July 23, 2019
Zero Trust

FaceApp Warns Us Once Again: Always Read the TOS

Corey Williams, Vice President, Marketing

Even Leon understands the appeal of FaceApp. 


If you’ve been anywhere near the internet the past two weeks, you’ve most likely heard about FaceApp. The cute little app that lets people see an AI-generated peek at their future selves became a viral sensation, creating tidal waves of old faces crashing through social feeds – and with it, a lot of backlash about privacy and security. (Interestingly enough, this is actually the second time it’s shot through the cultural zeitgeist in as many years. Last time around, the app makers had to apologize for its poorly thought-out “ethnicity filters.”)

Depending on what a person reads or how they approach security, FaceApp is either a proxy for Russian troll farms to subvert American democracy, or a throwaway app with some sketchy terms of service, but … you know, whatever.

The reality is neither. Just because FaceApp is developed in Russia doesn’t mean it’s an automatic information funnel to Vladimir Putin. The Democratic National Committee was perhaps a bit overzealous in sending out a panicked warning to staffers to delete the app (though the concern is understandable). Likewise, people should really pay more attention to what information they are blindly surrendering to developers in exchange for a quick hit of iPhone-induced dopamine.

Always Read the TOS!

As privacy and platform reporter Charlie Warzel wrote in the New York Times, FaceApp’s TOS are horrendous. With one or two clicks, every user is giving the developer complete and total control of images of their own faces, and probably some friends’ too. Warzel points out that by downloading FaceApp, you give the developers an “irrevocable, nonexclusive, royalty-free, worldwide, fully paid, transferable sub-licensable license” over each picture you use.

What does that mean? Well, that’s largely up to the people who made the app, and that’s the problem. FaceApp’s CEO Yaroslav Goncharov told the Washington Post that the company doesn’t “sell or share any user data with any third parties,” and that FaceApp deletes the photos on its server in 48 hours. This is all fine and good right now, but it also doesn’t mean that the company won’t turn around and start selling your data next week, next month or next year.

This is doubly important when it comes to our faces. Facial recognition capabilities are going to become a part of everyday life, whether it’s for unlocking our phones or buying things online, which could enhance our personal security, or for training algorithms and feeding databases for smarter surveillance capabilities, which could do the opposite. We as a nation and as individual users haven’t entirely come to grips with what’s being created right now and how we’re contributing to it by playing fast and loose with our personal data.

This is the massive, gaping privacy hole in our online lives right now. Our data – our faces, demographics, activity, likes and dislikes – is the most valuable commodity available. These harmless little clicks we all make every day are literally worth billions of dollars in aggregate and there’s no incentive for marketers, app makers, advertisers and whoever else can make money off it to play fair in gathering it beyond their own good faith.

That’s not enough.

Learn From Others’ Bad Faith

The lesson here is easy: Data is precious and should be protected at all costs. This applies to everyone and everything, whether it’s casual app users, people who live and work online, small businesses or worldwide conglomerates. Protect your data. Treat everything like a potential threat and only give up that suspicion once you’ve proven it to be untrue.

This is the fundamental philosophy underpinning Zero Trust – “never trust; always verify” – and why we talk about it so much. It’s the only way to know that the people who access your data, be they app or device makers, advertisers, employees, or contractors, are who they say they are, and the only way to truly know if they’re acting in good faith.

For companies, this consists of two basic steps. First, make sure security is a priority and that it’s organized around a coherent philosophy. Second, make sure the company is using a complete set of tools. We recommend a next-gen access model which wraps single sign-on, adaptive multi-factor authentication, workflow and lifecycle management and enterprise mobility management into a single package in order to reduce friction and avoid having to piece it together through a mishmash of vendors. We happen to know a place to find that, too.

For individuals, it’s much harder, but it all starts with the same defensive posture a business would take, combined with learning about where your data goes, how it’s shared and what you can do to keep as much of it in your own hands as possible.

It’s hard work and it absolutely should not be, but it will pay off.

Corey Williams

Vice President, Marketing

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from fewer than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 


If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”