Why the iPhone 8’s face-scanning tech could be a privacy disaster
There are few things more personal than a face. Every wrinkle, blemish, and freckle combine to tell a person’s story — an interactive and ever-changing map of one’s self unspooling over time.
Oh, and if smartphone manufactures have their way, that map will also soon be the preeminent key to your digital life. Unfortunately, that’s a problem.
Mashable spoke with about half a dozen experts who expressed concern that the push toward some form of facial-recognition tech will not only present an untold number of privacy concerns, but will actually make our devices less secure. Basically, it’s a lose-lose situation — albeit one that the smartphone makers of the world seem all too excited to drag us into.
“Absolutely people should be concerned.”
Companies like Apple, Google, and Qualcomm are charging ahead to make face scans the new biometric we’ll rely on for everything from unlocking phones to making digital purchases. Thumbprints, in the form of TouchID and similar tech, have for some time served this purpose, but early reports that the iPhone 8 will abandon this feature in lieu of a facial-recognition technology called Pearl ID make it clear which way the wind is blowing.
But at what cost? What will it mean when every cellphone stores some sort of detailed digital representation of our (surely) beautiful mugs? Is that really safer than an alphanumeric password? And what will happen when hackers — or government officials — come knocking?
Always on
Of particular note is one rumored feature in the forthcoming iPhone: resting unlock. Written as “accessibility.resting.pearl.unlock.” in the HomePod firmware leak, the speculation among developers is that this means the iPhone 8 will scan faces even when the device is lying face up on a table.
Basically, you won’t even need to touch your phone to unlock it (or make a purchase).
Sounds cool, right? But for that to work, facial recognition would need to be always on, a phrase that concerns Electronic Frontier Foundation Senior Staff Attorney Adam Schwartz.
“In general, ‘always on’ products raise special concerns,” Schwartz explained over the phone. He emphasized that “always on” features translate to always gathering information.
“Once the always-on device gathers information, it may be available to many kinds of people, contrary to the user’s intentions,” Schwartz said.
“These include external data thieves, who may break into the device or the data farm where content is stored; or internal employees of the company that makes the device, who improperly misappropriate customer content; or the police, by means of a subpoena or search warrant (depending on what the police are demanding). So, before technology users activate their always-on devices, they should think long and hard about the privacy implications.
“Once an adversary has our biometric there’s very little we can do about it.”
Jonathan Frankle, a second-year PhD Student at MIT’s Internet Policy Research Initiative, echoed those concerns.
“It’s a privacy issue that the camera on the phone will always be on,” he told Mashable in a phone interview. He added that it’s a similar privacy risk posed by devices like the Amazon Echo. That’s primarily because if you don’t need to activate the gadget before it captures data. The device, instead, will record all kinds of things that you don’t intend it to by default. Which, um, could get you in trouble.
And when it comes to a smartphone or the next iPhone, remember, there’s the added wrinkle of it always being on you — at least an Amazon Echo is restricted to your home.
Your face is key
Even putting resting unlock aside, however, Schwartz made it clear that his organization has numerous concerns with biometrics in general: everything from weak 5th Amendment protections (cops can force you to unlock your phone with a thumbprint), to biometrics being trivial to fake. But it’s facial recognition in particular that has him particularly worried.
“It raises unique issues of privacy,” said Schwartz. “Much more so than any other biometric.”
Why? Well, a host of reasons. It’s easy to snap a picture of someone in a crowd, or pull a high-resolution selfie off Instagram. With Samsung’s Galaxy S8 face unlock shown to be hackable with nothing more than a photo, this shouldn’t exactly inspire confidence in those concerned about security — especially because, unlike a password, you can’t as easily change your face.
“It’s like setting your password to ‘password’ then tattooing it on your forehead.”
“Once an adversary has our biometric there’s very little we can do about it,” Schwartz warned.
To make matters worse, according to Frankle, current facial-recognition tech just isn’t that good. “Experts in the field widely agree that facial-recognition technology is not as accurate as fingerprint technology. Period.”
But that’s only the tip of the iceberg. Questions on the security of your specific device aside, Schwartz believes that a major company possessing a detailed map of your face isn’t the best idea.
“Absolutely people should be concerned,” said Schwartz. “What else is the company going to be doing with the face [scan]?”
That’s a question that Dan Tentler, a security researcher with The Phobos Group, has a few thoughts on.
