248 comments

[ 6.1 ms ] story [ 249 ms ] thread
(comment deleted)
It's worse when it has access to your picture because a friend thought it'd be funny. In that situation the App gets my picture without my consent.
Do friends need to enter the name along with the picture? How about the age?

I haven't tested the app myself yet and probably will not.

This is the reason I have just stopped bothering about privacy. I meticulously guard which apps I share my phonebook with, while other idiots share their entire contacts folder (including my details) en-masse to apps like TrueCaller.

It just feels so futile to even care.

You're right, facebook and others can (and do!) infer people based on contact lists, even if you don't have a facebook account, if all your friends do then Facebook already knows who you are, who your friends are, you're likely interests (based off friends), etc.

The best I figure I can do is to keep the apps I used locked down if possible - and to avoid "stupid" apps that clearly have little purpose other then dataharvesting.

Cool Selfy app? Ehh pass.

Can a friend agree to these terms when it is my face, my name, and my private data though?
In many countries including the US, yes. If the right mixture of you, the company, and your friend are located in or deal with Europe or similar places, possibly not, but it very much depends on the details.
Define private, you walk in public in front of security cameras wearing your face in public. your face is now public information.

Your name is on your mail, your census, your driving licence, you provide your name and address to companies all the time. your name and address is now public information.

If someone can tie your public face to your public name then thats public information.

you dont like it, get a PO box and wear a mask all the time.

Didn't Facebook face tagging work the same for a long time? It would ask people to provide names for other people in their photos
Still does, at least partially. Facebook's always asking me if I want to tag certain people in their images... No Facebook, am no a grass
Hmm. Would it be possible to run these Apps in a VM like container? allow it access a dummy, empty folder to read from somewhat of a container for all apps? then there would be a manual transfer process between the shared folders after you've saved an image?

So when downloading an App it will ask would you want to run this in an isolated environment? and you can, so if it tries to scan over your photo gallery it will have an empty folder etc..

This is a scoping issue. On iOS devices at least no app has access to your photo gallery unless they explicitly prompt you for permission.

That said, many apps need access to the photo gallery - say I want to put a screenshot into discord. The issue is that now Discord has access to ALL of my photos.

There needs to be more scoping options. "Allow access to previous 12 photos while you're using the app" kinda deal.

On iOS is't possible to ask the system to present a photo picker on behalf of the app without requiring a permission to look into your photos.
So I’ve heard about this feature before but I’m not sure it actually exists? From the Photos app you can only share specific photos with specific apps that add themselves to the popout menu. If you disable Photos access to any of these apps they will just ask that you re-enable full photo access.
It does exist, I have an app that manipulates photos and if you reject photos permission you can still use the photo picker and get access to one photo of the user's choice. You can't directly save to the photos library, but you can save it via a system share sheet.

Most apps don't make that obvious though, and imply that they need full photos access to work (Or they don't give options to use the system picker/system share sheet.)

I'm not an iOS developer but if it does exist not many apps use it. Snapchat, MS Teams, Discord, and a few others don't do it by default at least.
The iOS-native UI is not customizable, that should be the main reason.
Apple really should force their hand and mandate that this is the only way to get a photo upload. I hate all the sweeping permissions nearly every app for iOS demands. Where's the sandboxing?
I just checked with Teams, when you click on the image it brings up the image picker.
It’s not ideal, but most iOS apps that take images will accept pasted images. You can avoid giving them photos access, and instead copy/paste from the Photos app.
This works with many messaging apps, but I don't find it works with apps that don't have a textbox meant for pasting photos; the UI assumes the only way the user wants to share photos is by enabling Photos access.
You can view the photo in Gallery, and then select to share with one of the actions at the bottom, and the app only gets access to the photo you select.
I think Apple wouldn't be too happy in the App Store Review process if they find out your app is uploading pictures without user interaction.
Or make it even simpler - split read and write access. Camera/Photos are already split, but I should have the ability to let an app save a photo without having to grant it complete access to my photo library.
There are a number of ways around that.

- Discord can have a share sheet extension that is accessible from the popup that appears when you take a screenshot.

- You can copy and paste the image.

- the app can bring up a photo picker.

> to run these Apps in a VM like container?

That's what Xposed Framework does exactly.

> allow it access a dummy, empty folder to read from

That's what Xposed XPrivacyLua plugin does exactly.

https://github.com/M66B/XPrivacyLua

Aren't contracts with unlimited time periods non-binding? I was under the impression that any contract that said perpetual anything could be trivially disregarded. Or is that a regional thing?
It's almost certainly depends on the juridiction but I am curious on this.

Also if any lawyers read this - If "perpetual" isn't binding, would say "The next 200 years" be binding? It's an explicit time period but effectively still "indefinite" for the lifetime of an individual.

The language from their terms of service (https://faceapp.com/terms) is this:

> You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.

This is standard language that is generally enforceable. It is the license that is perpetual, not the contract.

Not in Europe. I’m sure lawyers are excited.
Can you elaborate? I was under the impression that you can give permanent content licenses, is there something stopping that in general, or something related to apps, or pictures?
I am not a lawyer, but dear gawd, how would that even work? I can imagine a huge number of domains where a time limit would make interaction unfeasible.

- I am buying my house for perpetuity, not leasing it for a limited period

- I'm a photographer, you're a model, I want a model release that's unlimited or it's not worth my time and risk to deal with you (this is usually framed as "rights" or "license", but signed in form of a "contract", similar to what the FaceApp would likely do?)

See DinkDink's reply for what I was thinking of.

You're buying a house for as long as you can afford property taxes. :P

>contracts with unlimited time periods non-binding?

I've noticed in countries with Natural Rights frame works for their law that typically contracts that commit /an individual/ to work when it's not "bonded" in some way are interpreted as slavery and nullified.

e.g. If I agree to get paid $100k lump-sum today to work for you for 10 years at no more compensation, and at year 2 I decide to renege on the contract, no Natural-Rights framework court is going to enforce that.

But if I sell my house to you (relinquishing ownership to you for an "unlimited time period") and I try to renege on the sale, it is going to be enforced.

