There’s a lot of attention on FaceApp, but is it warranted? Most people ask: just because I give a photo to you, does this mean you can use it for anything you like? But what’s so concerning about “anything you like”? Are we talking about far fetched fantasies? Well, the Black Mirror is here — It is playing out in Hong Kong.

FaceApp is hardly the worse offender out there#

Data sharing and transfer is normal#

FaceApp raises a lot of issues:

1. A clause that grants FaceApp extensive rights to user photographs
2. The parent company being based in Russia
3. Personal information was being uploaded to remote servers
4. Sharing of data with third parties

Many of these are hardly unique to FaceApp (Except perhaps the Russian Parent part). Modern app development uses third party tools and services. Data centers are located all over the world. There is bound to be sharing of data between partners and across borders.

The “super clause” persists#

Even the super clause is not unique. As late as 2012, Google sported a form of this super clause:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

Google’s 4,000-Word Privacy Policy Is a Secret History of the Internet (10 July 2019): https://www.nytimes.com/interactive/2019/07/10/opinion/google-privacy-policy.html

Closer to home, the super clause is also used very liberally. Check out the “Singapore Government Agency Privacy Statement” (see an example here):

If you provide us with personally identifiable data… where appropriate, we may share necessary data with other Government agencies, so as to improve the discharge of public functions, and to serve you in the most efficient and effective way unless such sharing is prohibited by law.

Purpose Limitation is Limited#

Thanks to the Personal Data Protection Act, a Singaporean company cannot use data for purposes which you have not consented to. Most Singaporean companies, if they do have a privacy policy, state the purposes which information is collected. However, a company may be able to request consent for an unreasonable purpose. How narrowly a purpose is read, or how “reasonable” a purpose needs to be, is still uncertain.

To conclude, data sharing and data transfer happens a lot. Are we able to police this behaviour with the current state of our laws?

When it all goes wrong in Hong Kong#

Hong Kong is at an important juncture of its history. Protesters are testing the limits of the Chinese government on the 30th anniversary of the Tiananmen incident. China is also well known for perfecting the art of the surveillance state. A study of data collection and sharing practices in Xinjiang reveal a social credit system using extensive security cameras and monitoring.

Against such a backdrop, all bets are off in Hong Kong.

• Many protesters now cover their faces. They fear that the police are using cameras and possibly other tools to single them out for arrest.
• Police officers are also removing their identification. Police officers claim they do not wish to be doxxed. Protesters take this as a sign that police officers are no longer accountable.
• A protester claimed the police tried to force him to unlock his phone using the phone’s facial recognition. I don’t know how he did it but he managed to disable it in time.

Since reading this report, I have thought twice about using my face to unlock my phone. Or using my fingerprint either.

It is startling how the breakdown in trust between the government and the people can lead to dangerous results. Hong Kong was regarded as safe for a long time. While the situation is still developing. we should be careful about the information we share in public.

The attention is helpful#

The FaceApp does not say anything new. Lots of what was complained about is already happening on the Internet. However, the incident does show what we may be giving up for our simple pleasures. People are starting to sit up.

“I’m quite happy, to be honest, because people are starting to be interested by this kind of question,” Mr. Robert said, “and they start to understand that, O.K., maybe there are some privacy concerns.”

FaceApp Lets You ‘Age’ a Photo by Decades. Does It Also Violate Your Privacy? (NYT, 17 July 2019)

Coupled with the events in Hong Kong, we get a stark reminder of how our data can be used against us. Black Mirror is not just a show on Netflix. Technology and the state’s motivations made it a reality. We should ask ourselves to be more careful. I wouldn’t use FaceApp, and I encourage you not to.

Do you agree that the events in Hong Kong is a bigger privacy news? Or that our fears are still overblown at this stage? Feel free to comment!