There has been a heightened surge of questions about data privacy in recent weeks, especially in light of the app called FaceApp. This app allows users to take pictures that can be filtered to either look multiple years younger or older, depending of your preference. The concern surrounding this application is the access users grant the developers of the application – full and irrevocable access to their images and associated data.
These concerns have raised several eyebrows, so much so that US Senate Minority Leader Chuck Schumer called upon the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) to open up an investigation into the application in order to better understand the potential risks and impact it has due to the application’s alarming usage policy. The policy states that the user grants its creator “never-ending, irrevocable, nonexclusive, royalty-free worldwide ownership of images used in the application and the freedom to use, reproduce, modify, adapt, publish and translate them without providing compensation in any way.”
The associated data include usernames, photo albums and other information, like users’ location and messages. The policy is not novel, as most app developers including Facebook, have used similar statements in their policies, but it has raised concerns nonetheless, with geopolitical concerns (the data is being stored in Russia) surely factoring in.
As IT auditors and cybersecurity and governance professionals, I believe the duty falls on us to help educate and drive the conversation about the impact of data privacy, not just because of FaceApp, but because the impact and severity of a breach if and when it occurs can be catastrophic. The million-dollar question is how can this be accomplished?
We play a pivotal role in the design and implementation of how data are analyzed, received, stored and transferred. In most cases, we are involved in the design of the user content policy and also how data are extracted from users. We have to ensure that only the data required to perform a function and nothing else is collected from users. This is quite similar to the standards stipulated in GDPR and HIPAA. Once data is provided by users, the work continues for the entrusted data to be protected by risk-based industry best practices followed to the letter for optimum security. In addition to the establishment of standards, requiring companies to pay hefty fines for the mismanagement of data and other privacy missteps will cause more and more companies to think deeply about how they approach the handling of data entrusted to them. Data is now the new gold!
Consumers are starting to pay close attention to how their data is been managed and are interested in knowing more about data privacy. It is my recommendation that FaceApp should not be used and if it is already in use on one’s device, it should be deleted to avoid further data collection. If you choose to still use the app, make sure you understand more than the user content policy – know what the repercussions could be if you choose to move forward.