It should be worth millions to have pictures of 150M faces and associate them with names. If I had that I would sell it to the people running the in-store camera networks that identify customers into demographic categories and offer them this so that they can associate real identities.

Another data broker, now of people's faces. I am surprised that this isn't yet done by the free make-up apps or even by snap chat.

I guess there are people crawling Facebook and probably other profile services like LinkedIn, etc. But probably crawling these is not legal to resell.

The coverage on FaceApp and the way they talk about it is ridiculous. When it comes for instance to Snapchat's numbers, the coverage is about the success of the company.

How is FaceApp different than all other apps and social networks that are storing all your photos with location and tags to your friends except that FaceApp is a Russian company?

I'm not defending FaceApp. I don't use social networks either for the same reasons. But this double standards in media is ridiculous in my opinion.

the only real difference between snap and faceapp is the media gave faceapp the russian tie in so now they're using it as that combined with federal investigation titles [1]

snap is a scarier but most people dont care since its so ingrained into their lives... for whatever reason I never understood.. but my friends used love it even while I warned them how stupid it was so use snap in the first place if you cared about privacy

what happens to snap.inc/your data when the userbase drops off completely.. inevitably like every other social media..

1. https://techcrunch.com/2019/07/17/faceapp-gets-federal-atten...

On top of that, FaceApp doesn't request Geolocation permissions while Snap integrates a map of friends in the app itself.
The app doesn't request Geolocation data, but might the geographic info still be in the EXIF data in the photo that gets uploaded?
Yep this is correct, location history can be scraped from the EXIF data in the photos in your camera roll.
Does Apple allow disabling the exif feature in the camera app like Android?
You can disable Location Service for the Camera app in the Privacy Settings.
(comment deleted)
One is owned and operated in a country of authoritarian-level data-collection and massive public propaganda and the other is owned and operated by a company in Russian which isn't any better but still determines the media narrative.
You forgot MSQRD owned by Facebook. It's a US company, therefore their data can be requested by FBI, NSA and others upon request without opposition.
Exactly. The lack of warrant canaries shows us just how cozy the relationship is.
Especially after Cambridge Analytica, it honestly wouldn't be too much of a tin foil hat theory to imagine a world where state actors such as the IRA would come up with a viral app like this to scoop up data and influence the elections again.
Heh, I was kind of expecting that. But it was still amusing to read.
One people brush off and another people don't.

So if you want to teach people about how and why data is important it is easier to do so when using Russia an an example (assuming you're a Westerner). Most people still have a fair amount of trust in US companies and don't believe they would abuse their power. Call it tribalism it whatever, but that's how it is.

But to us in tech it's pretty obvious that even if Snapchat or Facebook never abused their power (lol, I know) that that kind of data is likely to end up in the hands of the Russians anyway. So it's just easier to talk about data when the big bad wolf abuses it. But I'd also use this opportunity to talk to others about the parallels that we have here and the responsibility of the tech giants.

It's because Russia has been demonised in USA's propaganda over decades. They're selling trying to do the same with China now, except it's more for direct commercial reasons than to protect the ideal of Capitalism as it was before.

I grew up getting a lot of "evil commies" messages in US American media and I'm not even in USA (I'm from UK).

> I grew up getting a lot of "evil commies" messages in US American media and I'm not even in USA

There's more than one reason for that, here is one that might be easy to overlook when someone is critizising USA with good reason:

America is not perfect but as a citizen and compared to the bad old commies it was mostly really good.

See https://en.m.wikipedia.org/wiki/The_Gulag_Archipelago

> There is also https://en.wikipedia.org/wiki/Guantanamo_Bay_detention_camp

Between this:

>> ... when someone is critizising USA with good reason:

and this:

>> ... but as a citizen and compared to the bad old commies it was mostly ...

I feel my comment is still pretty safe.

You see, there is often a reason I use all those weasel words; otherwise it would be hard to poknt out that something can be far from ideal and something else can still be really much worse.

I mean China does have connection camps and quite an Orwellian society.

Saying this doesn't mean I condone what the US is doing with Latin Americans right now, but the way you frame it suggests that China and Russia aren't doing things that many of us in the West find reprehensible. They are authoritarian regimes after all. (Again, that's not saying the West doesn't also do these things, but I do think there is a clear difference in degrees. I don't think my belief is uncommon either).

More importantly, the comment comes off like we shouldn't criticize them. Why not? (We should also criticize the West, because frankly that an essential part of democracy)

All governments use the same playbook, and one of the plays is concentration camps. The US media shows us the worst of China and the Chinese media shows the Chinese people the worst of the US.

Our greatest responsibility is our own nation. Those who try to engender righteous indignation in us about other nations are usually the ones who benefit most from our own worst deeds and practices.

> I grew up getting a lot of "evil commies" messages in US American media and I'm not even in USA (I'm from UK).

And even then, the propaganda can turn on a dime. Rambo III, where Stallone more or less single-handedly beats the Russians in Afghanistan, has this message in their closing credits:

> "This film is dedicated to the gallant mujahedeen of Afghanistan"

Blatant ignorance of the divisions within the militant groups fighting Russian presence, not to mention rivalries between clan leaders who actually lived in Afghanistan and Saudi-funded foreign fighters looking to establish a foothold in the country.

After 9/11, that message was removed from VHS and DVDs of the film. I remember seeing the TV syndicated version many years back that had the message intact.

it hasn't been demonized enough, if anything, commies are very evil, I promise you that

source: grew up in USSR

Side point, I also don’t use social media app but at this point it doesn’t matter. 3 of my friends sent me my faceapp photo. No way to escape this.
I had this same problem. Except it was my wife who uploaded my face. How do I receive compensation!? /s
If you wanted to escape it you could use something like This Person Does Not Exist and submit large numbers of fake people with your name to the app such that nobody would be able to tell which was the real you.

Of course, to do it well, you'd probably want to start doing it before anybody submitted your real photo, then just submit a fake picture at random intervals for perpetuity.

An alternate variation on this is flooding them with fake people and fake names to make their real database worth less.

