FaceApp Stirs Up Privacy Concerns; Emergency Meeting Called in Wake of Desjardins Data Breach

Dtex Systems
July 22, 2019

FaceApp Lets You ‘Age’ a Photo by Decades. Does It Also Violate Your Privacy?

This week, FaceApp – a photo-altering smartphone app – found itself at the center of a popular social media challenge.

In a letter on Wednesday, Senator Chuck Schumer, Democrat of New York, asked both the F.B.I. and the Federal Trade Commission to investigate the app, citing “serious concerns” about security, data retention and transparency.

The app, which was created by Wireless Lab of St. Petersburg, Russia, and was ranking among the top free offerings in both the Apple and Android app stores on Wednesday, was uploading much more data than users realized, one Twitter user contended in a widely shared, since deleted post. “Russians now own all your old photos,” The New York Post proclaimed in a headline.

The company did not respond to multiple requests for comment, but it explained how the software works in a lengthy statement published on Wednesday by TechCrunch. When a user of the app selects a photograph to alter, that image — and only that image — is uploaded to FaceApp servers for processing, it said.

Baptiste Robert, a French security researcher who specializes in smartphone apps that abuse user data, and two other researchers who investigated the issue all said they had found no evidence on Apple or Android phones that FaceApp was secretly uploading entire photo galleries. But each voiced concern that the app, like many others, failed to alert users that their data was being uploaded to remote servers.

“If they don’t take privacy seriously, how seriously do they take security?” asked Will Strafach, the founder and chief executive of Guardian Firewall. “If they don’t take security seriously, what’s the risk of either an insider threat or their company being breached?”

Emergency meeting in Ottawa on massive Desjardins data breach

MPs on the House of Commons Public Safety and National Security Committee convened in Ottawa on Monday for an emergency summer meeting on the breach of millions of Canadians’ personal information at Quebec-based credit union Desjardins.

In June, the major financial institution revealed that a since-fired employee had improperly accessed and shared the personal information of 2.7 million Canadians and 173,000 businesses. The leaked information included the names, addresses, birth dates, social insurance numbers, email addresses, and transaction habits of Desjardins clients.

On the joint request of opposition members, the Commons committee met on Parliament Hill Monday afternoon and quickly agreed to begin hours of hearings to discuss the breach and possible remedies, including issuing new Social Insurance Numbers (SIN) for all impacted clients. Public hearings with witnesses will continue into the early evening.

Over the course of the meeting, MPs heard from officials from several relevant federal agencies and departments, including the Canada Revenue Agency, as well as from representatives for Desjardins.

Desjardins CEO Guy Cormier told the committee that he felt it was too premature for a post-mortem on what happened in this case as investigations are ongoing, but that he hopes lessons for all Canadian organizations can be learned from this situation.

UK Ambassador Scandal More than a Twitter War – It’s an Example of the Insider Threat in Action

No doubt I wasn’t the only one whose eyes widened when the United Kingdom’s Ambassador to the United States Sir Nigel Kim Darroch’s assessment of the U.S. president was leaked to media.

What was missing until most recently was the underlying problem: The UK had an insider threat which had become a reality. Someone violated their secrecy agreement and perhaps the U.K.’s Official Secrets Act.

The classified cables (messages) which were leaked should have never seen the light of day. An insider took it upon themselves to break trust and exposed the insider threat to the world.

The UK’s Cabinet Office took two investigative paths: was it an insider who had a bone to pick with Darroch, or perhaps a hostile intelligence organization that was attempting to put a spanner in the wheels of the US-UK relationship?

Last week the Metropolitan Police announced that they were opening an investigation.