FaceApp—the AI-powered photo-morphing app that recently gone viral for its age filter but hit the headlines for its controversial privacy policy—has been found collecting the list of your Facebook friends for no reason.
The Russian-made FaceApp has been around since the spring of 2017 but taken social media by storm over the course of the past few weeks as millions of people downloaded the app to see how they would look when they are older or younger, or swap genders.
The app also contains a feature that allows users to download and edit photos from their Facebook accounts, which only works when a user enables FaceApp to access the social media account via the 'Login with Facebook' option.
As you can see in the screenshot above, besides requesting for access to your basic profile information and photos, FaceApp also fetches the list of your Facebook friends "who also use and have shared their friends' lists with FaceApp."
Have you yet asked yourself why this app asks for permission it unlikely need to perform its intended function?
Indian security researcher Athul Jayaram recently contacted The Hacker News raising a huge red flag about the collection of users' Facebook friend list data that FaceApp currently doesn't use in any way to function itself or power any of its features.
We also tried to find if FaceApp in someway is using this data to "enhance the user experience," but we failed to find one that justifies the collection of this particular data.
Upon being contacted, FaceApp CEO Yaroslav Goncharov told The Hacker News that FaceApp had a feature called "Social Stylist," that was designed to let users invite their Facebook friends to vote for their best style.
Apparently, the feature has now been discontinued, but the app still collects your friend list when you choose to Login with Facebook.
It's a concerning issue considering the fact that the app has recently gone viral worldwide, crushing the App Store in 81 countries in just 6 days and climbing to number 1 spot from 1,370 on the top free apps chart in the US in only 5 days.
The Hacker News has also contacted Facebook, informing them about this FaceApp practice and asking them to comment on the matter.
No doubt, "Login with Facebook" service makes logging in and creating accounts for various third-party online services, apps and games easier, but most of the times developers request access to a lot of your data unnecessarily.
FaceApp works completely fine without even connecting your Facebook account with the photo-editing app when you choose to select photos from your device storage, but if you still want to use the app to download Facebook photos, you can do it without revealing your Friends List.
For those unaware, Facebook already has an option that allows users to edit and explicitly choose what permissions they want to grant an app from a list of requested permissions pre-defined by its developer.
While connecting your Facebook account with FaceApp or any other third-party service, Facebook displays a page with an edit button, allowing users to toggle OFF permissions they don't want third-party apps to access.
However, if you have already given FaceApp permission to access your Friend list or any other unnecessary permission, you can also edit it in your Facebook account settings under "Apps and Website" section.
It should be noted that just removing the app or restricting permissions would not erase your data from the FaceApp servers.
FaceApp CEO Goncharov suggests that users can request the company to delete all data from FaceApp's servers by using 'Settings→Support→Report a bug' with the word 'Privacy' in the subject line.
It is not the first time when FaceApp has been under scrutiny related to privacy issues.
Just after a week of going viral, privacy advocates and media raised concerns surrounding FaceApp's loosely-phrased privacy policy, which says that the use of the app grants the Russian-made app a "perpetual" license to your photos, allowing it to use your likeness, name, and username, for any purpose, without your consent, forever, even if you delete it.
Besides this, during the same time, another concern was raised that FaceApp wasn't just accessing users' submitted photos but also grabbing the entire camera roll from users' phones.
However, it was not the case, as French security researcher Baptiste Robert, who goes by Elliot Alderson on Twitter, refuted the speculation through his technical investigation, confirming that the app only uploads a photo selected by a user to its server for editing.
The Russian-made FaceApp has been around since the spring of 2017 but taken social media by storm over the course of the past few weeks as millions of people downloaded the app to see how they would look when they are older or younger, or swap genders.
The app also contains a feature that allows users to download and edit photos from their Facebook accounts, which only works when a user enables FaceApp to access the social media account via the 'Login with Facebook' option.
As you can see in the screenshot above, besides requesting for access to your basic profile information and photos, FaceApp also fetches the list of your Facebook friends "who also use and have shared their friends' lists with FaceApp."
Have you yet asked yourself why this app asks for permission it unlikely need to perform its intended function?
FaceApp Unnecessarily Access Your Facebook Friends Lists
Indian security researcher Athul Jayaram recently contacted The Hacker News raising a huge red flag about the collection of users' Facebook friend list data that FaceApp currently doesn't use in any way to function itself or power any of its features.
"When an app asks for permissions that are unnecessary to its functioning, you should think twice before downloading it."
We also tried to find if FaceApp in someway is using this data to "enhance the user experience," but we failed to find one that justifies the collection of this particular data.
Upon being contacted, FaceApp CEO Yaroslav Goncharov told The Hacker News that FaceApp had a feature called "Social Stylist," that was designed to let users invite their Facebook friends to vote for their best style.
Apparently, the feature has now been discontinued, but the app still collects your friend list when you choose to Login with Facebook.
"We don't have this data anymore and planning not to request this permission soon. We used to have some social features (Social Stylist: you could invite your friends to vote for the best style, have a feed, etc.), those features needed this permission," Goncharov told The Hacker News.
"Please note that don't require a Facebook login for FaceApp to work, so only a few users are logged in."
It's a concerning issue considering the fact that the app has recently gone viral worldwide, crushing the App Store in 81 countries in just 6 days and climbing to number 1 spot from 1,370 on the top free apps chart in the US in only 5 days.
The Hacker News has also contacted Facebook, informing them about this FaceApp practice and asking them to comment on the matter.
How to Stop FaceApp From Accessing Irrelevant Personal Data
No doubt, "Login with Facebook" service makes logging in and creating accounts for various third-party online services, apps and games easier, but most of the times developers request access to a lot of your data unnecessarily.
FaceApp works completely fine without even connecting your Facebook account with the photo-editing app when you choose to select photos from your device storage, but if you still want to use the app to download Facebook photos, you can do it without revealing your Friends List.
For those unaware, Facebook already has an option that allows users to edit and explicitly choose what permissions they want to grant an app from a list of requested permissions pre-defined by its developer.
While connecting your Facebook account with FaceApp or any other third-party service, Facebook displays a page with an edit button, allowing users to toggle OFF permissions they don't want third-party apps to access.
However, if you have already given FaceApp permission to access your Friend list or any other unnecessary permission, you can also edit it in your Facebook account settings under "Apps and Website" section.
It should be noted that just removing the app or restricting permissions would not erase your data from the FaceApp servers.
FaceApp CEO Goncharov suggests that users can request the company to delete all data from FaceApp's servers by using 'Settings→Support→Report a bug' with the word 'Privacy' in the subject line.
Other Recent FaceApp Privacy Concerns
It is not the first time when FaceApp has been under scrutiny related to privacy issues.
Just after a week of going viral, privacy advocates and media raised concerns surrounding FaceApp's loosely-phrased privacy policy, which says that the use of the app grants the Russian-made app a "perpetual" license to your photos, allowing it to use your likeness, name, and username, for any purpose, without your consent, forever, even if you delete it.
"You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public," FaceApp's 'Terms of Use' agreement says.
Besides this, during the same time, another concern was raised that FaceApp wasn't just accessing users' submitted photos but also grabbing the entire camera roll from users' phones.
However, it was not the case, as French security researcher Baptiste Robert, who goes by Elliot Alderson on Twitter, refuted the speculation through his technical investigation, confirming that the app only uploads a photo selected by a user to its server for editing.