We all know about those dreaded terms and conditions… they are lengthy, complicated central thesis requiring a PhD in Law to comprehend. We constantly agree to be bound by terms without realising it. The question is… whom do the terms and conditions provide protection for; you whom owns your data, or the organisation whom wants your data? FaceApp has hit the media with a storm recently and not because it’s virtually making the world population much older. Read on to see if the terms truly protect you, the user or the organisation.
What are Terms and Conditions?
There is a myth regarding the purpose of terms and conditions circulating the 3rd rock from the sun. It is important to clear this up instantly before continuing:
Terms and Conditions form legally binding contracts between two or more parties. This means you are legally bound to all the clauses within the terms, not just the ones you read or were told about.ThinkOgram (2019)
Contracts are a key element for organisations operating within any country. These contractual terms and conditions layout the grounds in which a company operates, the sale of products, the delivery of services, how your data is processed, and the company expectations of you, the customer.
The standard contents forming a contractual agreement can include the following:
- How a contract between involved parties is formed
- Payment terms and charges
- How delivery will take place
- Policies regarding returns and refunds
- Policies for defective goods or services
- Your personal liabilities
- Description of the goods or services
- The price and potential for price change
- Any other terms specific to a transaction or interaction
The last bullet point above is really important because this can cover many different aspects of a contractual relationship. You don’t see any mention of how a company can use your data, or how a company will store information on your devices (Privacy Policies and Cookie Policies respectively). These are covered within the scope of ‘any other terms specific to a transaction or interaction‘.
Terms and Conditions are lengthy, complicated central thesis requiring a PhD in Law to comprehend.ThinkOgram (2019)
Are Terms and Conditions Complicated?
This is where things get a little sticky in relation to how legally binding a contractual agreement between two or more parties could be! If you’ve ever read a terms and conditions document, you will know how insecure those terms can make you feel. As we begin to read, most terms and conditions can end up making us feel like uneducated cave dwellers, whom haven’t grasped the power and comprehension of words.
Research completed in 2019 which attempted to assess plain and intelligible language in the Consumer Rights Act 2015, and the use of reading scores was conducted. The use of reading scores was a method in which one could establish whether the terms and conditions are persented in plain and intelligible language (a requirement of the Consumer Rights Act 2015).
Looking at insurance policies within the experiment, it was found some terms and conditions would required the reader to be educated to a PhD level (roughly nineteen years of education). It was found even a first year degree education was required to read most of the terms examined.
What does this have to do with FaceApp?
This is the confusing aspect in comparrison. We have just established terms and conditions can be very complicated documents to navigate. However, let us have a look at a few segments of the FaceApp terms and conditions:
- You assign FaceApp irrevocable global rights to use your images or data as it sees fit without any need to compensate or inform you.
- FaceApp can continue to hold your images and data even after you have requested your information be deleted.
- The company reserves the right to share the data with any third party it chooses without any need to inform you.
- It reserves the right to host the data in any country it chooses.
I am betting you understood every single word of those terms. Not difficult to understand really… give me all your data and we will do as we please with it, regardless of what you say. Let’s face it though, with the introduction of the General Data Protection Act (GDPR), these terms are not even law abiding. You clearly understood those terms yet many people are still using the mobile application.
Most companies have similar terms and conditions but they are not as clearly written as FaceApp. They generally use more complicated terminology and sentence structures. We can understand sometimes, reading the terms can still leave you clueless as to what happens with your data. Yet here… we have a mobile application clearly stating the obvious. They are not even trying to hide or disguise how they want to use your data.
Does it really make a difference?
I guess to answer this question we need to first know what data they are collecting from us. With the terms and conditions being so damned obvious, let’s see exactly what data they do collect:
- Your photos and contextual personal information.
- Your phone information (browser, serial number, IP address, configuration information, some location information). Notice they take the hard coded ID of your device? This is so not matter what, they can identify you as the user. I write about this and the concept of Pointless Privacy in more depth in this article: Controlling Ad-IDs: Pointless Privacy.
- Details about your other apps, the OS on your phone, social media accounts and apps.
- Cookies, sign-in tokens, and any authentication information you share with it (for example, if you choose to log in with Facebook, it gets access to your Facebook access tokens and profile information).
- If the app is downloaded on Android, it can access your call history, contacts, logs, more-detailed location information, messages, and more.
As you can see from the list of data collection points above, it’s not all about a simple photo being morphed into an older version of yourself (which uses quite generic methods when you look at a number of different photos). It’s about all the additional information it wants to scrape from your device. It wants to know about all your phone information, details about other applications you have installed and which ones you use, the operating system running on your device, your social media accounts and which social media applications you’re using, and God forbid if you authenticated with your Facebook account because the app would get access to your Facebook access tokens, and all your profile information. Yet that’s not it, depending on which device you install the application on (Android, and we all know Google is not interested in protecting your privacy until they’ve made a hefty profit from your data), the app can see all your call history. That’s right, it wants to know whom you’ve been calling? It also wants to see your contacts and whom you have communications with. It also wants to check your phone logs, and it’s requested more detailed information about the locations you’re at or have visited. It even wants to read all your messages you’ve sent to people. Do you get it yet? This is a simple photo manipulation app designed to be a little bit of fun. However, where is the line between a little bit of fun and the boundaries of privacy infringement?
