COMMENT: In light of FaceApp controversy, users need to understand data privacy

LightRocket via Getty Images file photo

By Shashwat Khandelwal

Here’s a familiar story – a popular, viral app catches the user’s eye, and the app store they are using affirms that the app is secure and verified. They download and install the app.

The user then skims through the app’s overview to understand its functions. Notices appear, requesting for permission to access user’s location data, the camera, address book, and other device functions. The user grants all these permissions before using the app.

Sounds fine so far? It isn’t.

In most cases, the user is never prompted to review the Privacy Policy or Terms of Service of the app to check on how their data is handled, nor does the app explain why certain permissions are required.

The FaceApp furore

Recently, the internet has been up in arms over privacy concerns that have been raised over FaceApp, a viral image-editing app with multiple celebrity and influencer endorsements. It uploads photos to a cloud server and uses artificial intelligence to edit the photos. With the popularity of the app, watchdogs raised privacy concerns – the app could potentially extract images from users’ photo galleries.

In response, FaceApp released a statement, saying that the company would not “sell or share any data with third parties”. It was also found that the app only uploads photos which a user has consented to upload – that is, by selecting images for processing.

Yet, there is still concern over the intrusive terms of service: FaceApp users grant the company “irrevocable rights” to use or reproduce data that has been submitted to the app on any new or existing channels. Since photos are uploaded onto FaceApp’s cloud servers, the company can potentially use or reproduce the data that has been submitted to the app for their own gain.

What’s worse, it’s not just FaceApp. Nearly all social media and photo platforms have similar clauses in their terms of service, and privacy policies. Apps are an integral part of our life with their developers potentially privy to such information of their entire user base.

In a world where data is less private

It’s not enough to join in the outrage when user data is compromised – users need to better understand what data privacy is about.

Legislation such as the Personal Data Protection Act (PDPA) has been implemented internationally: The Act regulates the use of data by examining user consent, the purpose of data collection, and the reasonableness of data use.

The EU has similarly introduced the General Data Protection Regulation (GDPR), which mandates that users have a right to obtain confirmation from data collectors on how their personal data is being processed. Users also have a right to request to be ‘forgotten’ by having all their data erased from the database of data collectors, among other clauses.

Still, regulators and the industry can do more by implementing stringent rules, which require apps and services to disclose their terms and services to the end user as well as standardising and simplifying this complex space. Companies also need to be more responsible and transparent with their data collection practices.

In the meantime, user data is still at stake, and users need to be responsible by doing their due diligence in protecting their data.

Securing data with basic cybersecurity practices

While the ecosystem for apps and platforms is still evolving in how user privacy is ensured, there are steps that users can take to secure their data.

First, be aware of best practices to ensure that your smart devices and data are safe.

Before installing an app or service, do a simple audit: is the platform that the app is on trustworthy and secure? Has the app raised privacy or security concerns? What permissions does the app require and are the permissions logical? This information is easily accessible via a quick search.

For example, in April this year, 46 apps by Chinese developer DO Global were removed from Google Play. Of these, some camera apps required over 30 permissions, while other apps providing similar services required less than half. The apps used the devices they were installed on to commit ad fraud, while mining user data at the same time. The story was widely covered to raise awareness among users, with many publications warning about the apps.

Second, scrutinise the data disclosed, and permissions granted to apps.

Users have the right to disclose or keep their data private. If an app or service seems too intrusive or provide insufficient information on how user data will be utilised, it will be best to abstain from using it.

When using an app, users should minimally review the terms of service, paying particular attention to sections mentioning what data is collected and used. Knowing this, users must be selective of the data that they disclose to apps, to prevent sensitive information from being compromised.

To illustrate, user profiles and photos are kept on social media databases long after they are ‘deleted’. To prevent data from being compromised due to misuse, or in breaches, users should abstain from uploading any personally identifiable information.

There are also other practices to ensure data security.

Passwords are the key to plenty of user data and user’s digital identities; it is imperative to use strong passwords that are easy to remember for humans while being difficult for machines to brute force – this example illustrates it well. Alternatively, a trustworthy password manager is an option.

Last, but not least, use reliable security software, and schedule regular updates and scans to ensure that smart devices are clear of threats. As the world becomes more interconnected, it is not surprising for threats, such as phishing attacks for personal data, malware, and adware to enter undetected. Having a security software in place will allow users to detect threats in real time, and check systems for any malicious files. Users can also reduce the risk of these threats by not visiting suspicious sites, and not opening suspicious links or files from unverified sources.

Privacy is a right, and intrusiveness is not the new normal

Data is the new oil, and organisations all over the world are getting hungrier for user data. Against this backdrop, users need to remember that data privacy is a right and be selective about the data that they disclose on various platforms – they should even abstain from using a particular app or service unless they are satisfied by what they see. While data privacy regulations are being put in place, more needs to be done on the part of regulators and companies to protect end user data.

The uproar over the FaceApp privacy concerns shows that users are aware of their right to data privacy, which is a good start. When combined with a better understanding of how data can be misused, and adhering to best practices, they can cover more bases to ensure their data and personal information stay secure.


Shashwat Khandelwal is Head of Southeast Asia Consumer at McAfee.

Prior to joining McAfee, Shashwat was the Vice President of Business Development for tenCube, a Singapore mobile security startup that was subsequently acquired by McAfee. Before tenCube he served in various technical roles at Motorola ranging from solution architecture to system engineering.

Related stories:

The privacy panic over FaceApp

FaceApp challenge: Privacy experts warn over using Russian ‘ageing’ app