FaceApp controversy provides unexpected boon for cybersecurity awareness
Cybersecurity professionals everywhere now owe a debt of gratitude to the Democratic National Committee. Earlier this week Bob Lord, chief security officer for the DNC, advised the various campaign staffs vying to become the next Democratic presidential nominee to avoid a popular application, dubbed FaceApp, that allows people to view what they might look like as they age. The authors of this application are based in Russia and Lord, given recent history, expressed a concern that the data being collected by this application might be employed in the future to hack into the accounts of campaign staffers.
A few days later Sen. Charles Schumer (D-NY) called for a federal investigation of FaceApp, and suddenly every end-user in the world is more aware of how seemingly innocent mobile applications collect a mountain of personal data.
Like many of these applications, FaceApp takes advantage of Amazon Web Services (AWS) and Google Cloud Platform (GCP) to store data, which requires independent software vendors (ISVs) to allow AWS to store data where it best sees fit. Most ISVs routinely include verbiage in their terms and conditions that reflects the data management policies of whatever cloud service they employ. However, because of the origins of the owners of FaceApp, some have interpreted that language to mean that FaceApp is storing data about end-users on a server in Russia that various state actors might be able to access.
Wireless Labs, a company based in St. Petersburg, Russia, responded to Schumer’s call by assuring end-users that it only stored data temporarily on public clouds and that their data is typically deleted within 48 hours. Most IT professionals know that storing that volume of data on any public cloud can be prohibitively expensive even for the most well-heeled company, never mind an ISV startup.
Whether Wireless Labs has any ties to the Russian government is at this point an unproven allegation. In theory, the Russian government reserves the right to inspect, or in other words spy on, any and all data that passes through servers and networks located within its territory. Right now, however, it appears Wireless Labs has been caught up in a bit of hysteria that might naturally be expected given the revelations concerning Russian efforts to influence the 2016 presidential campaign that were published in the Mueller Report.
While that may be unfortunate for Wireless Labs, this brouhaha may be doing more to advance cybersecurity awareness among end-users than any other event in recent memory. End-users tracking this controversy are suddenly a lot more aware of what all these applications they routinely download just might be doing with their data. None of that activity is especially new information for cybersecurity professionals. However, getting end-users to desist from the inherently risky act of downloading a mobile application of unknown origin onto a smartphone or tablet has long been a major source of concern and, frankly, frustration for cybersecurity professionals. It’s not at all clear how many end-users will alter that behavior in the wake of the FaceApp controversy, but even a 5% increase in end-users being more cautious would represent a substantial win for the cybersecurity community. Mounting a cybersecurity awareness campaign of similar scope would cost nothing less than millions of dollars.
Obviously, the circumstances surrounding that win might be a little dodgy in terms of the facts of the case, but these days cybersecurity professionals need to take any and every end-user training win wherever they can find one.