One of the highlight features of the recently announced **Apple iPhone X** is **Face ID**. This feature, which is possible thanks to a TrueDepth camera sensor module located on the front of the phone, lets you unlock your phone, make payments and more using a face-unlocking mechanism. Face ID replaces the Touch ID feature seen on iPhones (and still present on the **iPhone 8 and 8 Plus**) as a biometric authentication technique.

[Image caption: Swipe up to close. Image: Apple.]

And as is the case with biometrics, the Face ID feature has raised privacy questions once again. But before we get into the security concerns, let us first look at how Face ID actually works.

**How Face ID works**

The notch you see on the top of the iPhone X houses a plethora of sensors, four of which are required to enable Face ID. These are, in order from left to right, an IR camera, an IR emitter that Apple calls a ‘Flood Illuminator’, a structured light emitter aka ‘Dot projector’ and the front-facing camera. This sensor array has been dubbed the “TrueDepth” camera system.

Here’s how unlocking the phone via Face ID works. As any Apple user will be aware, iOS 10 includes a feature called ‘raise-to-wake’, which does exactly what the name suggests. You pick up your phone, the device wakes up, shows you the lock screen, and while it’s doing that, starts scanning for your face. With iPhone X, you can also tap the screen to wake the device. Of course, using the power/sleep button is also an option.

The Flood Illuminator is basically an invisible torch light that shines on your face, illuminating it in a light spectrum that only an IR camera can see. The Dot projector paints your face with something like tiny lasers. These “dots”, 30,000 of which are projected on your face, are picked up by the IR camera and the data is used to create a 3D depth map of your face. All this processing happens aboard the A11 Bionic chip and never leaves the phone. The generated depth map is then compared to the original depth map of your face to authenticate.

The A11 Bionic chip’s machine learning algorithms can also “learn” your face, recognising you even if you change your appearance, says Apple.
Whether you grow a beard, cut your hair or wear sunglasses and a hat, the chip will learn to reliably authenticate your face. As Apple puts it, “your friends might not recognise you, but iPhone X will.”

[Image caption: Apple iPhone X’s TrueDepth sensor module]

Anticipating the counter questions, Apple has already said on record that the data captured by Face ID will be stored locally on the phone itself. In essence, Face ID is expected to work just like Touch ID in that the data will be encrypted and stored locally on the phone. This is done in a way that even Apple is denied direct access to the actual data.

Apple also announced on stage that it had used photographs and 3D face masks to try to fool the Face ID system. What it learned from these techniques helped train the Face ID algorithms to be more secure. Apple says that there is now a 1 in 1,000,000 chance that Face ID can be fooled. Identical twins could be the only exception in some cases.

#FaceID
Good: Design looks surprisingly robust, already has a panic disable.
Bad: Normalizes facial scanning, a tech certain to be abused.
— Edward Snowden (@Snowden) September 12, 2017

But that isn’t convincing enough for the US Senate and many activists. Even NSA whistleblower Edward Snowden, while praising the Apple iPhone X, said that the Face ID feature would normalise face scanning, a tech feature that has potential for abuse. And since we have seen facial recognition being spoofed so often on existing smartphones, the apprehensions are justified.

**Questions put forth by a US Senator**

US Senator Al Franken has penned a detailed letter asking Tim Cook specific questions about Face ID. Some of the questions are:

- Apple has stated that all faceprint data will be stored locally on an individual’s device as opposed to being sent to the cloud: So is it currently possible — either remotely or through physical access to the device — for either Apple or a third party to extract and obtain usable faceprint data from the iPhone X?
- Apple has stated that it used more than one billion images in developing the Face ID algorithm. Where did these one billion face images come from?
- Can Apple assure its users that it will never share faceprint data, along with the tools or other information necessary to extract the data, with any commercial third party?
- How will Apple respond to law enforcement requests to access Apple’s faceprint data or the Face ID system itself?

These are just four among the many questions asked. The questions cover a wide range of concerns which are quite valid. It remains to be seen if Apple will respond to each of these queries. Franken has asked Apple to respond to the questions by 13 October.

**Analysts also concerned**

Speaking to Macworld, Cloudflare security researcher Marc Rogers said that Face ID isn’t impossible to crack. He hinted that 3D printing a target victim’s face and showing that to the iPhone X may still give access to the device. Although Apple has claimed it has tested the iPhone X against 3D masks, the results of that weren’t demoed.

The 3D printed face theory is also seconded by Prof Kevin Curran, professor of cybersecurity at Ulster University. “Scans of our fingerprint are not out there on the web, yet images of our faces stare back at us from multiple social media profiles. Will someone 3D print your face and be able to unlock your phone?” asks Prof Curran.

The spectre of government agencies forcing Apple to give them access to the faceprints still hangs over consumers. The San Bernardino case is still fresh in everyone’s mind, where even though Apple took a stand against compromising on its values, the FBI went ahead and managed to crack the passcode to access the phone of the accused in the case. And would Apple have caved if the court ruled in the FBI’s favour?

A Wired column speculates how the Face ID feature could be used to track consumer patterns at Apple stores or to develop methods and sell this data to third parties. It also talks about how Apple’s total control over the hardware and software that enable this type of face-scanning could leave it facing government orders to turn its system into an app for mass surveillance. Apple needs to have plans to protect itself from such orders or directives, says the column.

So far, the iPhone X Face ID feature has only seen testing done by Apple. More insights can only be gained once the iPhone X starts selling in the markets and more people are able to use this feature. Till then, it would be really helpful if Apple answers the questions raised by US Senator Franken, which highlight, if not all, then most of the concerns any one of us would have about Face ID.