In a world which is becoming increasingly concerned with the privacy and use of personal data, the rise in mobile applications ("App(s)") which utilise people's biometrics is somewhat surprising. Take FaceApp, the latest App to, once again, rise to viral popularity which allows users to utilise "artificial intelligence algorithms to transform your photos" so that we may take a disconcerting glimpse into the possible faces of our future selves. Douglas Adams may have been right about our inability to telephone ourselves in the past, but he didn't anticipate our ability to use our phones to come face to face with a (possible) version of ourselves in the future.
FaceApp, which has found itself under the public spotlight numerous times (not least for its 'ethnicity filters' which were quickly removed) since its incorporation in 2017, is not unique in its use of personal data. This article aims to address several issues which appear to be at the forefront of the public's mind:
1. How exactly is FaceApp transforming me into a Methuselahn version of myself?
The App does not appear to use a filter, which many of us will be familiar with from our use of other Apps such as Snapchat. Instead, it uses an artificial intelligence photo-altering algorithm. Although the underlying technology has not itself been disclosed, the general understanding is that the algorithm is keying in on the general traits we use when judging the relative age, femininity or masculinity of faces.
2. Cloud storage, is this really a problem?
Public backlash against FaceApp appears to have arisen from two issues:
- Claims that the App immediately uploads users' entire camera rolls without consent; and
- Uncertainty as to whether users' photos are being uploaded to a remote server.
FaceApp has vehemently denied both claims, additionally stating it deletes "most" images from its servers within 48 hours of uploading; however, it is worth understanding that in order for such Apps to work, the App will need to upload the photo you want to transform. Apple's rules for managing photos does appear to be adhered to here, as although FaceApp appears to be headquartered at the Skolkovo Foundation, Saint-Petersburg, it has confirmed that they do not transfer any user data to Russia (or any other third parties).
Similarly to most other Apps, FaceApp use Amazon Web Services ("AWS"). This is understandable when considering the processing power required to transform your face. Considering users have varying models of devices, some which will have up to date machine learning capabilities imbedded into their hardware and others which will not, it is much more manageable to avoid incompatibility issues by dealing with the process in the Cloud. FaceApp has confirmed it utilises AWS data servers based in the U.S. and although the App does use third-party code and as such will reach out to their servers, these have been confirmed to be based in the U.S. and Australia.
"You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you."
"[...] You grant FaceApp consent to use the User Content, regardless of whether it includes an individual's name, likeness, voice or persona, sufficient to indicate the individual's identity. By using the Services, you agree that the User Content may be used for commercial purposes."
In a much broader context, where technology has developed to allow for Deepfake videos and AI generated facial images, the usage of Apps such as these allows for a differing cause of concern. Considering the viral use of these kinds of Apps and the wide range of users who upload their photos/ videos, the question arises as to whether allowing organisations to use their data under very broad terms, will result in your work colleagues all of a sudden seeming to endorse a particular brand or product (or even political affiliation?). This may be a bit of an exaggeration, however the thought is still worth considering.
"[...] You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you."
This is also not too dissimilar to what is allowed in other similar kinds of Apps. This form of targeted marking is a product of today, in which people are arguably best influenced by organisations hoping to sell users their goods/services through user's interaction with the internet.
"FaceApp and the other FaceApp Parties will not be liable to you under any theory of liability—whether based in contract, tort, negligence, strict liability, warranty, or otherwise—for any indirect, consequential, exemplary, incidental, punitive or special damages or lost profits, even if FaceApp or the other FaceApp Parties have been advised of the possibility of such damages."
"The total liability of FaceApp and the other FaceApp Parties, for any claim arising out of or relating to these Terms or our Services, regardless of the form of the action, is limited to the amount paid, if any, by you to access or use our Services"
FaceApp confirm they "will not rent or sell your information to third parties outside FaceApp (or the group of companies of which FaceApp is a part) without your consent", which again is not uncommon. However, there is nothing to indicate what the FaceApp group of companies comprises. Effective privacy policies will generally specify who comes under any such "group of companies" in order to further transparency of their data use.
"FaceApp, its Affiliates, or Service Providers may transfer information that we collect about you, including personal information across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction.
As I will address further below, this clause would seem to contradict AWS's approach to privacy. However, the deliberate inclusion of such wording does raise red flags as it could indicate an intention to transfer User Data outside countries with what would be considered "adequate" levels of data protection laws.
5. But what about the GDPR?
Alongside its confirmation that it does not transfer any User Content to Russia nor sell/ share any User Content with third parties, FaceApp has also included within its statement that it accepts requests from users for removing all their data from its servers. Although they state their support team is currently overloaded, they stress that such requests have their priority. FaceApp recommends that users send the requests from the App using "Settings->Support->Report a bug" with the word "privacy" in the subject line. They continue to state they are working on a better user interface for this, which in all, suggests that they are conscious in bettering their internal data protection procedures.
Article 3.2 of the GDPR states that it shall apply to organisations that are not in the EU if two conditions are met: the organisation offers goods or services to people in the EU, or the organisation monitors their online behaviour. This would certainly cover the activities conducted by FaceApp and therefore they could be subject to fines should a breach of the GDPR principles be proven to have occurred.
Should FaceApp not have a physical presence within the EU, EU regulators would still have the ability, by virtue of international law, to issue fines. Considering the relationship between U.S and EU data protection authorities (and assuming FaceApp has a physical presence within the U.S), the ICO would be able to pursue FaceApp in the U.S. Failing that, the EU authorities would need to work with the Russian Roscomnadzor to bring action against FaceApp in Saint-Petersburg.
Is this a part of an inevitable future in which technology plays a larger part in our everyday lives or more so a "hilarious" decent into an Orwellian future? In either case, people should be always be conscientious of the terms of which they agree to when using Apps such as these and also the privacy implications involved when considered the usage of their personal data. The passage of time, in this context, will certainly tell the tale.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.