The issue at hand here is our common behaviour to dismiss the terms and conditions and simply check the tick box and move on. However, some companies are trying their best to use complex wording and structures to hide their true intensions, while others just like FaceApp as basically telling you your data is ours to do as we see fit.
FaceApp as basically telling you your data is theirs to do as they see fit.ThinkOgram (2019)
Google is not interested in protecting your privacy until they’ve made a hefty profit from your data.ThinkOgram (2019)
Where is the line between a little bit of fun (free apps) and the boundaries of privacy infringement?ThinkOgram (2019)
Are the Terms and Conditions really PROTECTING YOU?
Here is the crunch of it all surely… these fun simplistic mobile applications such as FaceApp are wanting to scrape more than what would be required for the app to function. It’s what they are doing with your data they have that should be concerning you. The terms for FaceApp clearly demonstrate those terms were written to allow the business to do anything with your data regardless of what your opinion is (yet we are still using these applications by the thousands with millions installing them). Facebook terms and conditions are all about how you are signing over the rights to your data and not actually what your rights are in relation to your data.
I recently wrote an article about Cloud Storage and the Myth surrounding whom has responsiblity for your data (read it hear: Cloud Storage: Is it Safe or just a Myth?). I point out such places as Google Drive wanting to scan your files, scrape the data, and still use those files even when you’ve stopped using the service. Does this sound familiar? FaceApp clearly states in their terms and conditions above, even if you request to have your data deleted, they won’t delete it. They’ll continue to use it without your consent, and not inform you when they are passing anything on to other parties.
The purpose of this data collection
I guess now you know how much data is actually being scraped by such a simplistic application coming across as innocent and fun concept, you have to wonder what potential purposes this data could be used for. Let’s Face(App) it (sorry for the pun), there is an ever growing market for artificial intelligence. What do we hear about all the time in the media…? Face Recognition. Companies are well aware this will grow into a massive market. The ones who’ll win are the ones that hold the most data surely?
FaceApp has already accumulated data on over 150 million people. Just by allowing them to manipulate a photo to see if they look as good as grandma or grandpa. This data is worth millions in terms of advertising scope. However, this would not be my personal concern. Face Recognition would be my concern for this data. By using the FaceApp, you will have legally granted and given consent (which according to their terms can’t be taken back) to use your data with anybody, in anyway they see fit, without the need to notify you. As the Face Recognition industry grows, so will the sharing of such data without the need to notify you. Soon, you will find yourself being placed on criminal databases for comparrisons, your face will be linked to all sorts of data points relating to you… your internet service provider records, your phone records, bills, social media messages and more.
You’ll soon be walking down the street and your local police officer will know whom you are and where you’re from. They’ll have software on mobile devices pinned to their chests that would have already scanned your face, compared it to a central processing database, linked it to all your account and profile information, and sent that data to the police officer before you even know they’re there.
Is this the sort of world you envisage for yourself or for children? By using these free, fun but privacy infringing mobile apps, you are promoting a behaviour change by dismissing those terms and conditions. These terms and conditions are not written with your data privacy and protection in mind, but actually to take away any control you could potentially have. By continuing you’ll be relinquishing all your rights and controls of your own personal data. Remember, data is whom you are… it’s your identity and defines you to an outsider.
Terms and Conditions are lengthy, complicated central thesis requiring a PhD in Law to comprehend.ThinkOgram (2019)
Yes, FaceApp Really Could Be Sending Your Data to Russia [WWW Document], n.d. . Dark Reading. URL https://www.darkreading.com/endpoint/yes-faceapp-really-could-be-sending-your-data-to-russia/a/d-id/1335429 (accessed 8.9.19).
Olavario, D., 2019. FaceApp: Are security concerns around viral app founded? | #TheCube [WWW Document]. euronews. URL https://www.euronews.com/2019/07/17/faceapp-are-security-concerns-around-viral-app-founded-thecube (accessed 8.9.19).
Terms and conditions [WWW Document], n.d. . Rocket Lawyer. URL https://www.rocketlawyer.co.uk/article/terms-and-conditions.rl (accessed 8.9.19).
Conklin, K., Hyde, R., n.d. If small print ‘terms and conditions’ require a PhD to read, should they be legally binding? [WWW Document]. The Conversation. URL http://theconversation.com/if-small-print-terms-and-conditions-require-a-phd-to-read-should-they-be-legally-binding-75101 (accessed 8.9.19).
Conklin, K., Hyde, R., Parente, F., 2019. Assessing plain and intelligible language in the Consumer Rights Act: a role for reading scores? Legal Studies. https://doi.org/10.1017/lst.2018.25
Terms And Conditions Are The Biggest Lie Of Our Industry, n.d. . TechCrunch. URL http://social.techcrunch.com/2015/08/21/agree-to-disagree/ (accessed 8.9.19).
Terms – FaceApp [WWW Document], n.d. URL https://www.faceapp.com/terms (accessed 8.9.19).