I’ve seen a number of crazy media pieces arguing that Apple’s Face ID technology has privacy implications and will enable government mass surveillance.
I disagree, and I think there’s a more sensible way to think about Face ID, phones and privacy.
Smartphones contain a great deal of personal information that is worth protecting, but because they’re so portable they’re often lost or stolen. Ideally, a phone would work only for its legitimate owner and no one else.
Fundamentally, the problem that PINs, Touch ID and Face ID are trying to solve is whether you are the phone’s owner.
Teaching an inanimate object how to recognise someone is a difficult problem. So in the smartphone world we’ve relied on proxies for identity:
- something you know, such as a PIN or a password
- some property of you, such as your fingerprint (Touch ID) and maybe now your face (Face ID).
In the real world, we quite often use ‘something we have’ as an assertion of identity (for example, a passport, driver’s licence or access card), but I’m not aware of that being used for smartphone identification.
All of these mechanisms are actually proxies for who you are, and don’t necessarily guarantee anything. PINs and passwords are often forgotten but can also be shared, stolen or guessed. Fingerprints can be copied and spoofed. Identical twins and doppelgangers exist, and no doubt someone will spoof Face ID.
One big advantage that biometric authentication methods such as Touch ID and Face ID have, to my mind, is that they directly address the question of who I am by looking at me. Authentication by PINs and passwords, by contrast, relies on arbitrary shared secrets that have absolutely nothing to do with me.
In my own life I recognise people by looking at them and that seems to work out okay, so at first glance it seems at least plausible that facial recognition might be an acceptable way to arrive at identity.
Assuming that the Face ID implementation is good enough for the average person—that is, there’s a low false positive rate (unlocking for the wrong person) and it’s hard to spoof—what are the implications for mass government surveillance?
The most worrisome scenario is that governments would immediately be able to access all Face ID data instantly for all users. I don’t believe that scenario: Face ID and Touch ID data is kept only on phones in Apple’s Secure Enclave; Apple fought government efforts to get data from a single phone; and Secure Enclave hasn’t publicly been hacked. Even if states have exploits, they are likely to be very high value and therefore not widely deployed because every time an exploit is used there’s a risk of discovery.
However, let’s assume I’m wrong and all smartphone data is accessible by governments. In that scenario governments already have your location, photos, messages, emails, chats, contacts and more. What extra information does Face ID provide? What other privacy concerns are there?
Governments will have better models of the shape of your head and Face ID will make them more confident that you are actually in possession of your phone, at least compared to a PIN. It’ll be easier for them to identify you.
But there are limits. It’s not clear that Face ID data would help pick you out of a crowd; Face ID will be optimised for authentication (Are you Tom? Yes/no) rather than identification (Who is this person?).
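To make the authentication-versus-identification point concrete, here is a small added calculation (not from the original post) showing why a matcher tuned to a low per-comparison false match rate for 1:1 unlocking does not translate into a usable 1:N search. The 1-in-a-million false match rate and the 25 million gallery size are assumed illustrative figures, not numbers from this post.

```python
"""
Verification (1:1) versus identification (1:N).

A phone unlock is one comparison: probe face vs. the single enrolled owner.
Picking someone out of a population is N comparisons, and false matches
accumulate across them. All figures below are assumed for illustration.
"""
import math


def p_any_false_match(fmr: float, gallery_size: int) -> float:
    """Probability that a probe falsely matches at least one of gallery_size
    enrolled templates, given an independent per-comparison false match
    rate fmr. Computed as 1 - (1 - fmr)**N using log1p/expm1 so tiny fmr
    values do not lose precision."""
    return -math.expm1(gallery_size * math.log1p(-fmr))


def expected_false_matches(fmr: float, gallery_size: int) -> float:
    """Average number of wrong people returned by one 1:N search."""
    return fmr * gallery_size


def fmr_needed_for(target_p_any: float, gallery_size: int) -> float:
    """Per-comparison false match rate a matcher would need so that a 1:N
    search over gallery_size people produces any false match with
    probability at most target_p_any (the inverse of p_any_false_match)."""
    return -math.expm1(math.log1p(-target_p_any) / gallery_size)


if __name__ == "__main__":
    FMR = 1e-6  # assumed: one false unlock per million attempts in 1:1 mode
    print(f"per-comparison false match rate (assumed): {FMR:g}")
    for n in (1, 1_000, 1_000_000, 25_000_000):  # 25M: rough national-scale gallery
        print(f"gallery={n:>10,}  P(any false match)={p_any_false_match(FMR, n):.3f}"
              f"  expected false hits={expected_false_matches(FMR, n):.2f}")
    # What the matcher would need for a 1-in-100 chance of any false hit
    # when searching a million people: several orders of magnitude tighter.
    print(f"FMR needed for 1% at N=1e6: {fmr_needed_for(0.01, 1_000_000):.2e}")
```

The same threshold that unlocks one phone wrongly once in a million tries returns dozens of wrong people per query against a national-scale gallery, which is why an authentication-oriented system is not automatically an identification tool.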
Remember also that governments potentially already have access to large datasets—such as driver’s licences, passports and mugshots—that they already own and can use without the need to either compel Apple or somehow subvert Apple’s infrastructure. Australia’s federal government, for example, already has passport data and is reportedly seeking access to driver’s licence photos from state governments for a national facial recognition database.
Really, though, if you’re concerned about mass surveillance and government access to smartphone data you should be throwing away your phone rather than worrying about the incremental privacy problems of Face ID.
Personally, I’ll wait and see how well Face ID is implemented when the iPhone X is released. If it works well as an authentication mechanism, I’ll consider using it. But I won’t worry about mass surveillance.