Surely that's not going to work. You'd create many fake people linked to your name, but your own face will still be one. You'd have to create enough "face hashes" to DDoS a recognition computer .. seems unlikely.
Well, maybe it should be the other way round. You should link many faces of yourself to the people that legally exist but have no social media presence but are registered and exist. You can find those kinds of people in countries like Germany
generally, they're also going to have your connection/friend data as well. You might submit 300 "ALittleLight" name/face combos, but only one ALittleLight will be connected to a similar group of people you know who know each other to some degree.
yeah thats a real concern. not only do you have to worry about your own security but that of your friends and family.
Out of curiosity, how different were the three pictures in their prediction?
Two wrongs don't make a right. Your point may be valid that Snapchat deserves the same or even more criticism, but then perhaps the fact that they don't is the real problem.
More importantly we have legislation and public support that has been pushing companies like Snapchat to change. Such as they say they delete photos now. As an American I think I have some influence in Europe, but at minimum I think Europe has similar values to me. With their democratic processes I believe things can change and will, same with America. Look how GDPR changed things.

Conversely in Russia and China they are authoritarian and the cultures don't tend to speak out as much about these things. Hence where they are at. FaceApp might just use my data for advertising, but I don't know that. It's harder to find out post hoc. There is no legal means for me to ensure things are done properly. There is no way for me to push for data to be used in better ways. There is no accountability.

And that's the big difference. Accountability.

Snapchat already had their "end of the world" moment when they were brand new around underage sexting.

It's just what happens when you're a new hot social app.

>except that FaceApp is a Russian company?

Well, I mean, nothing. Except that FaceApp is a Russian company.

What was different about Huawei? Except that it was a Chinese company.

And here's the thing, I don't even necessarily disagree with the worry around these foreign companies. They are outside of our jurisdiction and these countries have been known to use companies on the behalf of their governments to perform intelligence/psy-op activities.

Why is this different than the US? It's not. But it's like nuclear weapons, yeah? We are the only ones who can be trusted with them. Therein lies the rub, as they say.

Either you buy into post WWI America runs the world and our military prevented an apocalypse and got every American a car and garage by rigging the world markets and protecting the world with our Navy and every country has to go through us to technologically advance, or you are un-American? Tongue and cheek here, but this is seriously the proposition.

This is the exact decision that was made and accelerated by our military during wartime. This is our playbook.

The Cold War never ended
Yes, it did.

What's happening now is going on under a different set of paradigms. If you approach today's geopolitics or military considerations with a cold war mindset you will miss things out. Globalization has happened and that changes a lot of things.

"Globalization has happened and that changes a lot of things."

This is exactly what they said before WWI.

> Why is this different than the US? It's not. But it's like nuclear weapons, yeah? We are the only ones who can be trusted with them. Therein lies the rub, as they say.

Yeah, well, no, stop. Facebook and social networks are regularly taking punches in the face and the US never prevented vkontact, mastodon or other clone to develop. There isn't a moratorium on social networks and public agreement to "limit the scope of our arsenal".

My only point is that we are not perfect. Can I point to the number of private/government partnerships that cross ethical lines?

Mercenary groups (ie blackwater), Palantir, for-profit prisons, Tech companies complying with federal warrants, so-on. I will give you that it's not 1:1, and I think that's a fair counterpoint to people who don't trust the US.

> My only point is that we are not perfect. Can I point to the number of private/government partnerships that cross ethical lines?

That's whataboutism.

> What was different about Huawei? Except that it was a Chinese company.

Well that and they blatantly steal from other companies, disregard copyrights and patents, and have the backing of the Chinese government protecting them from any real repercussions.

They don’t even try to hide it with their product naming. Take the “MateBook X Pro” for example - https://consumer.huawei.com/en/laptops/matebook-x-pro/

> "But it's like nuclear weapons, yeah? We are the only ones who can be trusted with them."

i assume this is part of the tongue-in-cheek, as ours is the only country to use nuclear bombs in war, so history is against trusting "our side" (generally don't like dichotomizing, but doing so here for expediency). with that said, our political institutions have so far been resiliant enough to resist the "mad man with red button" scenario, even with some poor choices of chief executives.

in any case, i generally agree that none of these companies really deserves our trust, regardless of political or geographic affiliation. like tv/internet providers or mobile telecom, vigilance is warranted as they should be considered hostile actors (in that they don't share your interests, not literally violence).

> This is the exact decision that was made and accelerated by our military during wartime. This is our playbook.

I think journalists publish these articles not because they're (consciously) following the playbook, but because it's what sells.

Maybe people want to read stories about Russian "enemies" more than they want to see stories about American "enemies".

Or maybe journalists have the best intentions and they know the privacy battle is lost against Facebook, Instagram, Amazon. but it's not yet lost against the Russians etc.

> But it's like nuclear weapons, yeah? We are the only ones who can be trusted with them.

Like bombing Japan with nuclear weapons and murdering thousands of people?

Turns out that as long as the all powerful companies spying on you are located in California then it's totally fine.
Then why have US tech companies like Facebook taken so much flack in the past year for privacy issues? The fact that that has been the case, contradicts your underlying point. Further, on a personal level it likely depends on where you're located.

As an American, it matters to me whether the company doing the spying is located in California or Russia. If you're Russian, you might particularly care if the company in question is in California instead of Russia.

Russia is a hyper regressive, anti liberal, anti democratic, low human rights, dictatorship. My interests are particularly not served by allowing companies from Russia to spy on me.

> Then why have US tech companies like Facebook taken so much flack in the past year for privacy issues?

Because they've also mishandled the private data of Americans. Similarly to the NSA stuff, Americans appear to be fine with it if it is done on their behalf to the rest of the world, but are outraged when they experience it. If FB operated differently in the US, I'm sure the US press would be much more sympathetic with regards to their shenanigans in Europe.

Because they got caught up in this last Red Scare. No outrage after Snowden leaks, no outrage for Google. It has nothing to do with privacy. It has to do with Russia.

But anyway, Russia can't hurt me as much as the US can, so I take the opposite stance from you. I'm much more wary of my own government spying on me, since they can hurt me a lot more easily than some country on the other side of the Earth.

