When Apple unveiled Face ID, which creates a complex 3D map of your face to identify you, the company promised it wouldn’t store your facial data on its servers. But Apple made no such claims in regards to the third parties that access the face data your iPhone stores to build cool new applications, such as emoji that mimic your facial expression, and those developers don’t necessarily share Apple’s commitment to privacy.
Without specific measures taken to ensure developers use your face data responsibly, Apple’s new authentication technology is ripe for abuse—and the results could be disastrous.
What’s at stake?
Apple stores Face ID data in the iPhone’s Secure Enclave, which is reputably one of the most secure pieces of hardware available on consumer products. But it gives programmers access to all the features of iPhone X’s TrueDepth selfie camera, which Face ID relies on to perform its functions. TrueDepth is a sophisticated piece of technology that uses an infrared emitter to create a wireframe of the subject’s face and analyze the movements of their eyelids, mouth, and other facial features. Apps will be able to access and store all of that information.
App developers are required to disclose how they will use the data and where they will store it. Apple also forbids them from selling face data or using it for advertising or other questionable activities.
However, it’s not clear how Apple plans to implement those rules and police the use of the data, especially as thousands of new apps are being added to its App Store every month.
There’s already an app called MeasureKit that lets you see a wireframe of the 3D model TrueDepth creates of your face. The app’s developer plans to add a feature that lets you export the 3D model. You can then use it for anything, such as 3D-printing your face. The maker of the app told the Washington Post that he didn’t feel any extra scrutiny from Apple for accessing the data.
Meanwhile, all an app needs to access the TrueDepth camera and its features is permission from the user to use the camera. It doesn’t differentiate between the front and back cameras, or between using the camera’s video feed or its high-tech gear to monitor your facial expressions. And once you give an app permission to use the camera, it’ll have access to your facial data until you uninstall it or revoke the camera access in the advanced settings section.
In all fairness to Apple, Android phones are no better. Android doesn’t discriminate between the front and back camera, and the Google Play Store doesn’t prevent apps from collecting face data and using it for commercial purposes so long as they ask the user’s permission. The difference is that Android phones don’t collect face maps and facial expression like the iPhone does—at least not yet.
Why does it matter?
Facial recognition technologies are becoming an increasing privacy and security concern.
Organizations such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have warned about the threats of facial recognition. “The biggest danger is that this technology will be used for general, suspicionless surveillance systems,” the ACLU cautioned.
The U.S. federal government already has a facial recognition database containing photographs of half the adult population. In China, things are even worse. The government is planning on building a ubiquitous CCTV surveillance network and, along with investment firms, is pouring billions of dollars into AI and face-recognition startups to be able to identify people appearing in surveillance video feeds in real time. Russia is also testing the use of facial recognition technology in its large network of CCTV cameras.
Meanwhile, tech giants such as Facebook and Google are using AI algorithms and face- and emotion-detection technology to improve their ad targeting. Both companies are facing lawsuits in Illinois for the potential breach of privacy rules in using biometric data.
However, no consumer technology so far has the capabilities and accuracy of Apple’s TrueDepth camera to create face maps and record facial expressions. The technology offers a lot of cool and interesting possibilities, but it could easily be exploited. It could be used to identify and target dissidents in autocratic states, for example.
With the explosion of data and advances in AI technology, mining and matching data such as photos and personal information from social media profiles and public websites is becoming easier. Now, the millions of iPhone Xs that will find their way into the hands of consumers will give tech firms and government agencies even more data to monitor users for their commercial or political purposes.
We’re enabling the surveillance state, one app permission at a time.
Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983 and his updates on Facebook.