Incident Of The Week: FaceApp Now Viral For Security Risks

Many urge users to refrain from using the app until further investigation into cyber risks

FaceApp has become wildly popular for its ability to take a photo of anyone’s face and age it or transform its features. Developed by a Russia-based company, however, it has recently gone viral for a different reason: many are questioning the security and privacy risks it may pose for the millions of Americans who have already used the app.

In fact, Democratic Sen. Chuck Schumer has called for a federal investigation into the company as he notes that there are potential national security risks to the data captured within the app.

"It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States," Schumer said in a letter to the FBI and the Federal Trade Commission.

"I ask that the FTC consider whether there are adequate safeguards in place to prevent the privacy of Americans using this application, including government personnel and military service members, from being compromised," the senator wrote.

While the average consumer may not realize the implications of giving up facial recognition data to an organization based in a country that launched a hacking campaign during the 2016 election, cyber security professionals have been warning about the use of artificial intelligence technology like this for some time.

The DNC has now expanded its cyber security efforts to include Chief Security Officer Bob Lord, who has already sent an email to 2020 presidential campaign staff urging “people in the Democratic ecosystem” against using the app, which could have access to its users’ photos.

"It's not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks," Lord said in a notice first reported by CNN. "If you or any of your staff have already used the app, we recommend that they delete the app immediately."

At this time, the company that created FaceApp (Wireless Labs) says that most images are deleted from its servers within 48 hours from the upload date.

The Security Concerns With The App

Dr. Rebecca Wynn, Head of Information Security & Data Protection Officer for Matrix Medical Network, recently wrote about the major cause for concern from Russia in general. “We will continue to see Russia controlling media and using covert online social media personas, in order to generate ‘anti-U.S. political views,’” she predicted.

In February 2018, the United States and Britain blamed the Russian military for the "NotPetya" ransomware, calling it a Kremlin effort to destabilize Ukraine that spun out of control.

According to the Cyber Risk Outlook 2018 Report, during the U.S. presidential election of 2016, the three largest social media companies (Google, Facebook and Twitter) were exploited with both fake accounts and paid advertisements, spreading misinformation that could quickly go viral. Up to 120 Facebook pages with some 80,000 posts are thought to have been created by actors aligned with the Russian state. These posts are thought to have reached at least 29 million people who then exposed the content to 126 million others.

Attributed to Russian intelligence agencies, the misinformation campaign was conducted in conjunction with the targeted data exfiltration of key campaign officials, the strategic leaking of information to public front organizations and the probing of the electoral infrastructure. The same activities have been observed in elections throughout Western Europe. Beyond the undermining of democratic ideals, supporting opposing movements throughout the target states has become standard practice.

In May 2018, a Latvian citizen was found guilty in Alexandria federal court and sentenced to 14 years in prison for designing a program that helped hackers improve malware, including some used in the 2013 Target breach. During the trial, a co-conspirator revealed the pair had worked with Russian law enforcement.

Especially unnerving: in July 2018, Russian hackers gained illicit access to the control rooms of U.S. power companies, an incident cited as a specific high-profile threat. Though nothing came of it, a spokesman for the U.S. Department of Homeland Security went on the record as saying that the hackers had the ability to “throw switches” had they desired.

While we’ll have to wait and watch what will come of the data privacy issues and potential investigations with the app, Wynn offered four ways for the enterprise to protect itself from any potential nation-state attacks. She recommends cyber insurance, updating software, demanding removal of any nation-state exclusions in your cyber policies, and enlisting coverage counsel to review your company’s cyber risk management program.
