FaceApp Lets You 'Age' a Photo by Decades. Does It Also Violate Your Privacy?

它让你“变老”了，你的隐私还安全吗？

A developer could not have asked for better publicity¹.

开发商期待的最好宣传莫过于此。

This week, two years after being widely panned for a filter that critics described as little more than "digital blackface," FaceApp, a photo-altering smartphone app, found itself at the center of a popular social media challenge.

两年前，一款名为FaceApp的修图移动应用曾因其中一个滤镜广受批评，批评者称其不过是“数字版白人黑脸秀”，而在这一周里，这款应用却成了一项广受欢迎的社交媒体挑战的焦点。

A range of celebrities² had been using the app's age filter to modify photographs of themselves and provide realistic glimpses of what they could look like decades in the future. But then the backlash started.

很多名人都使用这款应用的年龄滤镜来修改自己的照片，逼真展现出几十年后的自己。但随后，反弹开始了。

The app, which was created by Wireless³ Lab of St. Petersburg, Russia, and was ranking among the top free offerings in both the Apple and Android app stores on Wednesday, was uploading much more data than users realized, one Twitter user contended in a widely shared, since deleted post. "Russians now own all your old photos," The New York Post proclaimed in a headline.

这款应用由俄罗斯圣彼得堡的无线实验室(Wireless Lab)开发，周三在苹果和安卓应用商店的免费应用中都名列前茅。一条被大量转发但之后被删的推文称，这款应用上传的数据比用户意识到的要多得多。“你的所有老照片都在俄罗斯人手上，”《纽约邮报》(New York Post)的新闻标题宣称。

On Wednesday afternoon, the Democratic National Committee even sent out an alert, urging staff members on presidential campaigns to delete the app immediately, citing its ties to Russia.

周三下午，民主党全国委员会(Democratic National Committee)甚至发出警告，敦促总统竞选团队的工作人员立即删除这款应用，理由是它与俄罗斯有关。

But at least some of those concerns are overblown, according to several security researchers.

但据几名安全研究人员说，至少其中一些担忧被夸大了。

"The info sent by the application was only my device model, my device ID and Android version, which is very limited information and is quite common for an application," said Baptiste Robert, a French security researcher who specializes in smartphone apps that abuse user data.

“这款应用程序发送的信息只是我的设备型号、我的设备ID和安卓系统版本，这些信息非常有限，对于应用程序来说很常见，”研究智能手机应用的用户数据滥用问题的法国安全研究员巴蒂斯特·罗伯(Baptiste Robert)说。

Mr. Robert did find one other piece of data uploaded to FaceApp servers without user consent, though: the photograph that a user wanted to manipulate.

不过，罗伯确实发现了另一类未经用户同意就上传到FaceApp服务器的数据：用户想修改的照片。

The program says that its three age filters — two for younger-looking images, one for older — use "artificial intelligence" to produce plausible⁵ alterations⁶ to existing photos. Celebrities who have shared such manipulated images of themselves include Drake, Gordon Ramsay, the Jonas Brothers and Dwyane Wade⁷.

该应用称，它的三个年龄滤镜——两个用于让人物变年轻，一个用于人物变老——使用“人工智能”对现有照片做出逼真的修改。分享这种被修改的照片的名人包括德雷克(Drake)、戈登·拉姆齐(Gordon Ramsay)、乔纳斯兄弟(Jonas Brothers)和德维恩·韦德(Dwyane Wade)。

The company did not respond to multiple requests for comment, but it explained how the software works in a lengthy⁸ statement published on Wednesday by TechCrunch. When a user of the app selects a photograph to alter, that image — and only that image — is uploaded to FaceApp servers for processing, it said.

该公司没有回应多次置评请求，但它在TechCrunch周三发表的一份长篇声明中解释了软件的工作原理。该公司表示，当用户选择要修改的照片时，该图像——而且只有该图像——会被上传到FaceApp的服务器上进行处理。

"We might store an uploaded photo in the cloud," the statement read. "The main reason for that is performance and traffic: We want to make sure that the user doesn't upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date."“我们可能会把上传的照片存储在云端，”声明中写道。“主要是出于性能和流量方面的考虑：我们希望确保用户不会在每次编辑操作时重复上传照片。大多数图片会在上传后48小时内从我们的服务器上删除。”

FaceApp does not sell or share user data with third parties, the company said, though it reserves the right to share some information as outlined in its privacy policy. According to that agreement, the app uses "third-party analytics tools to help us measure traffic and usage trends."该公司表示，FaceApp不向第三方出售或共享用户数据，但它保留分享隐私政策中列出的部分信息的权利。根据协议，该应用程序使用“第三方分析工具来帮助我们测量流量和使用趋势”。

Even though its research-and-development team is based in Russia, the company said that user data was not transferred there. Photo processing is performed on servers operated by Amazon and Google, FaceApp's founder⁹, Yaroslav Goncharov, told TechCrunch.

尽管研发团队位于俄罗斯，但该公司表示，用户数据并未转移到俄罗斯。FaceApp的创始人雅罗斯拉夫·贡恰罗夫(Yaroslav Goncharov)告诉TechCrunch，照片处理是在亚马逊和谷歌运营的服务器上完成的。

In a letter on Wednesday, Senator Chuck Schumer, Democrat⁴ of New York, asked both the F.B.I. and the Federal Trade Commission to investigate the app, citing "serious concerns" about security, data retention¹⁰ and transparency.

