When I look at my iPhone X that glance alone is usually enough to unlock the phone so I can use it. Apple has created Face ID as a way to identify me by my face alone using 30,000 infrared dots projected on my face to create a 3D digital model, which the phone uses to compare with my actual face when it's time to unlock the phone again.
Apple has said that Face ID has a million to one chance of making an incorrect identification, except in unusual situations. Those situations, as we’ve seen on a regular basis include identical twins, parents and their children and even a mask created for that purpose. While Face ID may be more secure than its predecessor, Touch ID that used fingerprints, it’s not infallible.
Now, Apple has begun sharing the Face ID data with app developers who can then use it for a variety of purposes that might make use of your face, or the data that represents your face. Initially, Face ID was largely used in apps in the same way that Apple used it with iOS and its own apps, which was to use it as an alternate to a pass code. If you have an iPhone X, you’ve probably noticed that it can now use Face ID to provide access to your banking or shopping apps.
But the Face ID data can be accessed and used for other purposes as well. You can run an app that creates live emojis, for example. There are a few augmented reality apps that are starting to use your facial data to make characters that look like you. But the potential is far greater.
The data that Apple provides includes a wireframe representation of your face and it includes detailed data on your facial expressions in real time (which is how you create those emojis). To get an idea what the wireframe is, imagine if you drew a line between each of those 30,000 infrared dots projected by the Face ID Dot Projector. What you’d have is a contour map of your face.
Apple allows app developers to download the map of your face and store it on their own servers, along with the data that represents your expressions. The idea is to use the Face ID camera and data to provide input to a wide variety of apps for any number of different functions. And herein lies the rub when it comes to personal privacy.
Your face, even in wireframe, and your expressions expressed as data, could be seriously valuable to marketers, because knowledge of micro-expressions is a good indicator of your emotions. A marketer could tell in a second or two whether you liked a specific product or not. Effectively, you can be sharing your emotions with someone without realizing it.
If you’d like to see exactly what the facial data that Apple provides to app developers looks like, download an app called MeasureKit from the App Store. Measure Kit is actually designed to be an AR measuring tool and it’s surprisingly useful for that. But one of the things it will measure is your face, and the micro expressions that go with it. The result is a wireframe image of the data representing your face.
But, the privacy concerns go far beyond that. Geoffrey Fowler writes in The Washington Post of potential misuse of this information to discern your health, gender and perhaps even your sexual orientation, your mood and state of mental health. While that’s not being done yet, it appears that this data coupled with artificial intelligence and machine learning could indeed peer deeply within a person.
But there’s another risk as well and that’s security. While Apple has said many times, defeating Face ID is highly unlikely, suppose you have that wireframe representation of a person’s face? Could that data, along with the expression data, provide enough information to 3D print a mask and give it realistic movement? If so, would it be good enough to fool Face ID?
The problem with the facial data that Apple provides is that it has to be good enough to be useful to app developers. But that also means it’s probably good enough to be misused. It’s not hard to imagine an app that transmits the wireframe and expression data to a server, perhaps for more app development or other research. But then, supposed that hackers gain access to that data?
While Apple has policies that limit what developers and others can do with the Face ID data, that doesn’t mean those developers will pay attention to those rules. You can be sure that a malicious hacker who gets that data isn’t going to be paying attention to Apple’s rules.
Unfortunately, Apple doesn’t really have a way to set security standards for storing the Face ID data that developers get, but even if they do, keeping hackers from getting it will be problematic.
So the question that needs to be asked is what to do about protecting that data? Does Apple have a way to require that it be encrypted or otherwise protected and if it does, will there be a means of enforcement?
These are questions that Apple and its developers need to answer and questions that users of such data need to find answers for.