The eyes may be the window to the soul, but your face is almost certainly the door to your wallet. Oh, and also the last vestiges of your privacy.

Apple’s Sept. 12 unveiling of the iPhone X brought with it the official reveal of Face ID: face-scanning tech that will be used in lieu of Touch ID to both unlock smartphones and authenticate Apple Pay. But privacy experts, security consultants, and at least one sitting U.S. senators are concerned that the technology is ripe for abuse. So just how worried should you be?

Like so many things these days, that all depends on how much you trust your friendly neighbourhood  $800-billion tech, giant.

Perhaps the largest single worry about Face ID can be summed up with one simple question: Who, exactly, is going to get access to the data and tools the tech depends on to function? Apple has assured everyone that any biometric information (or mathematical representation thereof) gleaned from faces can be stored locally on a user’s phone, and not in some large cloud database. As such, the argument goes, there’s no cause for concern that hackers — or the U.S. government — will ever get access to a large repository of faceprints for the simple reason that it won’t exist.

The tools of the trade.

It’s a security measure similar to the one Apple implemented with Touch ID, putting a “mathematical representation” of your fingerprint in a so-called “secure enclave” located on the device itself. So far, that process has been (as far as we know) successful in keeping iPhone-gathered biometric data out of the hands of criminals or law enforcement (although there are still lots of great reasons not to use Touch ID).

But the face is different than a thumbprint, and those aforementioned assurances from Apple combined with the history of Touch ID weren’t enough for Sen. Al Franken, who on Sept. 13 wrote a letter to Apple CEO Tim Cook inquiring as to what happens further down the line. “Is there any foreseeable reason why Apple would decide to begin storing such data remotely,” asked the senator.

Essentially, Franken wants to know under what circumstances Apple would change its mind about how and where it keeps that data — as well as how technically feasible it would be for the company to move it off the phone.

Perhaps even more importantly, Franken is curious if Apple would ever hand access over to third parties such as advertisers.

“Apple has stated that has no plans to allow any third party applications access to the Face ID system or its faceprint data,” wrote Franken. “Can Apple assure its users that it will never share faceprint data, along with the tools or other information necessary to extract the data, with any commercial third party?”

This same tech will be used—by someone— to identify protesters, to figure out if you’re depressed or manic—and how to monetize that. https://t.co/WuY1oAVfly

— Zeynep Tufekci (@zeynep) September 12, 2017

This is not a random, paranoid concern. Online advertising companies already monitor whether displayed ads actually appear on a person’s computer screen, and data gleaned via the myriad of front-facing iPhone X sensors could feasibly take it even a step further — tracking eye movement and facial expressions as people browse the web or interact with apps on their smartphones.

If this doesn’t already creep you out, just let the implications of major corporations micro-targeting your ads (and collecting all the associated data on you) based on your every flick of the eye and passing mood sink in. It will, for example, be significantly harder than it already is to keep something as private as a pregnancy out of the clutches of Big Ad.

According to faculty associate at Harvard’s Berkman Klein Center for Internet & Society and New York Times contributor Zeynep Tufekci, that’s laying the groundwork for some really bad stuff.

It will be different. It won’t look like 1984 in most places. It will likely leverage the ad-tech infrastructure—Facebook and Google lead.

— Zeynep Tufekci (@zeynep) September 13, 2017

And she’s not the only one who thinks so. Noted NSA whistleblower Edward Snowden dropped into the debate surrounding mass facial-recognition technology, and his take wasn’t exactly reassuring.

#FaceID
Good: Design looks surprisingly robust, already has a panic disable.
Bad: Normalizes facial scanning, a tech certain to be abused.

— Edward Snowden (@Snowden) September 12, 2017

Sure, Apple isn’t the first company to have some form of faces can. However, according to Android Central, the technology powering Face ID is significantly more powerful than that of the face-unlock features found on the Samsung Galaxy S8 or on Android phones. Specifically, using what Apple calls the TrueDepth Camera system, the “shape data of your face in real time can be used for other purposes” than just unlocking your iPhone X. Other purposes like, say, gauging your receptiveness to certain targeted advertisements.

Considering that Apple frequently sets new industry standards and the fact that where Cupertino goes others follow, what we’re seeing with Face ID is likely only the beginning of what scholars like Tufekci fear could turn out to be an ad-driven surveillance state.

So where does all this leave us? On first glance, it appears that Apple has taken the security of the Face ID system itself seriously. Which, that’s a good thing. However, it’s what’s coming next that should concern us all. And, remember, when it comes to governments and corporations exploiting cutting-edge tech for profit and control, “what’s next” is typically just around the corner.

Advertisements