Cassandra - Online Image Conversions by FaceApp and More: Who Owns What and Should We Care

By Graham K. Rogers

I have been following the contradictions involving FaceApp for several days, originally intending to include it as a comment in one of the occasional Review articles I put online. As the weekend wore on, it was clear there were more implications to the use of data by the app. While some questions have been covered to an extent, there are certain aspects that have not been given the reassurance I think is needed.

One of the most popular apps in the last week or so has been FaceApp which among other conversions, can produce an aged face from a photograph submitted. Some of us don't need such apps of course, but I have been generally dismayed by the results I have seen online. What a miserable trend this is. The app has caused some concern because the image (and any metadata I presume) is sent to servers and the company is based in St. Petersburg in Russia. There is a free version, but in-app subscriptions run from $3.99 for a month up to $39.99 for life.

While some have been concerned about the potential for abuse of data, security persons have had a look and suggest that the initial alarms sounded may not be valid. Sen Chuck Schumer was alarmed about the Russian connection and has demanded that the FBI have a look. However, Devin Coldewey (TechCrunch) is not convinced and takes the explanation of the developer at face value: "user data is not in fact sent to Russia, the company doesn't track users and usually can't, doesn't sell data to third parties, and deletes "most" photos within 48 hours."

There is however the problem that T&C concedes ownership to the developer until the end of time, which is slightly less than Facebook or Twitter when it comes to user images. When the TechCrunch comment appeared I was not wholly convinced as the only assurances were coming from the developer spokesman and (in the spirit of MRC), He would say that, wouldn't he?

In the Guardian, Arwa Mahdawi took this a little further, noting that "this is a fault in the way it is allowed to access images" and, despite earlier fears, it is only uploading the selected images. The article also added information from the developers that "[although the] core R&D team is located in Russia, the user data is not transferred to Russia". Again, that was on the say-so of the spokesman.

Schumer was not convinced and is right to be concerned about such methods of manipulating images. Why does it need a server: surely if the developers are that smart, there could be in-app processing. When a user sends an image, unless the metadata is specifically stripped out, there is a lot of information that could be useful for marketing (at best) or for other purposes. As an example, in a simple image (a closeup of work on an oil painting I saw last week) I can use the Investigator app installed on my iOS devices, to show the embedded metadata as in the 4 screenshots here:

As the app may also have access to user data and other information, each individual image can provide much information. Multiply that by millions of images worldwide and the data being sent to the servers is considerable. I noticed this a couple of years back with the app Prisma which does a beautiful job of converting a photograph from an iOS or Android device.

By Monday, more input was available from Angle News who had some information from independent security experts. They seemed to say that any fears about the camera roll access appeared ungrounded and the app has about the same access as Facebook or Twitter. A security person from Checkpoint said that "It seems that the fact that it originated in Russia is at the root of the concerns." I would not disagree with that; but the concerns are real; and the information in the Angle News article goes little further than the single source (the spokesman) with the comment that "while . . . the core R&D team is located in Russia, the user data is not transferred to Russia." I am still not wholly convinced.

Commenting on the wider issue of privacy and granting access to photographs, Sidney Fussell (The Atlantic) suggests this is a symptom of the times and few look at the potential for abuse that is authorized by users who want to use these apps, including Facebook. Most users are unaware of the potential for abuse when opening up apps to access data on devices. Worse: most users don't care.

I looked at Prisma when it was first released in 2016 along with several other similar image manipulation apps that were then available. Like many others I was impressed with the output: both variety and quality. I had used artistic conversion apps before, like Waterlogue and others, but this appeared to be something special and many users were attracted to it. With the odd connections we suffer here from time to time, there were occasional delays when Prisma was used, but overall it worked well. I eventually moved on, although did buy the Mac version of Waterlogue when it appeared a few months ago.

In his 2016 article Daniel Bader (Android Central), outlined some of the T&C concerning image ownership and data use, but there is no mention that the AI conversions were taking place in Russia. Not many read the T&C and I often criticize my students for this. I do, and I note also that in the T&C for Prisma there is the comment that, You will need to use your credentials (e.g., username and password) from a third-party online platform to access some or all of our Services. It is not clear if the password is provided to Prisma, but I would hope not.

Note also the wide conditions in the iOS Terms & Conditions concerning ownership of output:

You grant Prisma a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.

It would seem to be theirs and not yours.

Note that when the developer first set up, there was an operation that could receive, convert and send back thousands of images from worldwide users, all using (then) a free app. This appears to have changed from its initial version and there is now a 3-day trial period after which there are subscriptions. I may be a little cynical, but no one seemed to question who paid for that or what would be happening to the data. Doubtless income from the subscriptions have now recovered the initial costs.

I do not know the answer to the questions Chuck Schumer has about the images and the ways they may be used when sent (or not) to Moscow. His concern is about face data - the images themselves - and he has not mentioned the metadata that is involved. In my view this would be of far more value overall. Russian operations are not always considered reliable. For example Kaspersky Labs has caused some concern in the USA (and elsewhere) with the authorities putting out a warning for electricity grid use (Blake Sobczak, et al, E&E News). There have been other concerns reported about Kaspersky.

I look forward to confirmation (one way or another) from the FBI, or from any other security organizations that are looking into questions surrounding the FaceApp and its use of data. Mind you, the access to photographs of the few million or so who signed up for this app pales in comparison with the amount of information that was vacuumed up and then used to sway public opinion by Cambridge Analytica and Facebook. This is still being done.

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs. After 3 years writing a column in the Life supplement, he is now no longer associated with the Bangkok Post. He can be followed on Twitter (@extensions_th)