November 4, 2017 -
Privacy experts applauded Apple for assuring that facial data used to unlock its new iPhone X would be securely stored on solely the phone itself, however, these privacy promises do not apply to the thousands of app developers who will have access to facial data in order to create entertainment features for iPhone X users, according to a report by Reuters.
Last month, Senator Al Franken expressed his appreciation to Apple for addressing his privacy and security concerns over the Face ID facial recognition technology in the iPhone X.
Apple allows app developers to gain access to certain facial data stored on the phone as long as they agree to first obtain consent from the customer and not sell the data to any third parties.
Game developers will use the facial data to create a three-dimensional mask based on the iPhone X user’s face or a video game character that mirrors the player’s actual facial expressions.
These app makers can remove the facial data from the phone and store it on their own servers, which raises concerns among privacy groups such as the American Civil Liberties Union and the Center for Democracy and Technology about how effectively Apple can enforce its privacy rules.
Apple swears by the effectiveness of its enforcement tools, which include pre-publication reviews, audits of apps and the threat of banning developers from its App Store.
The company’s documentation about the face unlock system that it release to security researchers said the facial data available to developers cannot unlock a phone, as the process relies on a mathematical representation of the face instead of a visual map of it.
However, the ease with which developers can transmit face data to remote servers is troubling.
“The privacy issues around of the use of very sophisticated facial recognition technology for unlocking the phone have been overblown,” said Jay Stanley, a senior policy analyst with the American Civil Liberties Union. “The real privacy issues have to do with the access by third-party developers.”
Privacy experts are most concerned about marketers who track iPhone X users’ facial expressions in response to advertisements or content, despite Apple’s privacy rules prohibiting this kind of practice.
According to Apple’s developer agreement, app makers must “obtain clear and conspicuous consent” from users before obtaining or storing face data, and are only allowed to do so for a legitimate feature of an app.
The company’s iOS operating system asks users to give permission for an app to access to any of the device’s cameras.
Apple prohibits developers from using the face data for advertising or marketing, as well as from selling it to data brokers or analytics firms that might use it for similar purposes.
Apple also does not allow the creation of user profiles that could be exploited to identify anonymous users.
“The bottom line is, Apple is trying to make this a user experience addition to the iPhone X, and not an advertising addition,” said Clare Garvie, an associate with the Center on Privacy & Technology at Georgetown University Law Center in Washington.
Privacy experts are concerned about Apple’s potential inability to control what app developers do with face data once it is remotely accessed from the iPhone X, and whether the company’s disclosure policies effectively notify customers.
In addition to the company’s threat to kick apps out of the App Store, Apple’s other defense measure against privacy abuse is in reviewing all apps before they are accepted into the App Store.
However, Apple does not review the source code of all apps, but rather relies on random spot checks or complaints, according to 2011 Congressional testimony from Apple’s “privacy czar” Bud Tribble.