“If you want to put your tinfoil hat on, imagine the scenario if Apple or Google were caught phoning home all that facial recognition data and keeping their own database of faces,” wrote Tentler over email. “We know they already do it to some degree, but what does that mean for consumers? If [consumers are] using their faces as a form of authentication, but doubly are the types to buy selfie sticks and littering pictures of themselves everywhere. It’s like setting your password to ‘password’ then tattooing it on your forehead. Then becoming a television news anchor, or a vlogger, or something.”
What do the companies have to say about all of this? Qualcomm, for its part, insisted that it’s taking security and privacy concerns seriously when it comes to the next generation of its Snapdragon chips (which could power advanced facial recognition in Android phones).
“While the [original equipment manufacturer’s] authenticator software implements the recognition itself, it enforces privacy by utilizing many features of the Snapdragon Mobile Platform,” said senior director of product management for Qualcomm’s Snapdragon security team, Sy Choudhury, in an email to Mashable. He added, “These are all steps that lead to the end-user’s face data being secure and private.”
We reached out to Apple for comment, but the company declined through a spokesperson. Google did not respond to our request as of press time.
Nuts and bolts
Of course, the specifics of the system matters — a fact that Jim Dempsey, the Executive Director of the Berkeley Center for Law & Technology, made clear over email.
“Will the process store your photo (most people’s phones already store a lot of selfies) or only the numerical result of the facial mapping process,” he told Mashable in an email. “Will photo or map be stored only on the phone or will it be stored in the Apple or Google cloud? The answers to these design questions will tell us a lot about the privacy implications of the system.”
In addition to larger questions of system design, the means by which a phone gathers the faceprint itself is important. Apple might employ infrared for 3D-visage mapping that could alleviate some of the security concerns expressed by Frankle, but even so, he was quick to insist that “infrared has its own challenges.”
I can confirm reports that HomePod’s firmware reveals the existence of upcoming iPhone’s infra-red face unlock in BiometricKit and elsewhere pic.twitter.com/yLsgCx7OTZ
— Steve T-S (@stroughtonsmith) July 31, 2017
What the phone actually considers a “face” will also come into play. Adam Harvey, a researcher and artist who’s explored confusing facial-recognition systems with what he’s dubbed CV Dazzle and HyperFace, explained that the next wave of face-oriented biometrics will likely rely on numerous elements of a person’s physical makeup.
“Although facial recognition seems to get the most attention in media reports, using a face alone is already an outdated approach for high-security facilities,” Harvey told Mashable. “It’s likely that the new biometric capabilities of the iPhone will employ a multi-modal approach combining fingerprint, face, iris, pupillary, and perhaps blink or liveness detection to improve the overall resolution and accuracy of the authentication.”
Even so, no biometric lock is perfect. Schwartz made this point loud and clear, emphasizing that no matter how secure the system is today, scientists (and later hackers) will always find a way to beat it tomorrow.
Moving forward
So where does this leave us? Should we be upset that Apple, Google, and Qualcomm are potentially making our devices less secure while simultaneously exposing our biometric data to greedy third parties — all for what amounts to bells and whistles?
Welp, when it comes to concerns that the government may want access to any biometric data stored by smartphone manufactures, Dempsey says that ship has already sailed.
“[The] danger is that a little bit down the road facial recognition gets normalized.”
“[Don’t] forget that government agencies in the US already have substantial biometric databases,” he reminded us. “All the states have photo databases of everyone with a driver’s license, and about half the states allow police departments to search those databases. As of 2016, the FBI had access to the DMV databases of at least 16 states.”
In other words, the FBI doesn’t need to run to Apple to get a scan of your face — they just have to ask the DMV.
So is there anything we can do about, well, any of this? Thankfully, if your goal is simply to keep your phone locked down, the answer is “sure.” It’s always been a better idea to use a strong alphanumeric password to lock one’s phone instead of just a thumbprint, and the impending wave of facial-recognition tech won’t change biometrics’ place in that hierarchy. (Using both forms in conjunction with each other, on the other hand, is a decent idea.)
Still, the more we rely on our face to serve as key to our phones, bank accounts, and digital life at large, the more corporations and government agencies we must permit to scan, categorize, and store one of the few remaining things that make us unique. And the more copies that exist out there, the easier it will be for hackers to exploit the impending wave of FaceID.
“[The] danger is that a little bit down the road facial recognition gets normalized,” said Schwartz. “Where is this going to stop?”
Does this matter to you now? Maybe, maybe not. But it probably will when someone drains your bank account using nothing more than a photo they pulled off your Instagram account.