Privacy Central

Privacy | 20 Dec 2017 | 4 mins read

Apple is Giving Away Your Sensitive Facial Data

Privacy concerns about Face ID - Apple's facial recognition tech - have intensified now that it's emerged that app makers not only have access to your facial data but can store it on their own servers.

Ben Dickson, Tech Blogger

Apple has a well-established reputation for being serious in protecting the privacy of its customers. So when it introduced Face ID, the cutting-edge face authentication technology that comes with its new iPhone X, there was little doubting the company’s pledge to avoid storing users’ data on its servers. (To be fair, however, we did have other security concerns about Face ID.)

However, it seems that Apple doesn’t care about what others do with the sensitive facial data that the iPhone X collects. According to a story published in The Washington Post, iOS app developers can have their way with your Face ID data, such as using it to create cool applications that mimic your facial expression, or collecting it for creepier uses.

What kind of data are you giving away?

Apple’s iPhone X comes packed with TrueDepth, a sophisticated selfie camera that emits 30,000 infrared dots to create a 3D map of your face and to measure your facial expressions. Face ID uses TrueDepth to register your face during setup, and to authenticate you when unlocking your phone. As promised, Apple only stores that data on the iPhone’s Secure Enclave component, one of the most secure pieces of hardware found in consumer products.

However, Apple also enables app developers to access TrueDepth, including the 3D model of your face and the movement of your mouth, eyes, eyebrows and other facial features. Once they have that data, they can do anything they want with it, including storing it on remote servers.

Developers were quick to seize the opportunity and test the limits of the feature. An app called MeasureKit lets you see a live visualization of your face’s wireframe. All it needs to do is ask you for permission to use the phone’s camera, and iOS doesn’t discriminate between the selfie cam and the back camera. As long as you don’t revoke the app’s access or uninstall it, it’ll be able to see and record your face’s every move.

Apple does require developers to clarify how they will employ the data, and it forbids app makers from selling it or using it for advertising purposes. But it’s not clear how it plans to police the tens of thousands of apps that are being added to its App Store every month. There’s already a history of some of the most famous iOS apps circumventing the App Store’s rules and managing to conceal it for years. It would be much easier for a lesser-known app to evade scrutiny and make shady uses of user data.

Rinat Khanov, the developer of MeasureKit, told the Post that the Apple App Store imposed no special scrutiny on his app for accessing TrueDepth’s data.

What can go wrong?

Civil liberties and digital privacy organizations have warned about the privacy concerns of facial recognition technology. A statement by the American Civil Liberties Union (ACLU) reads: “Unlike many other biometric systems, facial recognition can be used for general surveillance in combination with public video cameras, and it can be used in a passive way that doesn’t require the knowledge, consent, or participation of the subject.”

In fact, many states are now incorporating facial recognition technology into their national surveillance systems. The U.S. government already possesses a database that contains the faces of more than half the country’s adult population. China has the most aggressive surveillance program, with more than 170 million CCTV cameras installed across the country and heavy investments in artificial intelligence and facial recognition startups. The BBC recently ran a program in which it showed how efficient the system was: It took seven minutes for Chinese authorities to find BBC reporter John Sudworth after he was flagged as a suspect. The government says it wants to use it to identify criminals, but this can also include political dissidents.

At the same time, tech giants such as Facebook and Google are exploring new ways to optimize their ads by analyzing users’ facial data. The state of Illinois is already looking into the practices of both companies as potential breaches of its laws surrounding the privacy of biometric data.

When weighed against this backdrop, the highly accurate data that iPhone X’s TrueDepth camera produces can take the privacy concerns surrounding facial recognition to new heights. Face ID has been designed to distinguish its owner’s face even when the owner is wearing a scarf, hat or glasses, or has facial hair. Does this mean that government agencies will soon be able to use that data to further improve their spying on citizens?

You’re now carrying a device that can not only take pictures and videos of you, but will be able to precisely capture the physique and emotional changes of your face and send them to government agencies or the next Big Brother tech company. Use it wisely.