> Russia is a hyper regressive, anti liberal, anti democratic, low human rights, dictatorship. My interests are particularly not served by allowing companies from Russia to spy on me.

Russia is also on the other side of the globe, has a GDP that is less than Italy (despite having way more people and land), and is, essentially, irrelevant outside of online trolling and Agi-Prop.

Meanwhile the person who is going to kick down my door is a US citizen, as is the person who is going to vote to take away my healthcare.

if Russia is so irrelevant, what's with all this hysteria about Trump colluding with Russians?
Because if the centrists in the Democratic party divert to Russian collusion, they don't have to take the long hard look in the mirror wrt to why they lost in 2016.
Coming from a person that did not take issue with the “Russia aspect” - The only part that sticks out to me is when the article implied you have to give it access to all of your photos.

In my brief usage of other social media apps like Snapchat, Instagram, and Facebook. Each photo you decide to share is opt-in.

The article also mentioned they run a job to continuously check in. Not sure if that’s to capture current GPS info, or to continually grab new photos. That seems a bit overzealous for what the app reportedly does. (editing pictures of your face)

"Each photo you decide to share is opt-in" - I don't think that is really how permissions work on either Android or iOS. Once you have given the app permissions to access your photos, they can do so - with or without the user explicitly choosing which ones (please, someone correct me if I am wrong on this). So Snapchat/Instagram/Facebook might actually be doing stuff with your photos "behind the scenes", and you wouldn't necessarily know it (assuming you granted the "Photos" permission in the first place).
also, you don't have to give it access to your photos... it works perfectly fine with just camera access
>How is FaceApp different than all other apps and social networks that are storing all your photos with location and tags to your friends except that FaceApp is a Russian company?

This is a pretty nonsense statement to make.

Maybe the fact they are Russian.

> Maybe the fact they are Russian.

Xenophobic much?

Why is it a non sense statement, and why does it matter that they are Russian, when US companies are already known to do the same?
Russia is uniquely evil.

Clapper told me it's in their DNA.

it's 13 August 1961, you are in Berlin, and they are starting to build the wall. Where would you rather be, in the West, or in the East? This is why it matters that they are Russian
But it's not 1961 anymore. The East and the West have very closely converged in terms of privacy violations.
> How is FaceApp different than all other apps and social networks that are storing all your photos with location and tags to your friends

Do the other social networks give themselves permission to display your photo anywhere they want? Or only via the channels you specifically request (i.e. to your friends)?

That seems like a huge difference to me.

The issue is with the terms:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”

Social media networks like Facebook and Snapchat aren't like this.

> Social media networks like Facebook and Snapchat aren't like this.

Correct. They're not that terse with their terms. You'd have to read so. many. paragraphs. to figure out they're doing the same thing.

But they are, Facebook has exactly the same rights to use any photo you upload royalty free or to share it with the 3rd parties as they find suitable... perhaps the legal wording is a bit different, but the rights are the same...
Instagram's terms of use have essentially the same clause:

> We do not claim ownership of your content that you post on or through the Service. Instead, when you share, post, or upload content that is covered by intellectual property rights (like photos or videos) on or in connection with our Service, you hereby grant to us a non-exclusive, royalty-free, transferable, sub-licensable, worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content (consistent with your privacy and application settings).[1]

[1]: https://help.instagram.com/581066165581870

I denied FaceApp access to my photo library and all apps are denied access to “Background refresh”. I didn’t post pictures directly to any social media. So exactly what does FaceApp have access to besides a few selfies? I was more interested in seeing how good the machine learning was than anything else. It was pretty good, it recognized different angles, it didn’t try to put glasses on my face when I was already wearing glasses and didn’t try to add a beard when it saw I had one.
I’m imagining a wave of fake accounts using people’s names and faces happening, maybe even fraudulent blog posts come next election with legal indemnity. They own the name and face after all, no? Same as putting you in a billboard
We keep harping on about privacy, and then shit like this happens.

There are two possible conclusions to draw.

One is that the general public actually doesn’t care about privacy at all. It’s a niche concern.

The other is that the general public cares but is completely and utterly clueless about how to defend themselves, to the point that an app can literally say “give us your name and face and we can do whatever we want with it in perpetuity throughout the universe” and people will happily oblige.

I don’t know which one is correct but neither one is great.

Consider the stupidity of the average human.

Then consider that half of the population is stupider than that

Option 3: No one read the terms of services, and 99% of the app users are not even aware of that, didn't even give it a passing thought.
This. Caught me by surprise but in retrospect, of course an app is going to slip this in.
That falls under the second option. Being capable of defending your privacy means understanding that you shouldn’t willingly give your personal info to random apps.
They didn't 'willingly' give anything.

Like any app, you launch it and you accept the EULA. Then it asks you for permission to use your camera and for your contacts: it makes sense you want to take selfies and share them.

That's it, now all your data belong to them. There is no functional difference between an app that will siphon all your private data and an app that won't.

for the vast majority of users, at no point did they stop and ponder whether they were ok giving up their 'face' for a filter app.

The only way to know would be to read the terms, and even then if you are not a lawyer you won't see the traps (e.g. understanding that "User Content" actually refers to your face).

Assuming that the app is available in the EU, I wonder how this squares with the GDPR.
This still lines up exactly with what I’m saying. Defending your privacy means you need to stop and ponder these things. People don’t know that they need to do this.

You don’t need to read the terms. You “just” need to assume nefarious intent unless demonstrated otherwise.

People have reasonable expectations of privacy.

They expect their phone calls not to be recorded. They expect that their emails are treated with the same inviolability as their letters were. They expect their letters to be as they were before the advent of technologies that governments are now using to mass record the contents of letters without opening them, of which technologies and practices they have no knowledge.

All of these expectations, and many more, are now ritually violated in the most outrageous manner.

It isn’t the responsibility of the individual to combat every violation of his person. Not only is it an unreasonable expectation for society’s “default setting” to be the casual violation of its citizens, but it’s also literally impossible for even the richest, smartest, and most diligent among us to avoid getting screwed... in some way... when there are so, so, SO many ways to get screwed.

