The short answer…probably.
I don’t want to get too “tin foil hat” on you, but in the interest of discussing privacy and the interpretation of mobile app terms of service, I would be remiss if I failed to look at currently buzzworthy FaceApp. And yes, even a cursory look gives plenty of ammunition to the privacy alarmist interpretations.
The FaceApp artificial intelligence age-progression app is all the rage right now. If there’s a second most popular trending topic on social media at the moment, it’s probably some form of the question, “Is FaceApp just a way for some (Russian) agency to collect millions of people’s images for shadowy uses?”
We cannot know for certain the uses that the FaceApp developer will make of the information it collects since we do not have first-hand knowledge of the internal operations of the company. In order to formulate some theories and opinions, however, we can review the app’s Terms of Use and the Privacy Policy to which the Terms refer.
The Terms clearly state that the app is developed by Russian company Wireless Lab OOO, of Saint-Petersburg. A search of the associated phone number shows that there is a related FaceApp, Inc. registered in Delaware. But we should assume this is a company operating primarily out of Russia.
FaceApp Terms of Use:
The Terms of Use provide far-reaching rights to Wireless Lab in the use of the photos you provide to, and create with, the app. The Terms also permit access to significant technical data that the app may collect or even store on your device.
The license a user grants to FaceApp includes largely standard wording:
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.
However, it is worthy to note that the user, by agreeing to this language, also permits FaceApp is to make “derivative works” from your photos, which could include any media, such as video or creative images. By use of the app, you have granted FaceApp the right – forever – to display those derivative works publicly, including the right to do so with your name shown. At the very least this cedes a certain amount of the user’s privacy/publicity rights to the app maker. An imaginative person could come up with numerous more troubling scenarios that may be comprised in these rights, such as the right to place the images of the user in locations or situations that may not be desirable to the user.
And make no mistake that these permitted uses may expressly identify you. “You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity.”
The FaceApp Terms expressly refer the user to the FaceApp Privacy Policy for further information on FaceApp/Wireless Lab’s use of images and data.
Privacy Policy:
A potentially troubling right the user gives to FaceApp states:
When you use a mobile device like a tablet or phone to access our Service, we may access, collect, monitor, store on your device, and/or remotely store one or more “device identifiers.” Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identify your mobile device.
In plain English, that section says that FaceApp may place information on your phone that allows FaceApp’s systems to uniquely identify your device. The “device identifier” may also be combined with “data sent to the device by FaceApp.” The Privacy Policy does not disclose what this data may be comprised of.
Further still, the “device identifier” that FaceApp places on your device is permitted to send information from your device, not just to FaceApp itself, but also to FaceApp’s “third party partners.”
Speaking of third parties, the FaceApp Privacy Policy goes on to include the following:
We may share User Content and your information (including but not limited to, information from cookies, log files, device identifiers, location data, and usage data) with businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group. We also may share your information as well as information from tools like cookies, log files, and device identifiers and location data, with third-party organizations that help us provide the Service to you.
This means that FaceApp may be associated with other (here unnamed) companies, or can later merge, be acquired by, or form some other direct business relationship with other companies. In any of those scenarios, FaceApp can disclose your information, the data it has collected, etc. to those entities.
Similarly, FaceApp reserves the right to disclose your information in response to a legal request:
We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction.
The user should note that: 1) The scope of “legal request” is unlimited. This may be a subpoena in a civil court, a warrant in a criminal investigation or proceeding, or any other form of legal request; 2) The legal requests expressly may include requests in countries other than the U.S. This may mean that the U.S. user finds him- or herself in a situation where a request is made for information relating to that user and that the law of the jurisdiction of the request does not require any notice to the user, or permit the user to fight such disclosure. Further still, if we return to the popular social media theme of Russian governmental ties, this language facially seems to expressly permit FaceApp to hand over the user’s data (including images, name, device information, usage information, and whatever comes from the “device identifier”) to any person or entity – including the Russian government – without further requirement to notify the user.
I should reiterate that my analysis does not suggest that the above scenario is going to happen and does not opine on whether such happenings are reasonable or unreasonable, or fall into the land of tin foil hat conspiracy theories. It does, however, mean that my reading of the FaceApp Terms of Use and Privacy Policy lead me to believe that Wireless Lab/FaceApp have seemingly positioned themselves to claim the right to do any of the above and more.
Related Article:
