The National Privacy Commission, the Philippine data privacy watchdog, looked into the latest version of FaceApp after people raised concerns over its privacy policy. The app resurfaced again a few weeks ago when internet users posted their gender-swapping versions on social media.

FaceApp is a photo and video editing application developed by Wireless Lab, a company based in Russia. The app has been around for some time but caught the eyes of privacy advocates last year and NPC responded by conducting an assessment around August 2019.

In its latest assessment, NPC said it found significant differences between the 2019 and 2020 versions of FaceApp’s privacy policies.

NPC to meet with Facebook to discuss cloned accounts

NPC works with DOH on COVID-19 contact tracing, issues privacy guidelines

“In the current version, it is noticeable that both the European Union’s General Data Protection Regulation and the California Consumer Privacy Act required the developers to improve their privacy policy and provide specific legal bases for processing personal data as well as stipulate applicable data subject rights,” said NPC in a statement. “Whereas in the 2019 version, there was no mention of data subject rights and it only directed users to send it an e-mail if they have questions about the app’s privacy policy.”

Cloud providers

The NPC also found that FaceApp had full disclosure of using third-party cloud providers: Google Cloud Platform and Amazon Web Services.

“Only photographs specifically selected for editing are uploaded to the cloud, where they are temporarily cached during the editing process and encrypted using a key stored locally on the user’s mobile device,” the statement said. “The assessment has also found that the 2020 FaceApp version no longer requires users to disclose their mobile number and Facebook login information for identity verification.”

The latest version gives users more choices in what data they want to provide as well as permissions on the data they provided.

Cybersecurity companies also said it didn’t find any malicious elements but still cautions on sharing images as facial recognition is now used as passwords.

Caution in image upload

The NPC shares the same sentiment.

“Do not be afraid to explore new technologies but use it with caution. Report abuse if any.” Privacy Commissioner Raymund E. Liboro said. “The public must not immediately give in to privacy panics. Rather, we should read and learn how to analyze privacy notices and policies. Ask yourself, is the app and developer being fair by providing choices and notices? These privacy notices are the window to transparency on how companies and developers will protect your data and rights.” he added.

In general, the NPC reminds users to take precautions before uploading selfies and other photos to social media. If abused or misused, these seemingly harmless actions may expose users to data privacy risks, such as unauthorized access, processing, and malicious disclosure due to negligence.

The NPC is also reminding companies of their responsibilities over face- recognition activities on their platforms, including preventing the abuse or misuse of their customers’ personal data.