Democrats Issue Warnings Against Viral Russia-Based Face-Morphing App
Speaker 1: 00:00 It was last week's tech craze, with millions of new users downloading FaceApp to their smartphone. The app allows users to upload a selfie and transform it to add or even subtract years using artificial intelligence technology. It was all fun until concerns about data security and access surfaced. You see, FaceApp is owned by a Russian-based company. There are fears that company could ultimately expose your data to a country that interfered in the 2016 election. Democratic Senator Chuck Schumer has even called for a federal investigation into the company. So is there a risk, and is FaceApp the only app we should be concerned about? Well, we found a certified ethical hacker to weigh in. Steven Andres teaches at SDSU in their homeland security graduate program. He joins us via Skype. Steven, welcome.

Speaker 2: 00:49 My pleasure.

Speaker 1: 00:50 So why do you think Senator Chuck Schumer and the DNC are so concerned about the access this app has to data? Is there a reason for alarm?

Speaker 2: 01:00 Well, it's not a reason with this app in particular, but I believe the concern is with Americans giving up access to their personal information so easily. As long as it does something that makes us laugh, we will throw caution to the wind and install pretty much anything, and it's important to realize that the Cambridge Analytica scandal all started with an innocent personality quiz.

Speaker 1: 01:20 Hmm. What information does FaceApp have access to on mobile devices?

Speaker 2: 01:26 Well, we don't know for certain, but from what we can tell from what researchers have told us is they have access to your photo album. Although it appears that they only extract one picture at a time, the one that you select to give them, um, they might add more permissions later, in which case you would get a prompt for those permissions at the time that the app is updated.
But what's sneaky about mobile apps in particular is they might come in and say, hey, we're only doing this photo thing today. Maybe six months from now, or perhaps right before the election, they update their app to ask for additional permissions. You see it, you download the new update and you're like, oh yeah, this is the funny face app thing, and now it's looking at your contact list. So it doesn't do that today, but it could in the future.

Speaker 1: 02:09 Hmm. Is there a way to delete that information off the app servers?

Speaker 2: 02:13 Once the information is off of your phone and it goes to their servers, it's really in their hands. So you can ask them to delete it and you'd have to trust them. But they actually did.

Speaker 1: 02:22 I mean, there are some people who will look at the access that these apps have and they say, well, so what? I mean, what are they going to do with an image of my face? I mean, it's just an image of my face. So how could that information be used?

Speaker 2: 02:37 Well, they could be used to build an identity profile of you. Perhaps the most innocent way would be just to target you with advertising; many sites do that. But maybe there's a target that they, that somebody maliciously wants to go after, and they can say, I think this will be a way to cast a wide net and we can find the person that we actually want access to and this to get their information. Sort of like a Trojan horse.

Speaker 1: 03:01 Okay. And so I know much of the talk has been around FaceApp, but, uh, you know, is FaceApp any different than other apps people commonly have on their devices, like Facebook or Snapchat or any other app that adds filters, even to pictures?

Speaker 2: 03:17 It doesn't appear to be.
So some of the mystery lies with the origins of the app coming from a, a Russian software development firm and, uh, you know, that's a, a buzzword these days, but, uh, there's another video app called TikTok and that's very popular with the high school age kids, and that's owned by a Chinese national company. So it really depends on what are we, uh, investigating here: the origins of the app or what it does with your data. We, we lower our guard when it comes in the form of a mobile app because we're social creatures and we want to be in on the joke. Everybody else is doing it. Somebody else must've checked the validity of this. So I can just be part of the group.

Speaker 1: 03:56 And, and I think that that's an assumption a lot of people make, is that someone must've checked the validity of this app. Is there an agency or anything that regulates or checks those things?

Speaker 2: 04:08 I wouldn't say a government agency, but at least on the Apple App Store, they do check that the app does what it says it does, up to a point, right? So the app could be doing what it says it does when they submit the app for certification into the store. That might change six months down the road, and it's not so certain that they're going to catch a change that happens later on.

Speaker 1: 04:30 Do Androids have that same protection?

Speaker 2: 04:33 It's a little bit different on the Google Play Store because they don't prevent the app from being listed before the review. Google says that they'll do the review as a trailing process after it's already been posted. So there's a little window of attack there where somebody could sneak in a malicious app on the Google store that would be blocked by the Apple store.

Speaker 1: 04:51 Hmm. So what should we all look for before downloading a new app?

Speaker 2: 04:55 Once you do install that app, especially on the Apple platform, when that app wants to use a permission, it will prompt you.
So take a second; that prompt is important. And think to yourself, is it important for this app to have access to it? Uh, sometimes you'll get a game and it says, I need access to your address book. And you might say, well, why is that? And I say, oh, don't worry about it. We just want to see who else that you know is also playing the game. But along with that, it's sending all of your contact information to this other server. And that might be birthdays, addresses, street addresses, email addresses for all of your friends.

Speaker 1: 05:30 Hmm. And so you, as you mentioned earlier, there's no way to delete the information that's been collected once it goes to an app server. Uh, what about when you delete the app off of your device? Is that something that people should be in the practice of doing?

Speaker 2: 05:44 Yeah, once you're done with an app, it's certainly a good idea to delete it from your phone, and that will get rid of any local storage that that app had. But these days, most of the apps will send the information that they want into a centralized server because it's easier for the company, not necessarily easier for you. Somebody could make a version of this face app that does all the aging process locally on your phone and never sends any data to the cloud, and that would be a much safer alternative.

Speaker 1: 06:10 Why do you think they haven't?

Speaker 2: 06:12 It's a lot easier to do with the way that they did with cloud-based servers because all the difficult, uh, uh, image processing happens in the cloud versus happening on each one of your phones.

Speaker 1: 06:22 Would that take up space on devices? Is that why? Or...

Speaker 2: 06:25 It would take up space on your device. It might also take quite a long time, more than you're willing to wait to get the result. So if you do it in the cloud, might be instantaneous, a couple of seconds. On your phone, with the computing power of your phone, it might take 20 seconds, maybe a minute on an older phone.
And it's just not as fun.

Speaker 1: 06:44 Some cyber security experts say if FaceApp was a test, America failed first. Do you agree with that?

Speaker 2: 06:51 I would say so. If it was a test, we definitely took the bait and didn't think twice.

Speaker 1: 06:56 Ah, so what, what should people do moving forward?

Speaker 2: 07:00 I think folks should be more concerned about what data they're giving and what is the tradeoff. So your data is currency. These apps are generally free, so that you don't have actual dollars out of your pocket, but you are paying with your data, so your image can be used by other people. What are you getting in return? You're just getting an older image of yourself. That might not be a fair trade.

Speaker 1: 07:20 And so what can legislators do? I mean are, is there any regulation that could be put in place?

Speaker 2: 07:26 We might see some sort of fair warning labels, a kind of nutritional information for an app that goes beyond what the app stores already do. And hold publishers to account for a deletion policy, for example. So in the European Union, the GDPR laws state that if an EU resident wants the data deleted, it is backed by law that you must delete the data within a certain amount of hours. We don't have that protection here, so that might be a good first step towards a full-blown consumer privacy.

Speaker 1: 07:55 I've been speaking with Steven Andres, who teaches at SDSU homeland security graduate program and is also a certified ethical hacker. Steven, thank you so much for joining us.

Speaker 2: Pleasure's all mine.