在周三的一封信中，纽约州民主党参议员查克·舒默(Chuck Schumer)要求联邦调查局和联邦贸易委员会(Federal Trade Commission)对这款应用进行调查，理由是安全、数据保存和透明度方面的“严重关切”。

"It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively¹¹ engaged in cyber hostilities¹² against the United States," he wrote.

“如果美国公民的敏感个人信息被提供给一个频频对美国发起网络攻击的敌对外国势力，那将是非常令人不安的，”他写道。

But Ivan Rodriguez, a software engineer at Google who in his free time investigates suspicious iOS apps, including FaceApp, said he found little cause for concern. Like Mr. Robert, he found that the app collected little identifiable data beyond the photos users chose to alter.

但谷歌的软件工程师伊万·罗德里格斯(Ivan Rodriguez)说，他发现没什么值得担心的。罗德里格斯在业余时间调查可疑的iOS应用程序，包括FaceApp。和罗伯一样，他发现除了用户选择修改的照片，该应用程序收集的可识别数据很少。

"I don't understand where these 'fears' come from, other than the parent company being based in Russia," he said in a Twitter exchange. "I mean, I definitely don't have the resources the F.B.I. or even the F.T.C. have, but so far I haven't found anything that's alarming or that shows this app trying to hide functionality that can be harmful."“除了总部设在俄罗斯的母公司，我不明白这些‘担忧’来自哪里，”他在Twitter上说。“我的意思是，我肯定没有联邦调查局甚至联邦贸易委员会拥有的资源，但到目前为止，我没有发现任何令人担忧的东西，也没有发现这个应用试图隐藏可能有害的功能。”

Like many other applications, FaceApp uses services provided to developers by Facebook and Google, known as Application Programming Interfaces¹³, according to Mr. Robert. And although he was disappointed by the rapid spread of misinformation about what the program collected, he said, he was pleased by the impulse behind it.

罗伯说，和其他许多应用程序一样，FaceApp使用Facebook和谷歌为开发者提供的服务，也就是所谓的应用程序编程接口。他说，尽管他对有关该程序收集信息的不实说法迅速传播感到失望，但他对其背后的推动力感到高兴。

"I'm quite happy, to be honest, because people are starting to be interested by this kind of question," Mr. Robert said, "and they start to understand that, O.K., maybe there are some privacy concerns."“说实话，我很高兴，因为人们开始对这类问题感兴趣，”罗伯特说，“他们开始明白了，好吧，可能还有一些隐私问题。”

Still, he noted¹⁴, such concerns often take a back seat to novelty. "The cool factor is working a lot," he said.

不过，他指出，在新鲜的体验面前，这种担忧往往会退后。“酷的因素发挥了很大作用，”他说。

Mr. Robert and two other researchers who investigated the issue all said they had found no evidence on Apple or Android phones that FaceApp was secretly uploading entire photo galleries. But each voiced concern that the app, like many others, failed to alert users that their data was being uploaded to remote servers.

罗伯和另外两名调查此事的研究人员都表示，他们没有在苹果或安卓手机上发现任何证据，表明FaceApp正在秘密上传整个相册。但他们都表示担心，与其他许多应用程序一样，这款应用程序未能提醒用户，他们的数据正在上传到远程服务器。

"If they don't take privacy seriously, how seriously do they take security?" asked Will Strafach, the founder and chief executive of Guardian¹⁵ Firewall, a tool coming soon for iOS that aims to give users more control over their data. "If they don't take security seriously, what's the risk of either an insider threat or their company being breached¹⁶?"“如果他们不把隐私当回事，又怎么会把安全当回事呢?”卫士防火墙(Guardian Firewall)的创始人兼首席执行官威尔·斯特拉法奇(Will Strafach)问，他的这款即将登陆iOS的工具可以让用户对自己的数据有更多控制。“如果他们不认真对待安全问题，公司遭到内部威胁或被攻破的风险有多大？”

Others online raised concerns about FaceApp's privacy policy and terms and conditions, citing, among other things, a clause that grants FaceApp extensive rights to user photographs. But Jeremy Gillula, tech projects director at the Electronic Frontier Foundation, a nonprofit civil liberties group, said it was similar to those of other apps.

其他人则对FaceApp的隐私政策和条款提出了担忧，主要是其中一条让FaceApp获取了对用户照片的广泛权利。但非营利性公民自由组织电子前沿基金会(Electronic Frontier Foundation)的技术项目总监杰里米·吉卢拉(Jeremy Gillula)表示，它与其他应用的情况类似。

"We always have concerns," he said. "The fact that a lot of apps and services usually contain this catchall clause that says you grant us worldwide license¹⁷ to reproduce, modify, adapt, create derivative¹⁸ works from, distribute, publicly perform and display your user content always seems a little over the top to me."“我们一直有顾虑，”他说。“在我看来，很多应用程序和服务通常都含有这项笼统的条款，即：您授予我们在全球范围内复制、修改、改编、创建衍生作品、分发、公开表演和展示用户内容的许可，我总觉得这有点过分。”