17 comments

  • freehunter 11 days ago

    I know it's against the rules to tell people to read the article, but I would encourage everyone to read the article. It specifically says this is a potential threat to

    >"elected officials, candidates, political campaigns, [and] political parties"

    not to the general public. The potential threat is for someone at Candidate_1's campaign taking selfies with the app, that then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location from the app (like how Strava was leaking the coordinates at military bases [1]) or any number of things a hostile foreign government who has already hacked American elections once and is planning to do it again might want to do with pictures that interns/staffers might think are private.

    [1] https://www.theguardian.com/world/2018/jan/28/fitness-tracki...

    • wruza 11 days ago

      >Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location

      It feels like a boy scout camp rather than government then. The same for a bunch of emails that ‘interfered’ with true democratic elections. If your organization is so fragile that revealing a tip of your pants makes everyone wonder if they are clean, then maybe that is what needs to be fixed, not someone who posts pictures of it to the internets (in this case provides a REST API for you to do that). However evil my country’s govt will ever be, the level of this nonsense is pushing the heliopause.

      • quaquaqua1 11 days ago

        Never underestimate the ability of the US government to lay blame elsewhere! (1) (2)

        (1) Or any human for that matter

        (2) I am an American

      • Stratoscope 11 days ago

        > I know it's against the rules to tell people to read the article, but I would encourage everyone to read the article.

        It's not against the rules at all, so thank you for the encouragement! I will go read the article.

        What the guidelines warn against is something different: Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."

      • slg 11 days ago

        Can apps still get information that identifies the specific device? If so, another possible threat model could be more about identifying who uses what device rather than anything specifically in the photos themselves.

        For example, I already have a database of high-value targets' faces built from political sources like house.gov. Now I do facial recognition between that set of faces and the FaceApp faces. That allows me to identify the specific devices used by government officials. That would seem to be super valuable for more targeted attacks and/or pairing with other apps for potential kompromat.

        • Scipio_Afri 11 days ago

          I was thinking more along the lines of hacking because now you have a face and can identify who they work for and that they may have valuable info being a part of X person’s political campaign. Potentially you’d then install some silent update or use some new exploit to gain access to the rest of their phone. Anyone know if that is possible?

          • JaRail 11 days ago

            Current-gen devices provide an advertising id. It's unique to the device but can be reset to a new random value by the owner in the OS settings.

            • judge2020 11 days ago

              I think they're talking about just what device they have and OS version (but that's available in the user-agent anyways[0]), since that tells an adversary what exploits to purchase or put resources into developing. Who knows, maybe 30% of congress people haven't yet upgraded to an iPhone with the A12/A13 chip (which can't be exploited via the checkm8 exploit).

              0: https://developers.whatismybrowser.com/useragents/explore/so...

          • duxup 11 days ago

            I wonder how long that is the only threat.

            I knew someone volunteering for a senate campaign. They noted their personal email suddenly had what looked like a lot of spear phishing type emails.

            • nl 11 days ago

              > It specifically says this is a potential threat to "elected officials, candidates, political campaigns, [and] political parties"

              But that is NOT what it says at all.

              I can't emphasise how misleading this summary is! The exact quote is:

              > If the FBI assesses that elected officials, candidates, political campaigns, political parties are targets of foreign influence operations involving FaceApp [then the FBI would investigate].

              Note that "IF"? That puts a pretty different spin on it to your interpretation!

              Separately, it says:

              > The FBI considers any application or similar product developed in Russia, such as FaceApp, to be a potential counter-intelligence threat.

              @dang - I think that the current headline "FBI designates FaceApp as counterintelligence threat" is misleading. "Designates" implies something like being added to an official list (like a sanctions list or something). A better headline would be "FBI responds to congressional query on FaceApp" or "FBI considers all Russian-built apps counterintelligence threats"

              • freehunter 10 days ago

                Not at all. There's plenty of people in this thread wondering what "potential" means in "potential threat". This is what that potential means. The FBI has assessed that this app is a potential threat but they haven't found any evidence that Russia's government is actually using it in this way. If the FBI finds out that it's being used as an attack vector, then they will jump in to assist.

                Not misleading at all. I don't know why so many people are reading this so wrong, it's not a long letter. The Senate asked the FBI if this app was a threat to US politicians, the FBI said it could be but they don't see it being exploited at this time. If that changes, the FBI will intervene. Pretty simple to understand as long as you read the words that were written.

                • nl 9 days ago

                  Your version, "It specifically says this is a potential threat to 'elected officials, candidates, political campaigns, [and] political parties'", makes it sound like the FBI said that.

                  In the letter it speaks separately about FaceApp specifically (~"no known campaigns") and general potential threats (~"anything developed in Russia"). Your summary combines a quote from the "no known campaign" and the "anything developed in Russia" bit to say something they never said.

