Face ID is one of the hallmark features of the iPhone X. Using facial recognition, you can unlock your phone almost as quickly as if you had no device security enabled at all—all you have to do is stare at it. It’s convenient, and potentially more secure than a four- or six-digit passcode. And because your data is stored in the phone’s so-called secure enclave and not in the cloud (as Apple did with Touch ID’s fingerprint data), the impressively detailed digital map Apple makes of your face, and the more than 50 facial expressions it can recognize, are kept safe. For the most part.
At launch, facial recognition data from Face ID will only be used by Apple to unlock your phone—and animate a handful of goofy emoji characters called Animoji. However, Apple plans to allow third-party app developers access to some of the biometric data Face ID collects. And this has some privacy experts concerned, as Reuters reports.
Facial recognition is everywhere these days. It’s how Facebook suggests friends you should tag in photos, how Snapchat’s lenses so masterfully morph onto your face, and how Google Photos can so intelligently collect and organize photos of people you photograph often. Apple already uses facial recognition in its Photos app on iOS, too. But until now, these companies have kept their facial recognition data private. Allowing developers to access some of that data—even if it’s only a rough map of your face and facial expressions, not the full dataset it uses for biometric identification—is new, potentially scary territory.
To use your facial data, developers must first ask your permission in their apps, and must not sell that information to other parties. Still, while it’s forbidden under Apple developer guidelines, privacy experts worry that developers might sell this data or use it for marketing or advertising purposes. (Imagine, if you will, an ad-supported gaming app that uses your current facial expression on your avatar. How valuable would it be for an advertiser to monitor what facial expressions you make as you watch their commercial in between rounds of gameplay?)
It is a valid concern. There have been several instances of notable apps such as Path and Uber violating Apple’s guidelines. Back in 2013, Path was uploading the contacts from your address book to its own private servers without user permission. More recently, Apple CEO Tim Cook threatened to kick Uber out of the App Store for violating Apple’s privacy rules. The app tracked iPhone users’ location even after they’d deleted the app off of their phones.
Other privacy experts, however, are confident in Apple’s abilities to appropriately manage Face ID data. “Apple has had great success historically imposing limitations on developers in exchange for access to their lucrative iOS user base, and I don't see that changing with Face ID,” Travis Jarae, CEO of identity and privacy research company OWI, said.
Still, it could be a good idea for developers to hold back on rolling Face ID data and facial recognition into their own apps, even if just to feel out consumer sentiment. According to a survey of 500 social media users by photo vault app Keepsafe, 80 percent said they were uncomfortable with services using facial recognition, and nearly half said they’d turn it off given the choice.
And as Slate’s April Glaser reported last month, Face ID has one more serious security concern: biometrics are not provided the same protection as passwords or PIN codes under the Fifth Amendment.
“It has been argued that the courts could compel an individual unlock their phone using biometrics, as ‘attributes of the body’ are not protected under the Fifth Amendment,” Jarae said. This is similar to how a DUI suspect may be compelled to give a blood sample even if they refuse to provide a spoken testimony. Police can’t force you to turn over your passcode, but they can, theoretically, force you to unlock the phone with your face. Apple does have some security precautions in place here. For example, you’re supposed to look straight at the camera when using Face ID. If you avert your eyes while being forced to unlock your phone under duress, it shouldn’t work (early reviews confirm this).
It’s still very, very early days for Face ID. It’s most likely that developers who want to use your face data will only want to use it to personalize your onscreen avatar in a game, for instance, or to improve augmented reality experiences. It’s worth being aware of the issues, though. If your favorite shopping app wants access to your facial recognition information, it might not be using that data the way you think.