Friday, July 19, 2019

Viral Russian App's Suspicious Terms Deciphered

Since 2017, FaceApp has been used by those who wanted to make their social media photos to look old. After the Russia-based app had collected 150 million faces, somebody finally read its Terms of Use and Privacy Policy, and hit the panic button. Mainstream media jumped on the story. Yesterday the Democratic National Committee requested its staffers and campaigns to delete the app.    Why?

Turns out boilerplate provisions of the aforementioned documents give the app the right to use your face and other personal data for whatever they want, including advertising, without compensation to you. Even though countless other apps use the same exact boilerplate verbiage in Terms and Privacies, FaceApp drew disproportionate amount of suspicion due to it being headquartered in Russia when the memories of Russian state hackers helping Mr. Trump get elected are still very fresh. 

I will now translate FaceApp's legalese to plain English. So that, when you see your face in Russian propaganda ads or stock photos, you will understand how this is legally possible under US law. In fact, you can even end up owing FaceApp some money if there are problems with your face.

Most of the controversial provisions are in FaceApp Terms of Use, Section 5 "User Content."

"You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you..."

Plain English translation: "You agree that we and our affiliates can use anything you upload however we want, for free, forever, anywhere. You can't change your mind later after you uploaded smth."

"You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp’s use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf."

Translation. "We can use your stuff even for commercial purposes and even if it includes your name, voice and nicknames. You can't later claim that this caused you any harm."

"You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such."

Translation. "We can feed you and other users secret ads, maybe even right next to your content." This provision is legally vulnerable and, most likely unenforceable, b/c the FTC, Google Play Store do not allow secret ads.

You represent and warrant that: (i) you own the User Content modified by you on or through the Services or otherwise have the right to grant the rights and licenses set forth in these Terms; (ii) you agree to pay for all royalties, fees, and any other monies owed by reason of User Content you stylize on or through the Services; and (iii) you have the legal right and capacity to enter into these Terms in your jurisdiction...

10. Indemnification. To the fullest extent permitted by applicable law, you will indemnify, defend, and hold harmless FaceApp… from and against any loss, liability, claim, demand, damages, expenses or costs (“Claims”) arising out of or related to… (b) your User Content or Feedback; (c) your violation of these Terms; (d) your violation, misappropriation or infringement of any rights of another (including intellectual property rights or privacy rights)...

You agree to promptly notify FaceApp Parties of any third party Claims, cooperate with FaceApp Parties in defending such Claims and pay all fees, costs and expenses associated with defending such Claims (including, but not limited to, attorneys’ fees). 

Translation: "If it later turns out that you didn't have full rights to the stuff you uploaded and we get sued, then you'll have to pay for all damages plus our attorneys' fees." You don't always hold copyright to the photos of your face. Normally, whoever clicked the shutter release button owns copyright, unless you paid them for this work. It is so even if it's your camera and you set up the exposure and everything else. 

"User Content removed from the Services may continue to be stored by FaceApp, including, without limitation, in order to comply with certain legal obligations."

Translation. "We get to keep your stuff even after you delete it from the app for any purpose."

"12. Limitation of Liability
The total liability of FaceApp and the other FaceApp Parties, for any claim arising out of or relating to these Terms or our Services, regardless of the form of the action, is limited to the amount paid, if any, by you to access or use our Services."

Translation: "Even if you prove any wrongdoing by us, you won't be able to get anything other than the fees you paid us." Later it is clarified that this limitation does not apply to cases of gross negligence, fraud or intentional misconduct of FaceApp.

"14. Transfer and Processing Data
By accessing or using our Services, you consent to the processing, transfer and storage of information about you in and to the United States and other countries, where you may not have the same rights and protections as you do under local law."

Self-explanatory. They can send your data to the US, Russia or any other country. Unenforceable against EU users b/c GDPR requires explicit informed consent for transfers outside the EU, meaning consent request has to be in your face, not buried among other provisions. 

15. Dispute Resolution; Binding Arbitration
..., you and FaceApp waive your rights to a jury trial and to have any dispute arising out of or related to these Terms or our Services resolved in court. Instead, all disputes arising out of or relating to these Terms or our Services will be resolved through confidential binding arbitration held in Santa Clara County, California...


You have the right to opt out of binding arbitration within 30 days of the date you first accepted the terms of this Section 15 by notifying FaceApp in writing. The notification must be sent to:

Wireless Lab OOO
16 Avtovskaya 401
Saint-Petersburg, 198096, Russia

Translation: "You won't be able to sue us in court and have a jury trial unless you send a notice to our Russian office within 30 days from when you clicked to accept our Terms without reading them. Without that written notice you'll have to arbitrate in private in California instead of going to public court. Either way, the deadline to bring a claim is one year."

Is all of the above legal? In the US and much of the rest of the world, yes, except for the secret ads. Not only most of the above is legal, it is also widely used by many other apps. Just check your phone. In the EU, however, the privacy law is a lot stricter and it's against the GDPR to have users click through to such terms without unbundled affirmative consent. 

To sum up, FaceApp's terms are pretty terrible but not any more so than what lots of other apps have. Most of this verbiage is boilerplate and legal. While there is a lot of potential for abuse, it's because of how lax US online privacy law is, not because of anything sneaky the Russian developers did.