                  Specifically the letter says the FBI will investigate any foreign influence operations involving FaceApp aimed at officials.

                  Your version turns that into a claim that the FBI says FaceApp is only a potential threat to those officials. The letter doesn't say that at all.

                  Additionally you make up a bunch of stuff around the threat model that you claim the FBI sees. ("The potential threat is for someone at Candidate_1's campaign taking selfies with the app, that then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location from the app (like how Strava was leaking the coordinates at military bases [1]) or any number of things a hostile foreign government who has already hacked American elections once and is planning to do it again might want to do with pictures that interns/staffers might think are private.")

                  Again, this letter doesn't say or imply that. In fact, the foreign influence operations may imply that the FBI is more concerned about foreign adversaries using the politician's likeness (eg for "Fake News" style videos or something).

              • trhway 11 days ago

                >The potential threat is for someone at Candidate_1's campaign taking selfies with the app, that then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?)

                good old days just less than 20 years ago back at Sun when we were strictly instructed that the computer monitors must be off when the photos would be taken. How times and basic norms of opsec have changed - these days you just tweet the straight photo of the classified monitor screen https://www.npr.org/2019/08/30/755994591/president-trump-twe...

                • mc32 11 days ago

                  I remember when the Sony-DPRK thing happened there was a photo of Cybercommand and it showed a wall of monitors and people were examining the tools they had open on the monitors.

                  There was also a photo from the Iranian Nuclear agency and it had photos of their systems and software on their website or something and it was scraped for info prior to Stuxnet.

                  McAfee let some "Wired" photog take a digital photo without ensuring geotagging was disabled or removed from the metadata when he was prancing over Belize as he was escaping some plot to frame him.

                  Those lapses happen.

                  • wanderer2323 11 days ago

                    To be more precise, it seems to be a photo of what 'experts' say is 'almost certainly' an image from a 'classified' satellite or drone.

                    • baxtr 11 days ago

                      This really does not look like a photo of a monitor. Looks instead much more like the original photo?

                      • trhway 11 days ago

                        The flash reflection and the head and shoulders shadow suggest monitor mounted at the eye level.

                      • laughinghan 11 days ago

                        Is President Trump representative of modern opsec norms?

                        • trhway 11 days ago

                          I think it is close to it. I mean for example that FBI guy - Peter Strzok - who led investigation into Clinton's mishandling of emails was himself officially found in flagrant violations of classified information handling policies in particular for storing the classified documents on his personal unencrypted devices, etc. Somehow I don't think that Strzok is just an exception at FBI - he spent 21 years there after all - , no, he is just the one who got caught because he attracted attention (by his anti-Trump and pro-Clinton text messages on his FBI issued phone while investigating Clinton emails and Trump-Russia collusion - speaking about opsec again :)

                          • soul_grafitti 11 days ago

                            No. He is representative of a self-aggrandizing moron.

                        • glorious 11 days ago

                          > a hostile foreign government who has already hacked American elections once and is planning to do it again

                          What do you mean by hacked? There is no evidence that any vote counts were changed. So I don't think the election was hacked. The only evidence of any hacking was the theft of DNC emails, but even then the DNC has never turned over the servers they say were hacked to the FBI. And Crowdstrike retracted key parts of their report on the supposed hacking.

                          Certainly I think the Russian government would love to control the outcome of American elections, and they probably try daily to do that. But saying that they or anyone else hacked American elections is a stretch.

                          I'm not saying this with any political motivation. I'm just trying to interpret the facts of what happened in 2016.

                          • stevespang 11 days ago

                            That's only the most obvious of targets - there are many other possibilities, some yet to be imagined. What about mafia style hits? As in the Russian agents who nerve gassed their adversaries in Britain?

                          • rauchp 11 days ago

                            Looks like the FBI designated FaceApp as a threat because of its crazy data policy and its Russian origin. Even though I think it's a really shady app, that's a pretty low bar.

                            • zkid18 11 days ago

                              I think FaceApp should be hosted on an AWS-like infrastructure.

                              Hosting in Russia is expensive and does not provide any advantages, such as dynamic routing that is crucial for world-wide app. Most developers use it to comply with Russian standards: you only need to store information about Russian users on Russian servers. In addition, currently in Russia there are no good alternatives for reliable cloud neural network inference.

                              But I can’t understand the negative media about the application, based on the founder’s country of origin. I argue that this is discrimination because there is as yet no evidence of breach of confidentiality.

                              • freehunter 11 days ago

                                According to the article, FaceApp says they host in the United States, Singapore, Australia and Ireland. Whether that's true or not, I don't know. The problem the FBI has is no matter where the data is hosted, the Russian government has access to it as long as the Russian developers of FaceApp have access to it.

                                • FDSGSG 11 days ago

                                  >I think FaceApp should be hosted on an AWS-like infrastructure.

                                  >Hosting in Russia is expensive and does not provide any advantages

                                  Hosting in top .ru DCs like Selectel is vastly cheaper than on any AWS-likes. These are extremely different products though.

                                  • zkid18 11 days ago

                                    You might be right. It's been a while since I tried to migrate to Russian servers.

                                  • debt 11 days ago

                                    It’s worth noting that the heads of CIA, FBI, NSA, DHS and the Justice Department have all confirmed the Russian government are currently actively engaged in ongoing global disinformation campaigns propagated primarily on social media designed to sway elections in democracies abroad.

                                    It’s beyond dispute.

                                    The Russian government has breached confidentiality.

                                    • zkid18 11 days ago

                                      US intelligence agencies do the same, no?

                                      The country intervening in most foreign elections is the United States with 81 interventions, followed by Russia (including the former Soviet Union) with 36 interventions from 1946 to 2000—an average of once in every nine competitive elections [1]

                                      [1] https://en.wikipedia.org/wiki/Foreign_electoral_intervention

                                      • debt 11 days ago

                                        "US intelligence agencies do the same, no?"

                                        Yes, definitely, again another thing beyond dispute. Not sure what the point is you're trying to make though.

                                        • remarkEon 11 days ago

                                          The most effective aspect of this disinformation campaign is that if you share the wrong meme on reddit or Facebook you can get accused of being a tool of the Kremlin, which is pretty grand and hilarious really. Americans have gaslit themselves into thinking the Russians are everywhere (again).

                                          • zkid18 11 days ago

                                            My point is that I do not see a direct connection between the mobile application founded by the Russian indie developer almost 2 years ago and the swaying of one of the most established democracies in the entire history.

                                            • Craighead 11 days ago

                                              No, not at all the same. Please educate yourself on the Russian SORM law. Russia is a revisionist authoritarian regime establishing cyber sovereignty in places other than Russia.

                                      • flattone 11 days ago

                                        policy standpoint that's a low bar

                                        but from a counter intelligence standpoint that's finger painting bar

                                        • r41nbowdash 10 days ago

                                          Yeah, I don't think it's about the data storage, as much as the possibility of backdooring your phone by a rogue state.

                                          • nl 11 days ago

                                            They haven't designated it as a threat. The headline is wrong.

                                            • TheRealPomax 11 days ago

                                              Not during an election year, at a point in time that sees _much_ heavier use of these apps than even 4 years ago, no.

                                            • unityByFreedom 11 days ago

                                              It says potential threat, not threat, and according to this letter, the Russian government can access ISP data directly without request.

                                              • ShorsHammer 11 days ago

                                                Thankfully that doesn't happen anywhere else in the world.

                                                Australian government metadata requests were well over 300,000 last year, nearly 1000 requests a day all warrantless, can come from tiny local councils or horse racing orgs. Trust us, they say, there's oversight in hidden tribunals, they say.

                                                • freehunter 11 days ago

                                                  Yes all countries do it, but US intelligence doesn't just take into account the action, they take the actor as well. Australia is a friendly nation to the US and shares intelligence data with US intelligence agencies. What we see, they see and what they see, we see. Russia is not a friendly nation to the US and does not share intelligence with US intelligence agencies.

                                                  The FBI isn't saying "normal people are at risk from FaceApp" but "US intelligence is at risk from the use of FaceApp". In the (very short) linked letter, it specifically calls out "elected officials, candidates, political campaigns, [and] political parties".

                                                  Considering all US intelligence agencies unanimously agree that Russia already attacked US candidates and political parties in the past, saying "yeah but everyone does it" is about as off-topic of a remark as you can get. To my knowledge the FBI has never publicly disclosed Australia's efforts to meddle in US elections.

                                                  • _jal 11 days ago

                                                    > saying "yeah but everyone does it" is about as off-topic of a remark as you can get

                                                    I've seen this sort of "argument" a lot lately. Not sure why people think it communicates anything other than lazy cynicism.

                                                    That everyone (to a rounding error) has sex does not mean that everyone has sex with everyone.

                                                  • ShorsHammer 10 days ago

                                                    How any US serving member is allowed to use facebook or random apps is beyond me. The entire premise here is absurd. Of course it is a risk, just like the app partially owned by tencent that one of the most popular sites in the world insists you install when browsing on mobile.

                                                    Australians legally do metadata and spying better than everyone else on many metrics and then share it with the multiple eyes. Something to remember when the media is whipping up a threat frenzy. Given Australia's treatment of whistleblowers and slow descent into authoritarianism, I very much envy the few protections Americans take for granted.

                                                • asdfasgasdgasdg 11 days ago

                                                  > It says potential threat, not threat

                                                  Aren't all threats potential threats, until they are actual? I dunno, maybe the FBI has a formal delineation between potential threat, threat, and . . . whatever is after that. But I doubt it.

                                              • tehlike 11 days ago

                                                Plenty of Chinese apps under the "utility" category are flooding US consumers...

                                                • walrus01 11 days ago

                                                  Notably ES File Explorer was recently removed from the Google play store because of suspicious behavior. One of the most popular Android file managers.

                                                  • LilBytes 11 days ago
                                                    • desine 11 days ago

                                                      I bought a microSD reader off Amazon, which has two dongle ends, one USB type A for a computer, one Lightning, for my iPhone. According to the included instructions, it required me to download an app (from the Apple app store) to use on the iPhone. I didn't trust the App, even with Apple's scans, so I ended up using it with my already-owned Camera Connection Kit (Lightning to USB Host) adapter just fine. The name of the app was something very similar, if not identical, to that name, which is what reminded me of it.

                                                      It seems fishy that the Apple provided Files app didn't recognize my SD card

                                                      • xnyan 11 days ago

                                                        Someone please correct me if I'm mistaken, but this is/was a limitation imposed by Apple before iOS 13. On iOS 13 (on an ipad pro at least) you can now access an SD card via files, but before that it was Photos or a bespoke app from the manufacturer only. I've not tried on an iphone recently.

                                                      • ravenstine 11 days ago

                                                        Aw man, I had no idea! Time to delete. :(

                                                        • ericfrederich 11 days ago

                                                          Total Commander was the recommended replacement a while ago when ES started to become shady.

                                                          • sjwright 11 days ago

                                                            Android: for people who want the freedom to do anything.

                                                      • not2b 11 days ago

                                                        The article does not match the headline. The FBI letter only calls it a "potential" threat, meaning maybe it is a threat, maybe not.

                                                        • debt 11 days ago

                                                          Yes so buyer beware. Russian government currently engaged in global disinformation campaigns, use app at your own risk.

                                                          • finneganscat 11 days ago

                                                            The CIA is now, and always has been, engaged in global disinfo campaigns. Who cares? Isn’t what’s good for the goose also good for the gander?

                                                        • Wissmania 11 days ago

                                                          I wonder how many people with a profile picture of their face on their Twitter/Facebook accounts are seriously concerned about this

                                                          • Nextgrid 11 days ago

                                                            I wouldn't be surprised if this app collected much less data than the Facebook cancer. Facebook is not only stalking you through its main app but its other brands (Insta, WhatsApp, etc which a lot of people don't even know they're owned by FB) as well as unrelated third-party apps & websites that embed their malicious SDKs.

                                                            Facebook is an industrial-scale stalking operation. I doubt FaceApp (or frankly any government actor) could pull off something like that even if they wanted to.

                                                            • baroffoos 11 days ago

                                                              The difference is which government the spyware corp is controlled by.

                                                            • Merrill 11 days ago

                                                              The face picture is not really the problem. The app slurps other data from the device, such as log files, cookies, identifiers, etc. Of course, this app is probably not dissimilar to many of the other 2.5 million Android, 1.8 million Apple, 0.7 million Windows, and 0.5 million Amazon apps. https://www.statista.com/statistics/276623/number-of-apps-av...

                                                              • judge2020 11 days ago

                                                                Well Twitter and Facebook are American companies so it's obviously patriotic to give them your image and data.

                                                                (/s)

                                                                • Wissmania 11 days ago

                                                                  The photos are public too...

                                                                  • corporate_shi11 11 days ago

                                                                    It's certainly better than giving your face to sketchy apps from Russia or China.

                                                                    • zzzcpan 11 days ago

                                                                      It's not better to have your face or other data in a database within reach of your own government. Your government has power over you, other governments do not.

                                                                      • creato 11 days ago

                                                                        The FBI very specifically is concerned about public/elected officials. You don't think other governments might be interested in data about elected officials?

                                                                        • borski 11 days ago

                                                                          Other governments absolutely have power over you, just not always legally.

                                                                          • ta999999171 11 days ago

                                                                            Or anywhere nearly as easily, to be fair.

                                                                          • zaphirplane 11 days ago

                                                                            I need a passport and driver license

                                                                            • ta999999171 11 days ago

                                                                              That one piece of paper doesn't say you do, but, I digress.

                                                                          • PhasmaFelis 11 days ago

                                                                            If it's in your public Facebook profile (or any other public profile), you've already given it to Russia and China.

                                                                      • JoeCortopassi 11 days ago

                                                                        There is no threat model for an iPhone app to do nefarious things in an App Store distributed app on a non-jailbroken phone. At most, FaceApp grabs the picture you uploaded and some minor meta-data that every app using an analytics tool (read: all of them) collects.

                                                                        This is political grand-standing at best, and would be a non-issue if you replaced the geographic location of the dev team with any other countries

                                                                        I get it, Russia is the Big-Bad-Boogeyman right now. But if you think for a second that a real attempt at counterintelligence would publicly come from such an obvious point of interest, then I have a bridge to sell you

                                                                        • saurik 11 days ago

                                                                          By "non-jailbroken" you should mean "jailbreakable": it is the existence of the vulnerability that makes the phone insecure, not the user having used an exploit to leverage that vulnerability to do something for them. Like, for no avoidance of doubt: if you are running a version of iOS for which you can download an app-based jailbreak (which has been all jailbreaks for current phones that have been released for years now, all reliant on sandbox escapes), the issue is that the attacker jailbreaks your phone, not that you do; and also, to be explicit, as people also often confuse this, the code I would put in an app for a "back door" capable of letting me jailbreak remotely would not look like exploit code but would look like an innocent bug: maybe a vtable use after free bug on my stack while parsing a network response for which I knew the location of all the required ROP gadgets to exploit (put differently: "if you want to put a back door in software, just leave yourself a vulnerability you know how to exploit, and then claim you weren't evil, you were just bad at memory management or concurrency... like everyone else").

                                                                          • JoeCortopassi 11 days ago

                                                                            Just to be clear, you’re saying that FaceApp has a yet unfound component that lets them remotely jailbreak an otherwise un-jailbroken Phone via a published AppStore app? and that they’ve done this in the open on one of the most politically criticized apps short of Facebook?

                                                                            • saurik 11 days ago

                                                                              1) I am saying that your assertion that "There is no threat model for an iPhone app to do nefarious things in an App Store distributed app on a non-jailbroken phone." is a misleading statement that is making a very broad and entirely inaccurate claim about something that I personally don't want anyone confused about (the safety of users jailbreaking their own phone, particularly on these newer devices where the jailbreak developer has very limited ability to mess with the sandbox).

                                                                              However, 2) I would imagine the probability that FaceApp does not have a vulnerability in it somewhere is extremely low, as in my experience essentially every single app has security flaws in them; the problem in your mental model is that you think someone would "find" a "component" that would be a smoking gun of some form, whereas only an idiot would make a back door something other than a security vulnerability (as essentially every single app has security vulnerabilities). Were any placed there on purpose? No one would ever know.

                                                                          • godelski 11 days ago

                                                                            The threat model is that this photo is shared with the Russian government and then the Russian government can match American citizens (or potentially people working in intelligence), and then use that in facial recognition programs. I.e. they can differentiate Americans (insert x country) from their own citizens and know who to watch more carefully.

                                                                            This is a legitimate threat model. I'm not sure why you think it wouldn't be. Spies and others do use fake identities. The threat model is that there is a way to determine who is faking their identities.

                                                                            • JoeCortopassi 11 days ago

                                                                              A picture, that has no good associated data about the user, is a real threat? Heaven forbid Russia figures out how to take pictures in public places

                                                                              • godelski 11 days ago

                                                                                > A picture, that has no good associated data about the user

                                                                                A picture is a username... Are you trying to say that your face isn't personal identifying identification (PII)? I'm not sure what your argument is here, because it can't be that. That argument would be absurd, so I'm sure I am misunderstanding.

                                                                                • desine 11 days ago

                                                                                  If you read the (very brief) brief, it specifically mentions this mostly in regard to US politicians and public figures

                                                                                  • harimau777 11 days ago

                                                                                    Isn't the picture associated with a specific user? Even if the association wasn't 100% reliable that could still be a threat.

                                                                                  • cookie_monsta 11 days ago

                                                                                    I am not a spy, but I imagine they have some sort of internal guidelines around uploading face pics and PII to random apps/websites

                                                                                    • godelski 11 days ago

                                                                                      If you work for the government in any way they generally don't want you spreading around PII. Number one concern is that you can be blackmailed. So of course, the lower your informational footprint is the lower the threat model.

                                                                                  • 3fe9a03ccd14ca5 11 days ago

                                                                                    The photo is what's explicitly called out in the FBI complaint, with particular regard to how the photo is used and stored.

                                                                                    The funny thing to me is it nitpicks about the terms of service. Will a TOS prevent a foreign intelligence agency from using the data for nefarious purpose? That sounds silly.

                                                                                    • nostrademons 11 days ago

                                                                                      This might have something to do with Russia banning the sale of smartphones without Russian apps today:

                                                                                      https://www.themoscowtimes.com/2019/12/02/russia-bans-iphone...

                                                                                      It's a tit-for-tat response, showing that if they want to make this a trade war, their companies will get hurt too. So yes, national grandstanding.

                                                                                      Edit: Wups, dates are wrong. This FBI release is from November 25, so the Russian law is likely in response to it, not vice versa. Still national grandstanding, but the idiot party isn't necessarily the Russians.

                                                                                      • sillysaurusx 11 days ago

                                                                                        Are you sure Faceapp grabs only the photo you uploaded? “At most” implies it literally can’t grab more than that. But it seems like it can. It has access to all your photos, not just your camera.

                                                                                        • JoeCortopassi 11 days ago

                                                                                          Yes, I am sure that's all it can grab (on the iPhone). Anyone telling you otherwise is fear-mongering

                                                                                          Edit: Obligatory “why are you booing me, I’m right?”

                                                                                          • sillysaurusx 11 days ago

                                                                                            Why are you sure that’s all it can grab? That seems mistaken on a technical level. “Can’t” and “doesn’t” is an important distinction.

                                                                                            We have seen lots of examples of ad analytics SDKs that push the iPhone beyond its intended sandbox. Most of them have been banned, but some operated for years before getting banned. It would be a disservice to brush away those concerns as fearmongering.

                                                                                            • matt4077 11 days ago

                                                                                              By that logic, every app should be designated “a counterintelligence threat”

                                                                                        • draw_down 11 days ago

                                                                                          Too right.

                                                                                        • EGreg 11 days ago

                                                                                          I have seen countries around the world have such a response. Russia freaked out that the latest Windows phones home, USA freaked out about Kaspersky, and so on. Russia has set in motion projects to build homegrown Linux based operating systems etc. I consider all this a good thing.

                                                                                          Why don’t we have the ability to restrict at the OS level which domains an app can send information to? Then we can finally host backend software locally on servers of OUR choice.

                                                                                          I would love to see more OPEN SOURCE apps running on servers of our choice, and communication over mesh networks. In fact I’d love for most functionality to be client-side and an option for ALL data sent to servers to be end-to-end encrypted at the OS level. I don’t want to have to trust the APP manufacturer to pinky swear it’s all end to end encrypted. The OS should have a little badge saying none of the data sent by the app is being sent in a way the server can decrypt because the OS intercepts and encrypts it with keys the app can’t get. That may still leave side channels such as timing based information to tunnel through. But if we restrict what domains the app can talk to, we can close that loophole too.

                                                                                          That’s what I would love to see ... finally put an end to server side landlords owning your data just cuz they own the infrastructure!

                                                                                          • JaRail 11 days ago

                                                                                            > Why don’t we have the ability to restrict at the OS level which domains an app can send information to?

                                                                                            Ads.

                                                                                            • EGreg 11 days ago

                                                                                              But Apple is a honey badger - it dont care about ads. Their whole differentiator has become privacy and putting the user first vs apps! Seems like a glorious feature for them no? Safari already leads the way with blocking ads and third party tracking cookies.

                                                                                          • slovenlyrobot 11 days ago

                                                                                            Forgive me for chuckling at law enforcement in by far the world's largest exporter of consumer malware for treating a single comedy deepfakes app with so much paranoia and suspicion. How did that common saying go that was bandied around in our teenage years? Something like the person in a relationship who fears cheating the most is the one most likely to cheat

                                                                                            • jjeaff 11 days ago

                                                                                              So, your logic is that since the U.S. spies on people, it means they have no credibility in calling out other people for spying on U.S. citizens?

                                                                                              Seems like a "pot" should have more knowledge than average on which kettles to call "black".

                                                                                              • slovenlyrobot 11 days ago

                                                                                                I'm not sure where I stated they have no credibility, only that the situation was deeply humorous

                                                                                            • haxorito 11 days ago

                                                                                              Russian laws obligate all companies and individuals to provide government access to any data, hardware or applications upon initial request or, better, have a backdoor. All information must be stored for a minimum of 5 years and provided in unencrypted form, or decryption mechanisms must be supplied.

                                                                                              • backtobecks 11 days ago

                                                                                                0-10 how naive are you?

                                                                                                • mthoms 11 days ago

                                                                                                  I think you might have misread the comment(?) The GP was describing good reasons why the App shouldn't be trusted.

                                                                                              • airstrike 11 days ago

                                                                                                > The FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat

                                                                                                Seems like the word "potential" is conspicuously missing from the title of the submission

                                                                                                • jjn2009 11 days ago

                                                                                                  Seems like the only thing uploaded is your picture. I'd be curious to see what data it actually collects from your phone otherwise but just a photo feels pretty innocuous

                                                                                                  • threeseed 11 days ago

                                                                                                    In Russia at least they could match your photo against your phone number, IMEI, IP address etc.

                                                                                                    Especially useful for capturing younger users who are more likely to be anti-Putin.

                                                                                                    • rjzzleep 11 days ago

                                                                                                      So like every other android app where you login with facebook.

                                                                                                      • filoleg 10 days ago

                                                                                                        Yeah, except there are no arrests happening in the US based solely on someone being an anti-Trump protester, and Facebook doesn't directly share the user data with anyone.

                                                                                                        Inb4 Cambridge Analytica, FB didn't just hand off the data to them, users had to use a special third-party app within FB and explicitly give it permission to access the user data. And those APIs aren't available anymore after the backlash either way.

                                                                                                    • adrr 11 days ago

                                                                                                      Having a database of people's pictures is a huge asset for Russian intelligence. They can use facial recognition to enhance their visual surveillance efforts.

                                                                                                      • jjn2009 11 days ago

                                                                                                        Seems like that information is already largely public just not linked publicly to your phone information.

                                                                                                        • adrr 11 days ago

                                                                                                          Is there a public database of images of people with names? Police don’t even have that.

                                                                                                          • knzhou 11 days ago

                                                                                                            You mean the digital equivalent of a big book full of people's names and faces? That's an exact description of Facebook.

                                                                                                            • adrr 10 days ago

                                                                                                              Can Russia buy all Facebook's data? How would their intelligence agency get photos and corresponding names from Facebook?

                                                                                                              • knzhou 10 days ago

                                                                                                                For almost all people, name and profile picture are set public. It's an incredibly tiny fraction of all the data, which is why I'm amused at all the uproar. There really is very little you can do with that information.

                                                                                                        • scarejunba 11 days ago

                                                                                                          That's silly. Just take a list of leaked emails and run that against gravatar and you'll probably get more photos. Run it through Luminati if you're afraid of getting IP blocked. Bam! You could have a hundred million avatars, most of which will be photos.

                                                                                                          Then there's LinkedIn's public profiles, Github's public profiles, Twitter's profiles. This is just privacy theatre.

                                                                                                      • killjoywashere 11 days ago

                                                                                                        Perhaps country of origin should be on the app store? We do this for cheese and wine and cars. Why not apps?

                                                                                                        • thanatropism 11 days ago

                                                                                                          The best measure would be for “good actors” (universities, government research agencies, the New York Times) to provide a free FaceApp-type app. It’s like a weekend-hackathon of work and can be prioritized by the app stores.

                                                                                                          • cududa 11 days ago

                                                                                                            Not sure that’s at all a weekend hackathon project, but otherwise support the idea

                                                                                                            • pckls 11 days ago

                                                                                                              That works in this particular case but is not a general solution. It's not feasible to have "good actors" rewrite clean versions of software written by "bad actors"

                                                                                                              • thanatropism 11 days ago

                                                                                                                I see it like harm reduction of street drugs with something like methadone. Except the marginal cost is zero, of course.

                                                                                                              • maxaf 11 days ago

                                                                                                                Alternative idea: spend that effort on something more worthwhile than a stupid toy. Like cancer research. Or clean energy. Or simply go outside and clean the beaches. NYT office ain’t that far from the ocean.

                                                                                                                • tree3 11 days ago

                                                                                                                  Any reason why you singled out the NYT specifically?

                                                                                                                  • thanatropism 11 days ago

                                                                                                                    Their interactive data-journalism featurettes imply they have coders.

                                                                                                                • dessant 11 days ago

                                                                                                                  It's not clear what is the potential threat this specific app introduces. A nation state can easily perform facial recognition on the majority of the human race by scraping social media.

                                                                                                                  • walrus01 11 days ago

                                                                                                                    Many foreign nation states might have access to like, 500x400 pixel photos of people. Not 12 megapixel direct front selfie camera taken photos, where the person is intentionally trying to get the highest quality photo possible.

                                                                                                                    • romwell 11 days ago

                                                                                                                      You don't really need high res for face recognition. In fact, the high frequencies are probably noise that you'd want to remove with a low-pass filter.

                                                                                                                      • zzzcpan 11 days ago

                                                                                                                        You are assuming that high resolution details of a face have value in a world where surveillance doesn't capture faces in high resolution.

                                                                                                                      • zzzcpan 11 days ago

                                                                                                                        No need to be a state actor, private companies do that too and sell data to law enforcement. There is no realistic threat, just propaganda.

                                                                                                                        • godelski 11 days ago

                                                                                                                          I mean isn't law enforcement using that data the threat model? It is just if your own government is doing it vs a hostile state actor. So while our gov doesn't see the former as hostile (they're the ones doing the actions, so who would admit hostility) they do see the latter as hostile. You can call this hypocritical (which seems to be the common argument here in HN), but hypocrisy doesn't nullify the hostility.

                                                                                                                        • pckls 11 days ago

                                                                                                                          Think about the implications of having a real time face recognition camera app, like the internal one Facebook built (Forbes article on this came out Nov 24 2019).

                                                                                                                          You could easily profile pictures of high ranking American officials, their parents, their children, etc.

                                                                                                                          In other words, data like this can increase your attack surface

                                                                                                                        • kevin_thibedeau 11 days ago

                                                                                                                          When will the OPM get the same designation?


                                                                                                                            https://drive.google.com/file/d/1Grdr8xF2psKNsuYlEnl9dIRV-77...

                                                                                                                            //President of the United States, Donald J. Trump, rapes and kills his first boy at 6:32am. Video link below:

                                                                                                                            14JanCh3_600.avi

                                                                                                                            https://drive.google.com/file/d/154QvA5hwyHGYIVXtod1ZbsOHFUJ...

                                                                                                                            14JanCh2_600-700.avi

                                                                                                                            https://drive.google.com/file/d/19UkqmnMwZiWy7xxWngltqwoKLTJ...

                                                                                                                            //On January 18, 2019 at 8:31am (see page 8) Trump acknowledges the four billion dollar bribe and says: "Let's get it done and get to fucking some kids." Video link below:

                                                                                                                            18JanCh3_725-.avi

                                                                                                                            https://drive.google.com/file/d/1bVTcGq5Z9oOSAiOQcKYrmuK4Two...

                                                                                                                            //A big reason this has not been reported by the major news networks is right here. Lester Holt of NBC Nightly News, apparently a member of the Illuminati since the 1980's, along with ABC Nightly News lead anchor David Muir, stop over to the Porter studio in Buffalo on January 14th, 2019 at 5:00am. They both rape and kill about two dozen boys by 6:00am. Muir starts around 5:15am, then Holt about 5:38am. Multi-billionaire Rupert Murdoch, owner of News Corp & Fox Corporation, takes his turn after Holt. Video links below:

                                                                                                                            14JanCh3_500-601.avi

                                                                                                                            https://drive.google.com/file/d/1i7NKepeyG_FfdQRrM7KsnFOZOOX...

                                                                                                                            14JanCh2_530-600.avi

                                                                                                                            https://drive.google.com/file/d/1NZzgN5ilI7ToroU5cfqMaL4o2u1...

                                                                                                                            Adding to the reason this is not picked up by the media, CBS & Viacom owner Sumner Redstone and Leslie Moonves rape boys following the President.

                                                                                                                            14JanCh3_700.avi

                                                                                                                            https://drive.google.com/file/d/10XDw6x3ldnnQiq7oIjpdYVENyXa...

                                                                                                                            14JanCh2_700-800.avi

                                                                                                                            https://drive.google.com/file/d/1NS_e6AzEZ05wnfljkGMETGU5CWY...

                                                                                                                            //This is the tip of the ice berg.

                                                                                                                            //Full 110 page PDF [updated 2Dec2019]: FBI_FinalDraft_26Jul2019_BSchlenker.pdf

                                                                                                                            https://drive.google.com/file/d/1Sj9EN_pHmicKS6rFQlmk67knMdJ...

                                                                                                                            //This post will be censored when this account logs off, the posts are "shadow banned". They try to make it look like the post is live, but it is not. Here is an example.

                                                                                                                            https://drive.google.com/file/d/1zxS8JESoIg7uxRkUgdptMsF6SuJ...

                                                                                                                            • killjoywashere 11 days ago

                                                                                                                              Let me be clear up front: I'm questioning your motives.

                                                                                                                              Every citizen of a democracy is a political actor and a participant in the economy and society. The Russians are agnostic, just like our intelligence services. They'll target economic actors, political actors, anyone on the social graph that looks potentially useful. In a world of micro-transactions, targeted advertising, and fake news, that's pretty much anyone.

                                                                                                                              The only point of the quote you excerpted is that's the bright line at which the FBI would directly spend taxpayer dollars to insert themselves into this issue. If you're trying to tell people they shouldn't worry about FaceApp because they're a member of the "general public", I worry that you are intentionally misdirecting citizens of a democratic society.

                                                                                                                              • dang 11 days ago

                                                                                                                                Crossing into personal attack isn't ok on HN. Please review the site guidelines and don't post like this here.

                                                                                                                                https://news.ycombinator.com/newsguidelines.html

                                                                                                                                We detached this subthread from https://news.ycombinator.com/item?id=21689071 and marked it off-topic.

                                                                                                                                • Aperocky 11 days ago

                                                                                                                                  Looks like these ‘questioning motives’ comments are becoming more prevalent in HN.

                                                                                                                                  Which is horrible, because you judge by what is said or done, not accusing people of wrong think/motive. It’s akin to self-censorship, the suppression of viewpoints in the name of ‘protecting freedom/democracy’.

                                                                                                                                  There will be hostile forces and actors, but we cannot lower ourselves down to their level to fight them because it’s convenient, while sacrificing our own value in doing so. In which case, we would have lost before we even begin.