FaceApp and Tinder Cases
A few months ago, a smartphone app named FaceSwap became viral because of its “Gender Swap” features.
Recently, they went viral again, thanks to the age filter, which will show you how you will supposedly look like when you are old.
On the surface, it just looks like a fun, harmless app. You just pop in your photo and then it will show you how you’d look like as the opposite gender or when you are old. However, underneath the surface, there are serious privacy concerns. FaceApp is not alone when it comes to compromising their user’s privacy.
You may be aware of this app:
That happens to be Tinder, the most widely-used dating app in the whole world. The concept is simple, if you like someone then swipe right, otherwise swipe left. Unfortunately, Tinder has also repeatedly come under the spotlight for not being responsible with user data.
In this article, we are going to give you a brief idea of how both these companies misuse user data. After that, we will show you how blockchain-based decentralized applications, particularly VID, won’t make the same mistakes.
Many cybersecurity experts raised red flags about the company behind the app, the Russia-based “Wireless Lab.” As per their terms and conditions, they have the full freedom to use your photos in any way they want. Security awareness expert at Safr.Me, Robert Siciliano feels that such apps are not accountable for taking chunks of your data.
“Consumers just think it’s fun and blindly share. There has been a lot of worry regarding Russian-based companies whose hands are being forced by the Russian government [when] they require a backdoor access to the companies’ data and servers.”
Every time you upload your picture to the cloud in FaceApp, the photo could be used overseas in various countries, such as Russia. While their servers are reportedly located in the United States, the firm’s privacy policies don’t explain how exactly it safeguards user data.
Exploiting data for facial recognition
Since FaceApp owns the images uploaded to its service, and they have the freedom to use them in any way they please. They can use the sell the photos to advertisers, splash them across billboards, and most worryingly, use it in the development of facial recognition technology. By using the app, you are giving the company the right “to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed.”
Siciliano added, “Any app gathering data points that could lead to facial recognition should be of concern especially when it’s being used by government agencies, foreign companies or foreign intelligence.”
As per researchers from cybersecurity firm Checkmarx, Tinder’s iOS and Android apps have two distinct security flaws. These flaws will give hackers a way to see:
- Which profile photos a user is looking at.
- If they are positively and negatively reacting to a particular image.
Having said that, the names and other personal information are encrypted, so they are not at risk.
Deeper look into Tinder’s vulnerabilities
As per Checkmarx, Tinder’s vulnerabilities are related to the inefficient use of encryption. Since the apps don’t use the secure HTTPs protocol to encrypt the profile pictures. Due to this, the attacker can intercept traffic between the user’s mobile device and the company’s servers. This gives them the power to:
- See the user’s profile picture.
- See all the pictures he or she reviews.
By using this data, the attackers can replace an image with a different photo, an advertisement, or link out a website which contains malware or a call-to-action designed to steal personal information. Tinder released a statement saying that while its desktop and mobile encrypts the profile images, they are working towards encrypting the images on their apps too.
However, according to Justin Brookman, director of consumer privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports, this may now be enough. Brookman said, “Apps really should be encrypting all traffic by default — especially for something as sensitive as online dating.”
Brookman also stated that the problem gets even worse when you consider the fact that it is difficult for the average person to determine whether a mobile app uses encryption. With a website, you can simply look for the “HTTPS” at the start of the internet address. There is no simple way to do that in a mobile app.
Another security issue for Tinder stems from its very architecture. Different data is sent from its servers depending on whether the user is swiping left or right. While the data itself is encrypted, the researchers can tell the difference between the two responses by just looking at the length of the encrypted text. What this means is that just by looking at the size of the text, the attacker can figure out how the user responded to a particular image.
So, we can conclude that an attacker can see the images the user is looking at, and how they are responding to those images.
Amit Ashbel, Checkmarx’s cybersecurity evangelist and director of product marketing, said, “You’re using an app you think is private, but you actually have someone standing over your shoulder looking at everything.”
How VID will not make the same mistakes
VID is a privacy-focused AI video journal app that allows you to remember your life and monetize your memories. The AI will collect all these meta-data from all the popular apps. After that, it will auto-tag them, create a nice little video package, and then organize them in a calendar to give you your own personal journal.
Obviously, this raises the question — what is preventing VID from misusing your data?
VID’s architecture has incorporated zero-knowledge encryption within its ecosystem, which imparts privacy to its users. Using cryptography, VID users can safely allow the app to access their data, knowing that VID itself will not be able to access it. This will prevent VID from harvesting your data, giving you full ownership over it in the process. Your data is yours and yours alone.
Apps like FaceApp and Tinder shows us what companies can do with our private data if we just choose to expect them to do the right thing. Using the blockchain will give allow the company and the users to interact in a trustless environment. VID will help disrupt the social media paradigm by incorporating cryptography and decentralization.