last month there was a huge furore around FaceApp, the mobile application that ages your photographs to show you what you might look like as you get older. This was caused by a rapid cycle of misinformation and conjecture.
It was thanks to cybersecurity researcher Elliot Alderson – who you might remember from last week’s podcast episode – that the world was able to get beyond speculation and find out what was really going on.
We got in touch with Elliot shortly after the story broke. He was kind enough to speak to us about the FaceApp furore, and explained what caused the confusion and how he managed to get to the bottom of what was actually going on.
You can listen to what he had to say in this special short bonus episode:
Elliot says that although FaceApp is problematic, it isn’t unique. It poses exactly the same threat to our privacy as the platforms and applications that millions of people use every day. “There is an issue with FaceApp,” he tells us. “But there is an issue with Facebook, with SnapChat, with Twitter – it’s never a good idea for someone to upload a photo of your face to a random application.”
This line of argument can be found elsewhere, and it is arguably the most important lesson we can learn. In this article from Wired, journalist Brian Barrett writes: “should you be worried about FaceApp? Sure. But not necessarily more than any other app you let into your photo library.”
Should you use FaceApp?
However, although you might assume that a security professional would simply warn everyone against using these sorts of applications, Elliot says “this application is really trendy. You can see a lot of stars using it on social media, so this is normal – you want to use this application.”
What you need to consider if you want to use FaceApp
However, if you do want to use it, you should be careful. “You have to step back a little bit before using it and ask yourself a question” about how money is being made. “This is a free application… there are developers behind this application, they need to live, they need to eat, they need to live, they need to eat – they need to earn money – and in general the answer is with your data.”
“You are the information,” Elliot says. “You can decide to use it, and say okay, I’m ready to lose this part of my privacy in order to use this cool service… or you will… think no, it’s not worth it. FaceApp seems to be cool, but my privacy is more important than something trendy like this.”
The key, then, is to check the terms and conditions of the application. “You have to know that you will have lost a part of your privacy. And if you’re okay with that then – okay, go for it, and use the application.”
Developer responsibility and code ethics
There are clearly question marks for users about FaceApp, or, indeed, any other free application that has access to your data.
But what about the developers building these applications? Do they have a part to play in ensuring that applications respect user consent and privacy?
“It’s complicated for a developer to say no to their project manager” says Elliot. However, this doesn’t mean developers should be content to follow orders from management.
“Developers need to raise their level… and say okay, but ethics is also important…” Elliot continues, “as a technical guy I need to spread the message internally in my company, and say to the project manager, to the business, to the marketing department okay this is a cool feature but no, we won’t do that because this is against our users.”
“Developers need to say no sometimes – and companies need to understand that it’s not okay to dump as much data as possible from their users.”
How did Elliot Alderson uncover the truth about FaceApp?
One thing that is often forgotten in these stories is the technical process through which the truth is uncovered. Sure, that might be a little dry or complicated for some, but the fact that there is real detective work in understanding what’s actually going on inside an application is incredibly interesting.
It also highlights that while software might sometimes appear mysterious or even impenetrable, with the right skills and tools we can see how things actually work. That’s not only useful from a technical perspective, it’s also a way for all of us to retrieve a small sense of power back from applications built and owned by companies worth billions of dollars.
“It’s not that easy, but it’s not super complicated too,” says Elliot. Although he tells us that “the first time you want to do it you need to spend some time on it for sure,” once you’re set up and ready to go you can find things out remarkably fast.
Using a tool called Burp Suite, the whole process was complete in a matter of moments. “Checking FaceApp took literally 5 minutes for me, because everything is already set up on my computer and I just have to install the application and look at the network request.”
Learn more about Burp Suite with Packt’s selection of eBooks and videos here.
Follow Elliot Alderson on Twitter: @fs0c131y
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Richard Gall. Read the original post at: https://hub.packtpub.com/developers-need-to-say-no-elliot-alderson-on-the-faceapp-controversy-in-a-bonus-podcast-episode-podcast/