Because, in 2019, if your highest priority is NOT getting screwed, you might literally have to live alone in a cabin in the mountains.

Which is why you can take your atomic-individual libertarian “oh you “just” need to somehow avoid every omnipresent feature of contemporary life” and take a fucking hike.

I demand the right to walk to the grocery, buy a sandwich, walk to the park, eat the sandwich, and walk home, without having my minute-by-minute location invisibly and undetectably recorded and sent to ANY corp/gov, my purchase recorded and sent to ANY corp/gov, my face/gait/person scanned and analyzed by ANY corp/gov, etc. and so forth.

And I should have to take no special action for any of this, because this is the default setting.

Are terms of service somewhat consistent in their language? And if that's the case, couldn't someone build something that scans Terms across products and summarize what exactly it is you are giving up by accepting the Terms?
It sounds like you got a product idea.

I know my uncle Doug would pay for it.

Option 4: what can you do with my face and name? That's just like you taking a picture of me in public.

I know plenty of people that think this way.

I think the problem is these systems are much more complex than the people realize. Technically minded people like those of us here understand the implications but they might not. That or they have too much trust in an increasingly untrustworthy world. It's just naivety really.
Even if they did read it, there's no legal recourse for a state sponsored company that decides to write a good looking ToS and then just ignore it completely.

Or, it's not hard to imagine this even bring a completely legit company. I'm sure it's easy enough now for the Russian government to find something wrong they did and demand to see all the data they collected.

And finally, even if it's a legit company and they somehow have enough legal protection in Russia to about sharing data with the government, they're probably not the hardest security target in the world for any rogue operator to steal their data.

Bottom line, don't put all your trust in a ToS.

Is there evidence they are actually state sponsored?
There should be a rule that if a ToS is longer than 200 words then it requires a bullet point summary list at the top.
The trouble is, what happens when the summary is inaccurate or incomplete? If the summary takes precedence in that case, then the full ToS is meaningless and can be omitted, so you could simplify this to a rule requiring ToSs to be under 200 words. If the ToS takes precedence then the summary is meaningless.
Instead of summarizing the terms, it could be like nutrition facts warnings. Cross certain lines in the actual terms and you're required to put "See full terms for what your personal data can be used for" or something. If the terms cross lines without putting the warnings, they can't be enforced.

It would have to be not overly restrictive limits, or you'd end up with a prop-65-like scenario.

Or hell, just make a standardized "Privacy Facts" panel.

> the general public actually doesn’t care about privacy at all

It's not that people don't care; privacy is probably undervalued in the context of making privacy vs. convenience/utility decisions. (Digital) privacy's value isn't really tangible until it's actively used against you.

It’s somewhere in the middle. The cultural shift is happening though. And once the market is ready, they’ll need tools. Right now it’s simply too complicated to not only understand what an application can do with your data, but then taking actions on that data (right to be forgotten, etc.) in the future. If you’re at all interested in this space feel free to email me. I’m working on something that isn’t quite ready to discuss publicly yet.
It's because there's not been a lot of scary things happening yet. Or if they have, it's been on individuals - like someone seeing themselves on a billboard or advert. But because the datasets are so massive, people are reduced to statistics which is a lot less scary.

Of course, if you look at history that can change overnight. Or actually it won't, it's more likely a "boiling frog" kinda thing where nobody's aware of anything bad happening until it's too late.

The psyops conducted by Cambridge Analytica and similar organizations in the US, England, and around the world is pretty scary
No need to pay someone for their likeness when you can generate the average face of your targeted market
> someone seeing themselves on a billboard or advert

I just pictured 4chan hacking into a photo database and putting people's faces on a bunch of billboards.

Surely if this happened to more people, the public would become more privacy-conscious, no?

Or option 3. They care about privacy but only when terrible thing X happens.

They post their name and picture to Instagram 12 times a day. Most people have public profiles so there is no new risk. Of course by the time every street corner has facial recognition running "for our safety", it will be too late.

Even as someone who knows the risks, this doesn't scare me as much as DNA testing. Even worse is that if any of my relatives do it, I'm just as screwed. There is also the "let's all install hackable video cameras on our front doors" problem. Clever fear mongering to prevent a random package being stolen that is already insured and will be resent automatically. Instead we paid to create our own surveillance state.

The general public doesn't have the knowledge or even imagination to understand that sharing your information with nameless/faceless organizations may have downsides re: privacy. The others have been brainwashed well enough to believe that only criminals need privacy, so they don't care. By now using the "I have nothing to hide" example is cliche but it's literally the response I _always_ get when I bring up privacy concerns. Takes me about 12 seconds to prove to them how wrong they are.
What argument do you use to prove them wrong?
I usually say something to the tune of "everyone has something to hide, that's why we put clothes on; that's why we don't go around broadcasting our medical test results; that's why we don't reveal our salaries and benefits to our colleagues (or anyone); that's why we don't give our address to anyone that asks for it. It doesn't mean we've done something bad or we're criminals, it just means we're human. But if you have a gmail account, you've probably given one of the world's largest corporation all this knowledge."

Usually the medical test thing is enough to shut them up.

Anyway there are many such example arguments around the internet, just DuckDuckGo "nothing to hide". There's even a Wikipedia article about it [1].

Edit: Oh, I often give Uber's deleted posts about how they know their users had one-night stands as an example too. See [2] and [3] for one of the deleted posts.

[1] https://en.wikipedia.org/wiki/Nothing_to_hide_argument [2] https://money.cnn.com/2014/11/25/technology/uber-prostitutes... [3] https://web.archive.org/web/20140827195715/http://blog.uber....

(comment deleted)
Your links are truncated.
Oops, my bad, fixed.
Neither of the links to deleted blog posts appear to be working
These arguments are exactly why most people I meet say they don't care how much info they give to random apps. They assume since Google has all the info already anyway, why should they care if one more nameless faceless corp gets it? Plus companies have had all this personal data for a long time now and nothing bad has happened.

The only argument I've had even a little success with is "it makes it easier for identity thieves to get and use your CC / bank info". That usually get a pause before "oh well my bank has fraud protection".

I feel it's very easy to counter this argument too. A person can choose to trust specific persons/organizations/governments with their personal information. For example they'll share secrets with some friends but not with all of them. But from there to go to "oh well I've given it to one <insert entity here> I might as well just give it to all of them" is very naive and I would even say defeatist.
Defeatist in what sense though? No one I've spoken to feels "defeated" by paying for social media with their data. Most people have experienced exactly zero negative consequences for giving out all their personal info in exchange for access to social media or whatever app is currently popular. So why bother fighting every app for control of info that's already out there and has caused no harm in the past?
I definitely agree with this, although even for the "zero negative consequences" argument I usually counter with "one of your friends loaded all their contacts into some app that shows them who's calling them, and now you're bombarded with text messages offering you black market loans, tons of marketing calls, etc." (which is actually true in Israel).

Anyway, I was going with "defeatist" mostly because it reminded me of an attitude I personally sometimes display when it comes to being overweight: "I already ate above my maintenance window today, I might as well just eat everything in the pantry and fridge and order some family-size pizzas". So, "I've already failed once, might as well keep failing."

The average person does not understand the implications of their actions vis-à-vis IT companies and their personal information.

Moreover, their actions do not affect only themselves, but also all of the people with whom they regularly interact, regardless of whether or not those people themselves have “chosen” to “opt in”.

There is only one solution to this problem, and it is political in nature.

Side note, but sharing salaries with colleagues is actually a good idea, due to the unfairness that can arise from salaries being kept secret.

Example article: https://www.nytimes.com/2018/08/31/smarter-living/pay-secrec...

Interesting article and interesting opinion. I particularly like this quote: "Employers can get away with paying workers less when those workers don’t talk about money." I find it to be very true.
(comment deleted)
The general public may have the knowledge and imagination - they just don't give a shit. Life is complicated enough to be worried about someone being able to match my face to my name. As if this weren't possible today with social media. Who knows?

Am I really going to change whatever is going on in my day because maybe, someday, some evil corporations will match my likes on twitter to my real-life preferences?

I'm aware of all that can be done with the data. I program for a living and have an 'internet' business. It's just that the claims made here in HN make it sound as if everyone is retarded for giving away their 'privacy'.

We are asking the general population to give up tangible benefits for hypothetical downsides. It's just not convincing enough for people to change their habits. Get in their shoes. HNers mostly can't because we cannot imagine what it's like to see technical details as a burden. Most people don't have the knowledge to make safeguarding their privacy 'a breeze' (multiple identities/passwords/oss/avoiding gmail/etc).

In fairness, when you use an app like this, why would you (as the avg user) ever think they would be doing something nefarious with it? Especially digital products where the "magic" happens out of sight in the bg.

People DO want privacy and I bet there will be lawsuits about this.

I'd say it's a lot more like an addict that, while smoking a cigarette, says things like "yea I know these things are killing me".

No harm, no foul until the signs are visible, and it's probably too late.

The general public doesn't understand. They're not steeped in it like we are. And we're failing to simplify the discussion to the level in which they will understand. Until then, they'll use apps like this.

I think the devs of this app need a slap on the wrist for being party to this nonsense as well.

It’s both but the second one scares me more than the first as nothing stops one of your friends from giving access to a trove of photos and information about you. It could be as easy as granting access to your camera roll (oh there’s tags! We’ll take those too!) or just holding up your photo to the camera.
How soon the public forgets about Equifax data breaches, but goes into a panic when they opt-in for face filters.
People got very upset about Equifax, it’s just that there’s approximately nothing we can do about them. Our choice is for Equifax to have all our info, or refrain from partitipating in the modern financial system.
I think we're not giving the general public enough credit. These discussions always seem to come down to "no one cares about privacy" or "they care but they're idiots." I think many people care about privacy and generally understand the issues, but are making conscious trade-offs that make sense for them.

For the vast majority of people—who are boring, non-activist, law-abiding citizens—the value they assign to privacy of things like name/face/products they're interested in is nonzero, but very low. They know their name/face, along with far more sensitive information, is already in a lot of databases that matter more than anything some random app developer can do, and they get some greater value from the marginal privacy impact of that same information ending up in one more place.

There's a good bit of research to support this. For example, there is a study showing you'd have to pay someone on average $1,000+ [1] to give up their Facebook account for year, suggesting that's the value they assign to the service. At the same time, if you ask them how much they'd be willing to pay for an ads-free, more privacy conscious version of Facebook, studies show only a small fraction would pay even $15/month [2]. In other words, people are making a conscious assessment that their privacy is less valuable than the services they can get by giving it up.

We make these kind of trade-offs and decisions every day. It's much the same reason people can be both deeply concerned about child labor in the Global South, but still make the decision to buy the cheaper version of a product rather than the one they know is ethically sourced, even if they could afford the latter. These decisions certainly have societal impacts that are worth contemplating and being concerned about, but it's wrong and infantilizing to simply dismiss people's conscious and rational (for them) choices.

[1] https://journals.plos.org/plosone/article?id=10.1371/journal... [2] https://www.vox.com/2018/4/11/17225328/facebook-ads-free-pai...

What is the difference between “people don’t care about privacy” and “people value Facebook highly, wouldn’t pay much of anything for an ad-free, privacy conscious version of Facebook, and are making a conscious assessment that their privacy is less valuable than the service,” other than the additional detail?

It seems to me that you’re complaining about infantilizing people’s choices while simultaneously telling us that, yes, people indeed don’t care about privacy very much.

The difference between "I don't care at all" and "I'm making a trade-off" is that in the former case no one is giving up something for nothing.

There is no such thing as an "ad-free, privacy conscious" version of Facebook. If Facebook offered such a product, we'd have a rough idea about what privacy is worth to people in terms of money. All the Facebook "alternatives" are not Facebook.

Bit if A, bit of B.

People don't care that much, but also don't realise the implications that would make them care marginally more in some instances.

Google already have millions of face tags from Picasa, etc.; Facebook has had image tagging for ages; ... governments already have all that data from passports and driving licensee and ID cards ... so why not give it up again. It's a drop in the ocean situation.

