Oops

I was Wrong on The Internet when I raised alarm over FaceApp. It blew up. People got mad. Here’re the highlights.

What Happened?

Just before 11PM (and bedtime) on July 15, 2019, I tweeted in anger over what I truly believed to be nefarious behavior from the popular FaceApp (the aging/de-aging app that apparently let you try on black-face in 2017 – talk about “oops”). Here’s a screenshot because I’m not sure what I’m going to do about the misinformation (more on that later).

I posted this, was angry about it for a bit, then went to bed.

I woke up and got out of bed. I went about my business, noticing some mild activity over night, but nothing major. Then … holy shit! 9to5Mac picked up the “story” and ran with it. Then TechCrunch. Then a day later Forbes had their own … unique take.

Full Disclosure

First let me say this: I was wrong. I was wrong about what I thought the app was doing (uploading all pics once granted access), and I was wrong to have posted the accusation without testing it first. Full stop.

Others have done the research and, let’s face it, I deserve the criticism that accompanied some of it. It doesn’t appear any pics are uploaded unless you choose them, at which point FaceApp’s servers do the processing “in the cloud”. I formally and unconditionally apologize to FaceApp’s creators and to the Internet in general for the unfounded accusation.

Legitimate Concerns Remain

Now that this is out of the way, I stand by my warning to be careful with this app and other fad apps just like it. I’d like to address a few issues that are still very real.

The biggest oddity is that the app asks for full, unfettered access to your photos (on iOS) without really needing to. It then begins doing … something … with them that takes time, as they appear a few at a time, and rather slowly. The fact is, it doesn’t need access to your photos at all. In iOS, apps can invoke the system’s photo picker, a system-managed panel that lets users choose the images they wish to “give” to an app without granting it wholesale access to all your photos. Indeed, you can refuse it access to your photos and still use the button near the bottom to invoke this photo picker to give it just the photo(s) you want it to have. What are they doing with full access? What might they do in the future? Why request it at all?

Perhaps more onerous still is their terms of use. User @WFBrother replied to me with this highlighted excerpt:

You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp’s use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf. You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.

Emphasis mine. That’s particularly troublesome wording. Especially the emphasized part. It gives credence to the multitude of responses to my original tweet that express concern over what they might do with their unnecessary level of access to your photos.

The app also connects to Facebook whether you want it to or not. This I did find after playing around with a proxy app (Charles Proxy) last evening. I’m not claiming it shares your photos (I saw no evidence of this), but it does use their API to identify itself and the device to Facebook even if you don’t tap the Facebook share button (I didn’t).

Considering:

  • the audacious terms of use
  • the completely unnecessary level of photos access it requests (without explaining either why they want it or that you don’t need to grant it for the app to work)
  • contacting Facebook without asking permission
  • not warning the user beforehand that selecting a pic will send that pic to their servers (“the cloud”) for processing instead of keeping it on-device
  • and thinking it was a good idea to include a goddamned blackface filter

…I stand by my original warning to be careful and upgrade it to “avoid at all cost if you value privacy even a little”. Yes, I overreacted and made an assumption I did not verify. I regret that. What I don’t regret in the slightest is having called attention to the privacy concerns surrounding this app.

Many others have responded to me agreeing that it’s still a pretty nefarious app given the above factors. It even brought up a discussion about how to improve the privacy and security of iOS regarding an app’s access to photos and iOS privacy in general. To wit: developers should have to pass an extra hurdle to justify even requesting wholesale access to photos vs. the photo picker before being approved into the App Store. Similarly, social media integrations shouldn’t be allowed to communicate with their platforms unless and until the user asks and authorizes it.

Overreactions

There’s Just No Pleasing Some People

Speaking of overreactions, mine wasn’t the only one, however. Some of the responses have been downright hilarious. Take this one from “Retweeted”, for example. The Superman bit was a nice touch, but seriously, what the hell is wrong with people? I suspect what’s wrong with this “person” is that she doesn’t exist. Very few tweets over the years the account existed and zero followers. I have suspicions.

Some overreactions were a little more shit-posty than others. Take Forbes. Please. Their headline reads, “FaceApp: Is The Russian Face-Aging App A Danger To Your Privacy?

No, FaceApp isn’t taking photos of your face and taking them back to Russia for some nefarious project. At least that’s what current evidence suggests.

Forbes’ Top-Notch Takes

First of all, you shit-stirring, sensationalist assholes, where in my warning did I mention the Russians? The wording and flow of your article strongly suggests I’m engaging in some sort of Red Scare over FaceApp. For that, I unreservedly say: Fuck you and fuck your reductionist stance. Especially considering the kind of “sky-is-falling” shit-posting in which you regularly engage about the latest slight movement by Apple spelling its impending doom. Several times a week. Year after year. Great reporting, that.

What to Do Now?

So what do I do here? I’ve already been contacted by several reporters asking me for further comment. My original tweet just keeps being retweeted and none of those retweeters are reading the thread that follows or any of the other attempts I’ve made to post others’ findings, no matter how embarrassingly they refute my erroneous claim about the mass uploading of photos.

I’m definitely tweeting this blog post, but do I delete the original tweet to stop the spread of my disinformation or do I let it stand because it happened and it’s been cited in news articles? I’d rather delete it to prevent it being retweeted, and some have agreed (provided I post this retraction), but is it the right thing to do? I’m not prepared to make my life about correcting my own tweet to all who retweet it (it’s in the hundreds already), but I’d really like to stop that claim I made causing more trouble.

Anyway, that’s my story about how I was Wrong On The Internet.

Update 1: I’ve decided to delete the original tweets, as I’ve kept the screenshot of my words above in this blog post. Feel free to use it if you’ve already referenced the tweets in an article.

Update 2: No, members of press, I don’t want interviews, comments, or phone calls. Thanks, I think, but you’ve done so much for me already. Of all the tweets I’ve wished would go viral, it’s the one I least expected. Avoiding implying I’m blaming Russians or trying to become an Internet sensation will be quite sufficient, thank you. (rolls eyes)

Update 3: Speaking of crack journalism (as in crack-cocaine, I think), UNILAD has without any known or knowable source decided that I work for the Russians. I don’t. Great job.

Update 4: The Express is the latest repeating the false narrative of my involvement in FaceApp’s development. Much as it kills me inside to agree with anything Trump says, I’m beginning to believe much of Journalism today truly is “fake news.” I’m just some guy who tweeted something; these are supposedly professional journalists.

Update 5: The UNILAD article has been corrected after much tweet-shaming and an email to their editor. (They also asked me to remove mention of their journalist, which I’ve done, but won’t be removing mention of the fact they fucked up.)

Update 6: The Express took awhile but posted a well-written retraction.

Josh