The latest viral sensation to come out of the Internet is undoubtedly FaceApp. Downloaded on a mobile device, FaceApp takes control of your camera, snaps a picture of you and then proceeds to age you… it is a sensation that I just cannot wrap my head around. I didn’t think we wanted to see ourselves old and wrinkly, but thanks to a few celebrities, we now need to know what we would look like 50 or 60 years from now. While it sounds fun and like any other viral app, SnapChat, etc… FaceApp has posed a privacy concern for everyone that uses it. While many security offices have begun warning employees of the privacy implications, it wasn’t before many – including a number of security clearance holders – had already used the app.
FaceApp is currently the #1 downloaded app in the Apple App Store and has been downloaded by some 150 million users around the globe. Of those 150 million users, how many have read the fine print terms of use? If you are a user, and have not read the terms of use, here they are in not so fine print:
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public. –FaceApp Terms of Use”
There are users who will think, “it’s just my face, what’s the big deal?” The problem with that thought process is it’s NOT just your face. It is more than just one piece of the puzzle.
Social Engineering at its Finest
The ability to log into websites, connect to WiFi and order items online has become so easy. The de facto process by which hackers are stealing personal data these days is through social engineering. Social engineering is a method of gathering personal data from a user while posing as a trusted source or through human interactions. When signing up for FaceApp, you give them access to your entire photo library. You can also take pictures within the app for immediate uploading. What does this have to do with social engineering?
Social engineering is all about gathering pieces of the overall puzzle. FaceApp gives the hacker your face, and likely your name since you have to download and launch the app on your personal mobile device. Other pieces of the puzzle come with accounts you sign up for to get free Starbucks on your birthday, or an entry to win that BMW at the mall. While one piece of the puzzle might not get anyone much by itself, when they start gathering multiple pieces of the puzzle it starts to get scary. With FaceApp’s terms of use indicating they can use your likeness essentially any way they wish, along with other pieces of your personal puzzle available online, you can see how a hacker could easily imitate you to meet their needs.
Situational Awareness and Infosec
This article is being posted on ClearanceJobs.com and is primarily aimed at individuals who are looking for or currently maintaining a government clearance. It is crucial, as a cleared individual, that we do not participate in any online activity that could be a threat to our standing with the US Government or jeopardize our clearance status. FaceApp’s parent company, Wireless Labs, is a Russian owned entity. The current state of affairs between our country and Russia being what they are, should be the first red flag when contemplating downloading FaceApp simply so you can make yourself look older and share it with your friends.
Situational awareness is key and the elements of Information Security (Infosec) should be taken into consideration. By definition, InfoSec is the practice of protecting information by mitigating information risks. Risk management plays a big role in InfoSec, and we all have a responsibility to mitigate any risks we can and avoiding them completely where possible. The more we can reduce the probability of unauthorized disclosure, corruption or modification of our private data, the better.
Unfortunately, the technology we live with and its demand for our private data is ever increasing. As a cybersecurity professional and member of the cleared government space for over 20 years, it is my opinion that we should do all we can to avoid utilizing apps such as FaceApp. The risk far outweighs the fleeting entertainment it may provide.