Russia having my face data is likely to make much less difference to me than someone in UK having it, which might also make people not care. [But of course they can sell the data on.]

The general public didn't know that the application was saying "give us your name and face and we can do whatever we want with it..." They had no idea that this was even a thing.

I would bet hard earned money that the average person installed this application because a friend told them and they were curious. This bit about what happens to their image and what data does the app save locally verses pushing out to the network, etc. is something that never even crossed their mind. If there was a window with legalese they ignored it as they have been trained to do (by Microsoft, Apple and every other commercial software product they ever purchased). Certainly they didn't go clicking around and looking for it.

>> The general public didn't know that the application was saying "give us your name and face and we can do whatever we want with it..." They had no idea that this was even a thing.

Because EULAs and "terms of service" and "privacy policy" are all bullshit that nobody reads and should not have legally binding consequences or obligations. Peope have come to treat those things like a simple OK button but the law says otherwise. This company could produce deep-fakes with users heads on them and claim it's OK by their ToS and they might be right.

I don’t think the general public cares in the same way people on this forum do.

But, I do think they would care if their photos ended up on a billboard or used in marketing material without their explicit permission.

Most understand that the company needs some kind of access to photos for the app to actually do anything, but there is a limit.

I think as with most things it's a little of both. HN as a whole is concerned about a lot of privacy stuff that just doesn't bother everyone. Also privacy is hard, even if you buy things in cash companies can still track you if they want, they use cookies and fingerprinting techniques that even most people in tech don't really understand. It's not really possible to counteract tracking if large companies and governments make an effort for it.
> One is that the general public actually doesn’t care about privacy at all. It’s a niche concern.

There is an established term for this innate human trait: "dancing pigs".

> In computer security, the "dancing pigs" is a term or problem that describes computer users' attitudes to computer security. It states that users will continue to pick an amusing graphic even if they receive a warning from security software that it is potentially dangerous. In other words, users choose their primary desire features without considering the security.

https://en.wikipedia.org/wiki/Dancing_pigs

In aggregate, people's desire to be noticed is vastly larger than their desire for privacy.

The latest case -- going beyond anything I can parody -- is this first-person NYTimes tell-all about a married couple being overheard in the midst of a sexual morning.

https://www.nytimes.com/2019/07/12/well/family/when-our-daug...

Why bother sounding alarms about Alexa, Google Voice, etc. perhaps listening to our bedroom conversations? There's a slice of the public that will go to a lot of trouble (write article, etc.) to make sure that such moments become public.

Another: The general public cares about privacy but not more than they care about the perception of belonging and being a part of any sensation that has to do with social media.
People probably don't even realize that stuff moves to a server at all. People may think this is all happening and contained within their local app and therefore private and in their control. They probably also assume snapchats go from their phone to the recipient directly and aren't held anywhere in between.

This is I think the most scary possibility. If you think faceapp is processing this in the app with your phone's hardware, learning that they save all pictures sounds like a vast conspiracy and not so believable.

However, if you understand the technology and that most things online are not processed client side, the privacy implications are suddenly obvious because of course the company will keep that data that passes through their hardware. No shareholder will let money be left on the table so all data you put online should be assumed to be kept for later profit.

People have to be better educated on how the software they use every day actually works, at least in broad strokes. This can come in a high school media/technology literacy class or something.

Until that day comes, we have two classes of people: those who understand how the tech they use works and makes a company money, and those who will be forever manipulated by the first group so long as they have a dollar or a right to vote. It's a hard problem to overcome when so many technology companies are entirely dependent on profit from people's continued ignorance and tech illiteracy.

I care about privacy, but the state already knows my face, my fingerprint, etc. A private institution is, by definition, less hostile than the state of my country, so it's kind of pointless to try to hide my face.
Facebook owns access to your face, body, name, friends, family, trips, events, conversations, location, groups, interests, political orientation, estimated IQ, payments, workplace, other sites you visit, etc...

Yet, Forbes & others talk about FaceApp.

> Yet, Forbes chooses to talk about FaceApp.

https://www.forbes.com/search/?q=facebook

Obviously meant that there are many other elephants in the room and but they decided to promote an alarming article about this new app that records your photos!!! Is it so difficult for You to understand?
You want every article they put out to be about all the elephants at once? Because they've already put out articles about all the other elephants and continue to do so. This one just joined the zoo is all.
What is so alarming about another App doing the same? Why are major newspapers writing these overblown articles at the same time?
(comment deleted)
Is "what your face looks like" private information? You publicly display your face everywhere you go all the time. It's not really practical to hide it. Likewise your name you pretty much freely give out to anyone who asks. Is that private information?

So Faceapp knows "There's a person with this name who looks like this". Was that supposed to be a secret?

I'm concerned about privacy too, but it seems like some people just want to hide under a rock for their entire lives. I don't know how anyone manages to leave the house if having people see your face and know your name is a serious concern.

>Is "what your face looks like" private information?

I think it's the linkage of the name and the face. Either of those things alone don't seem like private information, but together, I would argue they are private. I can't provide a good reason as to why I think that yet though.

They publicly said that less than 1% of the users created an account and tied it to a name. Granted thats still hundreds of thousands but it nothing crazy.
Would a face be considered private in countries/cultures where women cover their face most of the time, or particularly in public? This is an honest question, I really do not know what I think.
Faceapp knows what 150M faces look like. That concentration of information is valuable. Google built a fortune by taking freely available information and organizing it for easy access. In the case of faceapp there are many nefarious actors who could serve as clients.
I'd also add that facial recognition is also becoming more common as a way to authenticate into systems. This might be a naive analogy, but, this feels like thousands of people providing a company with their name and their phone's lock screen combination.
> providing a company with their name and their phone's lock screen combination

In consumer devices the face data is stored only on-device, so any privacy concerns are defended by "it's not sending your face to the cloud" and/or "don't use it if you don't trust it"

But if they have your face from another source and it's good enough to authenticate, that doesn't matter. Your face is a good strong password, but what good is that if it leaks? You can't reset your face like a password, after all.

