28 July 2019

FaceApp’s Russia Link Is the Latest Alarm in an Ongoing Digital Red Scare

By Alyssa Newcomb

Last week, in the epitome of an about-face, A.I.-driven photo editing app FaceApp went from trending on Twitter to a spot on the Democratic National Committee's "do not use" list in the span of just a few days. But the viral app isn't alone in falling out of favor with users. A variety of Russian-developed tech has set off alarms in recent years, leaving Americans to wonder how safe it is to give foreign apps and services access to their data.

Popular—and controversial—for years, FaceApp caught the eye of social media users again last week, and the app's ubiquitous old age photos also caused experts to take a closer look at the app's privacy policy. A furor broke out, and before the end of the week, the app made changes alerting users to how their data was being used.

But Democrats, still smarting after Russian hackers leaked emails from the DNC in 2016, aren't taking any chances with cybersecurity—especially when it comes to Russian apps. Last Wednesday, Bob Lord, chief security officer of the DNC, sent an email to campaigns, urging them to not use FaceApp, and to delete it if they already have. His email did not give a specific reason as to why the app might be a risk, other than a fear of the unknown.

"It’s not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks," Lord says in the email.

Sen. Chuck Schumer (D-NY) took the fear of FaceApp a step further, warning all Americans about the app in a video posted to social media last Thursday night.

A warning for all Americans:

Millions downloaded #FaceApp from a Russia-based company.

Warn friends and family about the deeply troubling risk that your facial data could fall into the hands of something like Russian intelligence or military. pic.twitter.com/mnhlEeNU58— Chuck Schumer (@SenSchumer) July 19, 2019

"What seems like a benign new social media fad may actually not be benign at all," Schumer says, speaking directly to the camera. "The risk that your facial data could also fall into the hands of something like Russian intelligence or the Russian military apparatus is disturbing."

An enemy app within

FaceApp isn't the first bit of Russian tech with questionable data gathering chops—it wasn't even the only one to cause a stir last week. On Wednesday, Google removed seven apps believed to be stalkerware from the Google Play Store. The Russian-developed programs allegedly gave users the ability to get information about a target's text message history, call logs, and location, among other bits of personal data.

The apps weren't removed from the Google Play Store because they were Russian, but because they were unethical. "They promote criminal behavior, and can be abused by employers, stalkers or abusive partners to spy on their victims," said Nikolaos Chrysaidos, head of mobile threat intelligence and security at Avast, which discovered the apps.

Russia has been behind several other technology scares in recent years. In 2015, U.S. officials expressed concerns about Russian submarines getting dangerously close to undersea cables, which would potentially allow them to attack Internet connections.

In another instance, Russia was accused of creating a counterfeit app to mimic one developed by an officer in the Ukraine military. That app processed targeting data for a particular weapon. While the Russian app appeared to work the same way, it contained malware that gave hackers access to text messages, location, and other data from Ukrainian soldiers who were duped into downloading it, according to a report from cybersecurity company Crowdstrike. The result was an advantage on the battlefield.

In 2017, the Russian group linked to hacking the DNC created malware designed to attack Mac computers and operating systems, according to two cybersecurity companies.

Russia's cyber warfare expertise also set off alarm bells about Kaspersky Lab, a cybersecurity company headquartered in Moscow that has a reputation for being a leader in detecting cyber threats. In 2017, the Department of Homeland Security banned government employees from using software made by Kaspersky Lab out of concern it could have ties to the Kremlin.

"Obviously the U.S. has always had a contentious relationship with Russia—the current political climate makes it even worse," says Robert Siciliano, CEO of security education company Safr.me, who also notes that he's not convinced Kaspersky acted in a malicious manner.
Do your apps have Russian roots?

With surreptitious data collection concerns at the forefront of many peoples' minds, Siciliano says people should take the time to do their research before downloading a free app, and that includes finding out where the developer is located.

Siciliano says he's "no fan of [FaceApp] or that it has Russian roots." However, he says more Americans are waking up to the risks of government surveillance through seemingly innocuous apps.

"It is never good when domestic governments, corporations, or foreign government force companies to provide backdoor access to their software," he says.

Yet when it comes to FaceApp, there are plenty of unanswered questions. Schumer is asking the FBI and the FTC to investigate the company and how it uses data. The company's privacy policy reserves the write to use "an individual's name, likeness, voice or persona," according to the fine print. In the wrong hands, legally speaking, owning that rights to that information can be troublesome.

FaceApp creator Yaroslav Goncharov did not respond to an interview request regarding whether he thinks his company has been unfairly swept up in worries over Russian hacking in the U.S. Last Wednesday, he sent Fortune a statement clarifying some of the privacy questions about the app.

While FaceApp and its parent company, Wireless Labs, are based in Russia, none of the data uploaded by users is transferred to the country, Goncharov said last week, adding "most" of the photos are deleted within 48 hours. Privacy-conscious users can also request their data be scrubbed from FaceApp's servers by going to settings, support, and choosing "report a bug." Users should type the word "privacy" in the subject line to send their request.

Another misconception was where the AI image processing takes place after users upload photos, Goncharov said. According to him, the app doesn't process photos on a person's device, and instead uploads the images to one of two cloud providers―AWS or Google Cloud―for processing.

But the DNC's FaceApp warning wasn't just for campaigns, Daniel Wessel, the committee's deputy war room director tells Fortune. It should serve as a good reminder for everyone to follow cybersecurity best practices.

"We know that foreign adversaries are trying to interfere in elections," he says. "We are aware of the risks and taking the steps to make it more difficult for them."

No comments: