‘NewProfilePic’ app sparks red scare over Moscow data dump
Is the viral app secretly sending data to Russia? Security experts and fact-checkers weigh in on the facial recognition software being compared to a TikTok-style Trojan horse for spyware.
Technology
Don't miss out on the headlines from Technology. Followed categories will be added to My News.
A new phone app breaking the internet by turning selfies into painterly avatars has led to fears that user images and data are being leaked to Russia.
Released in May on the Apple and Google app stores, the picture editor - also known as Photo Lab - quickly went viral and shot to #1 with its artificial intelligence-powered conversion of high-quality images into seemingly handpainted portraits.
But a user-spotted domain registration showing the website newprofilepic.com registered in Moscow immediately sent chills among thousands of users that the App was a Trojan horse for spyware.
They’re similar concerns held over the Chinese-developed app TikTok, which has been forced in countries like the US to separate its western operations from the country’s Communist Party ecosystem in China.
The fears were amplified when The Daily Mail linked the address of the app developer, Informe Laboratories, Inc to Linerock Investments LTD, which holds the copyright and is linked to an apartment complex across from the Moscow River, next to Russia’s Ministry of Defence and just three miles from the Red Square.
Jake Moore, a cybersecurity expert at ESET internet Security, warned NewProfilePic users to be careful uploading photographs and personal data to a new and unknown website.
“Although most people will not question the possibilities of anything untoward occurring from simply uploading a photo, the amount of data taken under the radar can often be far more than the user intended on sharing which can cause security and privacy problems,” he told the outlet.
“This app is likely a way of capturing people’s faces in high resolution and I would question any app wanting this amount of data, especially one which is largely unheard of and based in another country.”
Users quickly began delving into the permissions the app receives and posted the warnings: “DO NOT download the NEW PROFILE PIC.COM APP it takes all your information and sends it to Moscow!!!!!!!”
That data, under the app’s data policy, includes “certain personal information that you voluntarily provide to us”.
That’s full names, user names, email addresses, social network information “and other information you provide when you register”. That “other information” includes IP addresses, browser types, device settings, and facial recognition information.
Its privacy policy continues: “Detected key points may be kept along with the photo on the servers of our providers for up to two weeks from the last interaction with the photo … to speed up further processing of the same photos.”
But what happens to the data once it’s collected?
The fact-checking website Snopes.com traced the original image of the Moscow domain registration - which spared the spyware fears - to a Facebook post on May 8. By the time they checked the domain on May 11 - the day of The Daily Mail published its investigation - it was registered in Florida.
A spokeswoman for Linerock Investments, Kathleen Polezhaeva, said in an email statement shared with media that the company was based in the British Virgin Islands and that the app comes from a team of international developers, including some in Russia, Belarus, and Ukraine.
“It is true that the domain was registered to the Moscow address. It is the former Moscow address of the founder of the company. He does not live in the Russian Federation at the moment. By now the address has been changed in order to avoid any confusion,” the spokeswoman said.
The address for Linerock Investments identified by The Daily Mail was, Ms Polezhaeva claimed, the address of lawyers who registered the company, not its corporate offices.
In a follow-up blog post on the website of Photo Lab, the name of the app in Ukraine countries, the company explains - in Russian - where and how the data is hosted.
“Just because the users it’s targeted at are very much likely to speak Russian and we’d like to do our best to lessen their concerns and bring a bit more calm in this time of hardship,” the blog post says in English, before explaining the rest in Russian.
In the post, they continue that the fears of user data being hoovered up and sent to Moscow were the “flip side” of the popularity of the app, which has millions of five-star user reviews.
“All we can do is explain patiently that all our apps (including NewProfilePic) are NOT a threat,” the post read.
“Your photos (or any other data) are NOT sent to Moscow. All our apps are server-based and user images are uploaded to Amazon AWS / Microsoft Azure servers located in the US. This is necessary in order to apply all those fancy effects driven by AI technologies.”
Originally published as ‘NewProfilePic’ app sparks red scare over Moscow data dump