The Key Point Everyone is Missing About FaceApp

Much has been written in recent weeks about the widely publicized privacy concerns with FaceApp, the app that uses artificial intelligence (AI) and augmented reality algorithms to take the images FaceApp users upload and allow the users to change them in a wide variety of ways. Just a few of the very real risks and concerns, which exist in most other apps beyond FaceApp, include:

1. The nation-state connection (in this case, Russia)
2. Unabashed, unlimited third-party sharing of your personal data
3. Terms of use give unrestricted license for FaceApp to use your photos
4. Your data will exist forever … in possibly many different places
5. Data from the apps are being used for surveillance
6. Data from the apps are used for profiling
7. Apps are being used in ways that bully and/or inflict mental anguish
8. Using the images for authentication to your accounts
9. Your image can easily be used in deep fake videos
10. Look-alike apps are spreading malware

I could go on, but this should provide you with a good idea of the range of risks involved. Here is an important key point not within this list that has not been highlighted in the three or four dozen articles I’ve read on the topic: the FaceApp uproar highlights a long-time problem that is getting even worse in the way that privacy policies are written.

Evolution of Privacy Policies to Anti-Privacy Policies
I’ve been delivering privacy management classes since 2002. One of the topics I’ve emphasized is the importance of organizations actually doing what they say they will do in their website privacy policies, and not using misleading and vague language to actually limit the privacy protections and increase sharing with third parties. (Privacy policies are also often referenced as privacy notices; for the purposes of this article, consider them to be one and the same.) Organizations should not use privacy policies as a way to remove privacy protections from individuals. The US Federal Trade Commission (FTC) actually published a substantive report detailing these problems in May, 2000, entitled, “Privacy Online: Fair Information Practices in the Electronic Marketplace a Report to Congress.” The advice within this report is as valid today as it was back then; in many ways even more so.

A key point made within that FTC report emphasized the need to provide clarity for collections, uses and disclosures of, and choices related to, personal data. In particular there were three significant problem areas for the findings of the FTC’s research of website privacy policies that highlighted:

1) using of contradictory language;
2) offering unclear descriptions of how consumers can exercise choice; and
3) including statements indicating the possibility of changes to the policy at any time.

From 2000 to around 2010, I saw many websites that actually tried to address these issues. This was a fairly hot topic at information security and privacy conferences then, during which time I delivered keynotes and classes specific to addressing privacy within privacy policies, and then implementing the supporting controls within the organization to meet compliance with those privacy policies.

What happened around 2011 and after? A perfect anti-privacy storm involving increased use of search engine optimization (SEO) in ways that included communicating deceptive statements in websites and their privacy policies, and a huge jump in use by the general global population into a larger number of social media sites and blogging. This led to thousands of headlines over the past decade demonstrating increasing incorporation of non-friendly privacy practices. This was soon followed by apps that integrated with virtually every type of device, server, social media site and cloud service. To succeed in these areas, rank the highest in searches, gather the most personal data to subsequently monetize, get the most likes, and get the most online amplification through partnering and sharing data with as many other organizations as possible, marketing practices were used that incorporated creative (actually deceptive) modification of privacy policies. This in large part led to why so many of the current posted privacy policies tip toward being mostly anti-privacy in the manner in which they are written, often in ways that allow for as much data to be shared with as many other third parties as possible.

FaceApp’s Privacy Policy Problems
There are many vague and problematic areas within the FaceApp posted privacy policy; take a moment to read it. See what I mean? Let’s consider the “Parties with whom we may share your information” section in particular.

• FaceApp can share unlimited types and amounts of your information (of all types) with “businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group (“Affiliates”).” What businesses do those include? It doesn’t say in the FaceApp privacy policy.
• So, digging deeper, according to the FaceApp Terms page, FaceApp’s “Designated Agent” is “Wireless Lab Ltd.” with an address in Saint-Petersburg, Russia. I did not find a privacy policy or terms of use on the Wireless Lab Ltd. page. It is interesting to see their email contact listed as info@faceapp.com. So, the businesses that are “legally part of the same group of companies that FaceApp is part of” is a mystery, based on what the websites communicate.
• Moving on to others outside of their “group of companies,” FaceApp indicates that they “also may share your information as well as information from tools like cookies, log files, and device identifiers and location data, with third-party organizations that help us provide the Service to you (“Service Providers”). Our Service Providers will be given access to your information as is reasonably necessary to provide the Service under reasonable confidentiality terms.” So, do you now know who FaceApp is sharing data with? No. Do you know the specific data that is being shared to unknown others? No.
• Moving on … they also state: “We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information.” Does this give you assurance? No. Why? Because the way this is written they may be sending your personal data and so-called “anonymized data” to other parties, and that information may also be combined with other information that actually could re-identify you.

This section of the FaceApp privacy policy could be reworded to have basically the same meaning as: FaceApp may share any of your information with anyone else to use however they wish. Does this sound like a “privacy” policy to you? This type of non-privacy pledge is far too common on websites.

It is also worth noting that there was:

• Just a single sentence (“We use commercially reasonable safeguards to help keep the information collected through the Service secure and take reasonable steps (such as requesting a unique password) to verify your identity before granting you access to your account.”) describing security, and a disclaimer of any responsibility for even securing your information and preventing others from getting access to your data.
• No apparent information about how you can access and view all your data that they’ve collected or derived from what you provided to them.

Privacy Policy Problems Not Unique to FaceApp
If you reviewed your own organization’s privacy policy, would you identify similar problems? If you find that everything does look good from a privacy standpoint, is your organization fulfilling all the promises made in your posted privacy policy? In my experience doing privacy policy PIAs over the past couple of decades, roughly 90-95 percent of organizations are NOT in compliance with their own posted privacy policy. Every organization needs to realize that they are legally obligated to fulfill the promises they make within their own posted privacy policies, in addition to all their applicable laws and regulations.

It is a good practice for every IT audit, information security and privacy officer to put an audit of their posted privacy policy on their annual plan. If you don’t, you may be added to the growing list of organizations that have been slapped within increasingly larger FTC fines for not fulfilling privacy policy promises.