You’d have to have been living in a cave to miss Apple’s two big announcements last week: the iPhone 8 and the iPhone X.
As ever with Apple announcements, there’s a lot to be excited about here (and a lot to be unsure about), but those of us in the privacy world can’t stop talking about one particular thing:
Facial recognition technology.
The iPhone X has scrapped the fingerprint reader of previous generations in favour of the new Face ID, which uses a 3D scan of your face to act as the password to unlock your phone. It also replaces Touch ID for Apple Pay, which may be more worrying.
Apple’s reasoning for this move is based on convenience. It takes just a split second (theoretically) for Face ID to scan your image and open your phone, and you don’t even have to be holding it.
According to Apple exec Phil Schiller:
With the iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been more simple, natural, and effortless. This is the future of how we’ll unlock our smartphones and protect our sensitive information.
But a huge question remains: Is Face ID secure enough to protect your information? Let’s look at the potential risks—and Apple’s response.
Having your face used against your will
Sounds weird, I know, but one of the main risks of facial recognition as a security measure is that your face can be used by someone who isn’t you. Maybe a thief restrains you and holds your phone up to your face. Boom: unlocked. A customs agent or a police officer does the same? Unlocked. If an authority figure is attempting to make you give up your password, you can invoke the Fifth Amendment protection from self-incrimination. You can’t do that if the password is your face and they use it without your consent.
Apple claims that you’ll have to look directly into the screen in order to unlock your phone using Face ID, though that doesn’t seem to be a perfect solution and it’s not clear exactly how this will work.
Having a photo used instead of your face
This has long been a criticism of facial recognition technology, and one that’s been hard to overcome. Both Samsung and Android have attempted versions of this before, and both have been shown to have been fooled by photos or photoshopped images, which means that security is heavily compromised.
Apple seem to have put a lot more into this technology than other companies have before. The iPhone X’s camera can apparently sense depth and read the shape of your face, meaning that 2D images should not work as they would be recognised as flat images. However, the now infamous demo fail, when the iPhone X apparently failed to read Craig Federighi’s face and therefore wouldn’t unlock, displays a related issue here. What if the tech just isn’t as good as it says it is?
Having an identical twin
What if someone has an almost identical face to yours?
Yeah, that’s an issue. You better trust your siblings.
And another thing…
It’s not just the risks of misuse that make facial recognition technology potentially harmful for user privacy. Human faces contain a lot of information that can tell people a lot more about the person: their race, their physical features, their mood, their approximate age and potentially their gender. Any tech that uses the human face in this way normalizes the sharing of this information. This is inherently a threat to user privacy.
In addition, to an extent the iPhone X’s sensors will always have to be on, scanning for faces in whatever is in front of it. This means that it could gather data that users are unaware of—and if the sensors were hacked, they could be used to capture a hell of a lot of information about the user, including their physical location.
As ever with new technologies like this, the proof is in the pudding. It’s only when Face ID gets out into the hands of consumers that we’ll really understand the impact it has on privacy and whether or not facial recognition is a viable security alternative to fingerprint identification or the more traditional passwords.
But, as ever with Apple advances, it’s going to be interesting to find out.