A new phone app which offers users a free digital avatar is taking facial-recognition quality photographs and sending them to Moscow, prompting major concerns within the cyber security community.
Tens of thousands of people have already uploaded their photographs to the servers of the New Profile Pic app in return for the free avatar. However, many will be unaware that the company behind the app, Linerock Investments, is based in an apartment complex overlooking the Moscow River, beside Russia’s Ministry of Defence and just three miles from Red Square.
Jake Moore, Global Cybersecurity Advisor, ESET Internet Security, told MailOnline that people have to be incredibly careful when uploading photographs or personal data to a brand new website.
He said: ‘This app is likely a way of capturing people’s faces in high resolution and I would question any app wanting this amount of data, especially one which is largely unheard of and based in another country.’
The company behind the app is called Linerock Investments Ltd, which, according to the International Consortium of Investigative Journalists’ Offshore Leaks database, is registered in Moscow.
It has a shareholder based in Panama City, while a director is based in Russia.
In 2017, a St Petersburg-based company released FaceApp, which allowed users to upload a photograph which would be aged using Artificial Intelligence. A viral challenge prompted warnings from security experts about the amount of data the app was sending to Russia.
According to the new app’s promotional material: ‘The world around us is fast-paced and always evolving. In this ever changing world, why stick to one profile pic on your social media? Let it be different, always new and… made by AI!
‘The NewProfilePic app lets you change your user image style as often as you want. Dare to be different, with a profile pic that reflects your current mood or state of mind. Impress your friends on social media and keep them interested in what’s coming next! ;)’
By agreeing to download the app, users are willing to share their location, details about the device they are using as well as other photographs on their social media feeds.
The company’s data policy is clear that ‘we collect certain personal information that you voluntarily provide to us’.
It continues: ‘We collect your name, email address, user name, social network information and other information you provide when you register.’
They also collect data on the user from other companies and combine it with their own dossier.
The firm also collects the IP address, browser type and settings from a computer or the device data from a mobile phone handset.
Explaining how the technology works, the app developers said: ‘Whenever you choose an effect that involves face manipulations we use special face recognition technologies to detect a photo; find required facial key points, and apply the effect to your photo.’
The firm claims the ‘detected key points may be kept along with the photo on the servers of our providers for up to two weeks from the last interaction with the photo… to speed up further processing of the same photos’.
On Apple’s App Store, the app is number one in the photo and video chart, while more than 25,000 have rated it on the Google Play Store.
One user said: ‘This is the best app for cartoon images of photos. Hands down the best. Need more. We need a full body, or torso. Also I would love to see Animation like Ai Face Animator.’
Mr Moore warned: ‘Before people upload photos or other personal data to a brand new website, they must carry out their own due diligence where possible.
‘Although most people will not question the possibilities of anything untoward occurring from simply uploading a photo, the amount of data taken under the radar can often be far more than the user intended on sharing which can cause security and privacy problems.
‘This app is likely a way of capturing people’s faces in high resolution and I would question any app wanting this amount of data, especially one which is largely unheard of and based in another country.
‘Regardless of where they are based, I would always err on the side of caution when handing over sensitive data as once it has gone it is virtually impossible to gain control of it back.’
A spokesperson for the app told MailOnline: ‘We are a BVI company with development offices in Russia, Ukraine, and Belarus.’
They said the images are sent to their Amazon servers to apply the effects and are not visible to anybody. They added that the images are deleted after two weeks.