At least with fingerprints you have 9 extra passwords you can use if your index finger print leaks (I bet my prints are already out there just from getting pre employment background checks from workplaces with hulking old school IT bureaucracies and a workforce pounded daily by phishing attempts).

I think you've put that very well.

All I'm wondering is how this would play out in a dystopian future where I'm recognised by everyone wherever I go.

And in some cases they might even have additional information maybe in a probabilistic fashion. Like what kind of clothes I prefer or the kinds of food I like. And that would be the good version.

The worse scenario would be that some malicious actor puts all this together to play on others' fears.

The worst case, of course, being big brother!

FaceApp doesn’t know your name. How would it?
Every one I know is already using either Facebook Messenger (which has the same face scanning features) and/or Snapchat (which also has this feature).

This is not new.

I've been using FaceApp since its release.

There are a lot of other similar apps that I've used in the past. Especially makeup simulator apps. BeautyPlus, YouCal, InstaBeauty, BeautyCam, Facetune, Photo Plastic, Visage Lab, etc.

I think FaceApp in particular strikes a chord in the United States because it's owned by a Russian Company. Name + faces (and therefore age and gender and race) + Location is the kind of data that enabled a lot of granular facebook ad targeting in 2016.
As someone who is not an American citizen and does not live in the United-States, I get the same fears and issues from companies based in the US. I distrust the American and Russian governments and companies equally.
As a Mexican, I honestly distrust Trump more than Putin.
and that is a serious mistake, I believe
> I think FaceApp in particular strikes a chord in the United States because it's owned by a Russian Company.

So, it's purely Xenophobia then.

Hmm, perhaps - though I feel the distrust progressives in the US feel toward Russia is warranted given their (well investigated) efforts to meddle in US politics, etc. I think xenophobia is more of an /unwarranted/ fear + hatred.

It is unfortunate that this fear extends to private Russian businesses, but it's difficult to discern how separate entities really are in tightly managed countries.

I totally agree this is getting into some cold-war-era territory though... US vs. Huawei has a similar vibe.

Except they don't have names. Just a photo. And maybe an IP address.

Photos that could also easily be scraped from Facebook, LinkedIn, Twitter, Instagram etc.

I fully disagree. FaceApp value is that it does its job significantly better than the US competition. Users have the "old" filter on Snapchat and Facebook for years at this point, but FaceApp really has taken it to the next level. Their overnight success is not surprising. I'd tell you to try it for yourself, but I understand the hesitation.
As I said, I've been using it since its release. It's not any significantly better than it was back then.

Snapchat's are also very similar in quality. Before this whole craze about the old filter, people trended on the gender change filter. That one was on Snapchat and quickly became a meme. It was even more amazing since it was a video filter, so you could move around and stay as your opposite gender.

TL; DR

Russian company has the ability to identify the person.

My guess: Probably using already existing KGB software in the backend.

>To make FaceApp actually work, you have to give it permissions to access your photos - ALL of them. But it also gains access to Siri and Search .... Oh, and it has access to refreshing in the background - so even when you are not using it, it is using you.

This is false, you can just take a pic and never give it access to your gallery. If the authors are lying about something so trivial, what else do journalists lie about? That's why I don't trust them.

Is this true for both iOS and Android? It probably needs access to media to store images, and once you grant it that level of access, it can read media as well.
I speak for Android. It asked me for camera access, but if I want to "oldify" my gallery pics, it asks for a different set of permissions (which I deny).
It works on iOS without access to your photos. Parent is right.
When Fascism comes to America, it will be using the tears laughter emoji.
(comment deleted)
Interestingly, "look at all the photos on this device" is a permission that people may be uncomfortable granting to their closest friend. And yet, people will grant it to a complete stranger of a conscience-less corporation with nary a qualm.
Apple/Google need to start surfacing information regarding an apps privacy policy. If there is this large of a discrepancy between an app's functionality and it's privacy policy - why should it even be allowed?
I wonder if a neural network could be trained to recognise people who "look honest" or who "look like they'll repay their loans" (aka, profitable credit scoring data).
>I wonder if a neural network could be trained to recognise people... who "look like they'll repay their loans"

And that is how you get bigoted algorithms. This will just select for older white men due to various socioeconomic reasons.

Can someone explain how a company can claim the uploader gave them a license to an image when they do nothing to check if the person uploading the image had ownership in the first place? I have seen plenty of examples of people using the FaceApp on famous people with some image that the uploader clearly doesn't own.

Furthermore, don't people have rights over their likeness that overruled certain rights the copyright holder has over the image? For example, I would own the copyright if I met some celebrity on the street and took their photo. That doesn't mean I can freely use that image in my advertising.

"You have zero privacy anyway. Get over it." -- Scott McNealy 1999
Solid is a MIT project aiming to improve privacy and data ownership, founded with Prof. Tim Berners-Lee, inventor of the World Wide Web. Perhaps this kind of initiatives and blockchain will remind people what valuable data they are sharing.

Information Economy should directly incentivize those who share their identity, I couldnt imagine some stanger in the street asking me for all this information, and me giving it without a doubt. It is scary but it's normalized.

Some commentors point out that though they never put their faces into the app, their family and friends did upload their faces without consent. Literally nothing is stopping anyone from just fishing through public DBs and uploading just about anything into the app.

There are issues of consent, of what is 'personal' data, of who 'owns' that data, of public vs. private, etc.

We've all been on this ride for a while now and it's not getting any more clear. If anything, it's getting more and more murky. Deepfakes are now able to be done on a laptop, essentially. EULAs are basically ghosts, the public cannot understand/see them but is terrorized by them at random. Privacy is meaningless despite it's proven requirement for proper adolescent/human development.

I think we're in a time now where we need a new idea and a new way of doing things and thinking about our world, where a paradigm shift is required.

Our ideas of personal data, of public data, of private data, of consent, and of ownership are no long going to work. The ethics aside, the old ways of doing things are not workable anymore.

What does a flawed, yet workable, solution look like?

Can't you just scrap LinkedIn or something and have your own name to face db?
Sure can, doesn't make this app any less of an issue though.
This type of app should run on local hardware only. Apple and Google could enforce that.