FaceApp, the viral sensation that takes images of users’ faces and morphs them into older or younger versions (or even different genders), topped the charts in Apple and Google’s app stores. In July, the app hit close to 30 million downloads in July. Even celebrities uploaded their facial data.
Then the bubble burst. Privacy advocates voiced their concerns about the app. Many accused the app of uploading, storing, and potentially reusing user photos without permission. In addition, since the app is based out of Russia, U.S. politicians called for investigations as to whether the app was siphoning user data back to Russian intelligence.
"3 critical takeaways from the #FaceApp privacy controversy. What every CTO should know to keep your app from making headlines (for the wrong reasons)"
While FaceApp denied these charges, explaining that it only uploads pictures after users consent, and that it stores these in AWS and Google Cloud (U.S.-based servers), the incident highlights what a challenging time it is to be developing and deploying technology that relies on user (specifically biometric) data. If you’re creating a consumer-facing app that does rely on user data, what can you learn from the FaceApp backlash?
We’ve outlined three essential takeaways below.
1) You Must Have a Clear Communication Policy in Place for User Data
Today’s users demand (and deserve) transparency when it comes to how their personal data is handled. The best way to distinguish yourself from nefarious apps is by being straightforward and comprehensible about your policies at every customer touchpoint.
FaceApp’s biggest mistake wasn’t necessarily in designing a particularly irresponsible app; it was in creating the perception that they were untrustworthy. For example, a major source of concern was the revelation that FaceApp uploads photos to the cloud for alteration rather than working only on a user’s device. The company conceded that it “might” store photos for a short time, but “most images are deleted from our servers within 48 hours from the upload date.” Obviously, “might” and “most” don’t strike the correct tone to reassure worried customers that their data is being handled properly.
Additionally, FaceApp’s terms and conditions were widely perceived to be too far-reaching. Worst of all, they failed to provide a simple avenue for users who wanted to remove their data. (The company’s statement recommends “sending the requests from the FaceApp mobile app using ‘Settings→Support→Report a bug’ with the word ‘privacy’ in the subject line.”)
"FaceApp’s biggest mistake wasn’t necessarily in designing a particularly irresponsible app; it was in creating the perception that they were untrustworthy."
Any company that doesn’t want to be tarred with the same brush as FaceApp should develop clear, easy-to-understand policies for handling data and should then proactively communicate those protocols to users. It’s also important to recognize that developing a culture of transparency and security starts at home, so begin with employee training on these critical subjects. Familiarize yourself with — and address — your users’ concerns without waiting for a data breach. Above all, be sure that your user management system is organized so that you can be responsive and efficient in addressing user requests.
2) Biometrics Are Popular — But They Demand Caution
Consumers are largely open to using biometric data to replace password-centric logins. But this excitement quickly turns to alarm if users fear that this highly personal class of data is being mishandled. A 2018 IBM study cited 67% of consumers being comfortable with the technology today — and a 2019 Veridium report, cited in DarkReading, found that 70% of consumers prefer biometrics over passwords to authenticate at work. So how can a business capitalize on this highly convenient technology without risking a backlash? Simply put, using biometrics carefully and responsibly requires staying at the forefront of industry best practices.
In FaceApp’s case, a confusing login and authorization protocol made some users suspicious that their photos could be misused. Despite the company’s statement to the contrary, it didn’t stop public outcry against the app.
Even if FaceApp isn’t as malicious as many make it seem, the issue underscores the need for a bulletproof authorization system that reassures users — from the start — that their information is in safe hands.
A solution like Auth0’s multifactor authentication(MFA) can deliver this sense of security. It gives companies the option to use biometrics, but in ways that increase data security rather than compromising it. For users, the clean, professional user interface, starting with the login box, communicates the message that their information is securely stored on the the back end.
Auth0’s platform enables companies to create a login process that makes users feel comfortable, even when requesting their biometric information. Furthermore, MFA with Auth0 allows teams to immediately centralize this sensitive user data and keep clearer activity logs. If a consumer asks how his or her information is being used — or how to delete it altogether — it’s a simple process for admins to respond.
With Auth0, you also can add customizable conditions that will prompt additional authentication challenges. For example, if an American customer suddenly tries to access their account from a new or suspicious device or location, the system will request additional data.
Employing biometrics conscientiously is not an easy task — particularly when regulations are constantly changing, and the threat environment is quickly evolving. However, Auth0 maintains the industry’s most rigorous security accreditations and adheres to best-in-class compliance frameworks. This proactive approach to security is at the core of Auth0’s user management system, ensuring that your customers trust that when they share their biometric information with you, it’s safe.
3) You Can’t Afford to Take Data Privacy Lightly
Having a lax attitude toward data privacy puts your company at risk not only for a PR nightmare but also for serious legal trouble. As the laws governing personal data evolve, staying compliant means that every application that touches user identity must be up to date and secure.
FaceApp’s policy of uploading photos to the cloud wasn’t just a failure of communication. Multiple privacy experts have attested that these policies are clearly in violation of the EU’s GDPR, which could subject FaceApp to fines or an outright ban in the EU.
Maintaining visibility and control over customer data is the key to earning regulatory compliance and the public’s confidence. Implementing a dashboard solution gives you a real-time, centralized view of everyone who has access to your end customers’ data.
You can leverage Auth0's RBAC (Role-Based Access Control) feature to handle end-user authorization.
The ability to identify who is accessing data, from where, and for what purpose is critical for proving good-faith regulatory compliance. With Auth0’s dashboard, you have a bird’s-eye view of users, making it easy to spot suspicious behavior and revoke privileges. Easily control permissions for third-party partners or vendors to ensure your customer data isn’t unnecessarily exposed. From the dashboard, you can also quickly respond to customers who wish to modify, access, or delete their data, so they always feel that control over their privacy ultimately belongs to them.
Don’t Wait for a Scandal to Prioritize Privacy
The controversy surrounding FaceApp illustrates how quickly concerns about privacy can turn a company from a viral success story to a cautionary tale. The lesson for CTOs and other technical team leads is that every part of your system that touches on user identity must be watertight, from your regulatory compliance to your ability to spot and respond to anomalies to every piece of customer-facing communication. The cost of a mistake like FaceApp’s can be immeasurable in terms of lost revenue, fines, and customer trust. Partnering with a security-oriented identity management platform like Auth0 can offer peace of mind and an impressive ROI. Don’t wait until it’s too late to save face.
The Auth0 Identity Platform, a product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.