FaceApp stole all your data – here’s how they did it and how you could have protected against them

It was last week’s craze.

You’ve seen it on Instagram, in the news, everywhere.

An app to make you look older named FaceApp got viral – and everyone seemed to love it. Until people realized a subtle detail: they were stealing all of your data.

"FaceApp" which has recently gone viral for its age filter, now owns access to more than 150 million people's faces and names.

According to their user agreement, the company owns a never-ending, irrevocable royalty-free license to do almost anything they wish with them.

— UberFacts (@UberFacts) July 17, 2019

Apparently they got access to a vast amount of pictures, tagged with their owners’ names – and they now own them forever. Part of the controversy comes from the fact that the developers –and now owners of this data– are based in Russia, which sparked very interesting conversations about security. But that’s for another post.

The most important question now is – how did they do it?

The answer is actually really simple: by asking you.

You see, the operating system (iOS or Android) can only do so much for you. It tries to protect you from all harms, but you ultimately have the last word on every decision.

If an app, whichever it is, asks you for permission to read your photo gallery and you grant them, they now theoretically have unlimited access to all of your pictures, past and present (and if you don’t revoke permissions, also future).

The only thing stopping them from doing anything they want with your pictures is their actual privacy practices, declared in their privacy policy.

So before granting unlimited access to your privacy to an unknown developer, you should probably read their privacy policy.

The problem is, you guessed it: nobody reads privacy policies.

Here’s what FaceApp actually said about what are they planning to do to your photos:

This is my favorite part of faceapp's terms of service. pic.twitter.com/iIwHqNAzoL

— Justin Reynolds (@justinsocial) July 17, 2019

No, for real: nobody reads privacy policies. It’s not just some intuitive fact or notion. Studies have shown that only 0.001% of all internet users even start reading privacy policies – and the amount of people that actually finish reading them has to be much, much lower than that.

Which is understandable, because if you were to read all the privacy policies you accepted just in the last 5 years, you would need at least 3.040 hours to read through them all.

Of course, companies and malicious agents are exploiting this situation. They know nobody reads them, so they throw in them the most questionable of practices.

Here’s another example. Do you have a Twitter account? According to statistics, most of you do. Did you know you’ve allowed them to sell your data? No, we’re not kidding, this is an excerpt from their actual privacy policy:

In the event that we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your personal data may be sold or transferred as part of that transaction.

Twitter’s Privacy Policy

The worst part is that even if you delete whichever data it is from your device, or from your account, they already own a copy. There’s literally nothing you can do to ensure they will delete all copies of your data from all their servers. Once you’ve accepted their privacy policy, it’s all done.

What can you do to protect yourself against such privacy threats, then?

Well, read all the privacy policies from all the services you use to ensure first they will treat your data respectfully and ethically.

We’re kidding. We know this is not humanly possible.

That’s why we’re building Guard, an Artificial Intelligence that will read every single privacy policy for you and let you know when it finds potential threats. Apart from warning you, it will suggest privacy-friendly alternatives and actions you can take to get yourself protected.

So you can be safe when the next FaceApp comes (and be sure – it will come)

The problem is this new Artificial Intelligence is like a newborn baby. It knows nothing about the world, it needs to learn. Particularly, we need to teach it what do we humans understand as privacy-friendly and ethical.

And believe it or not, you can help. A lot. We’ve designed a very simple game you can play to help the machine understand what privacy means.

Teach Guard what privacy means

With every selection you make, Guard will learn a little bit more what’s privacy for us.

And when Guard “grows up” and becomes knowledgeable… well, then it will protect us all from all kinds of privacy threats.