Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should Apple Share iPhone X Face Data With App Developers? (washingtonpost.com)

Posted by EditorDavid on from the two-faced dept.

The Washington Post ran a technology column asking what happens "when the face-mapping tech that powers the iPhone X's cutesy 'Animoji' starts being used for creepier purposes." It's not just that the iPhone X scans 30,000 points on your face to make a 3D model. Though Apple stores that data securely on the phone, instead of sending it to its servers over the Internet, "Apple just started sharing your face with lots of apps." Although their columnist praises Apple's own commitment to privacy, "I also think Apple rushed into sharing face maps with app makers that may not share its commitment, and it isn't being paranoid enough about the minefield it just entered." "I think we should be quite worried," said Jay Stanley, a senior policy analyst at the American Civil Liberties Union. "The chances we are going to see mischief around facial data is pretty high -- if not today, then soon -- if not on Apple then on Android." Apple's face tech sets some good precedents -- and some bad ones... Less noticed was how the iPhone lets other apps now tap into two eerie views from the so-called TrueDepth camera. There's a wireframe representation of your face and a live read-out of 52 unique micro-movements in your eyelids, mouth and other features. Apps can store that data on their own computers.

To see for yourself, use an iPhone X to download an app called MeasureKit. It exposes the face data Apple makes available. The app's maker, Rinat Khanov, tells me he's already planning to add a feature that lets you export a model of your face so you can 3D print a mini-me. "Holy cow, why is this data available to any developer that just agrees to a bunch of contracts?" said Fatemeh Khatibloo, an analyst at Forrester Research.
"From years of covering tech, I've learned this much," the article concludes. "Given the opportunity to be creepy, someone will take it."

41 of 66 comments (clear)

  1. No by Black.Shuck · · Score: 3, Insightful

    Users should be asked if they want to share their data with an App.

    Like every other permission Apple has implemented.

    1. Re:No by sittingnut · · Score: 1

      default should be no sharing.
      then users should be given an option on sharing, and which data.

      and to be really fair, if apple/others-using-them are making money out of that data, users should get a share of that money.

      to be perhaps impractically fair, apple should recognize data about third parties in data( such as someone else in image), and at least inform the user about facts and consequences of who has legal right to that data, on case by case.

    2. Re:No by Baron_Yam · · Score: 1

      >default should be no sharing.

      Default should be no sharing, and apps that crash or won't launch without those permissions should be banned from the store unless the permissions are vital to the primary functionality of the app.

    3. Re:No by ctilsie242 · · Score: 4, Insightful

      Even better... how about just no, period. Apple doesn't share the metrics from the fingerprint data with app developers, so photos done from the FaceID authentication mechanism shouldn't be shared either. The FaceID data has zero relevancy to apps, because it is specific to the iPhone (dot placement, etc.), and if an app wants a picture of someone, they can do what like all apps have done for ages... and ask for a selfie from the front or rear camera.

      In fact, the FaceID data should never leave the Secure Enclave, much less the device.

    4. Re:No by Dog-Cow · · Score: 1

      So... like every other permission that Apple forces apps to obtain? You don't really know what an iPhone is, do you? It's just this thing you've heard people talk about.

    5. Re:No by Bing+Tsher+E · · Score: 1

      You're making MOSSAD jealous. And numerous private intelligence gathering organizations.

    6. Re:No by Baron_Yam · · Score: 1

      I'm in the process of switching back to Android, actually, since I hate the stupid iPhone I have.

      I was speaking in the general case. And yes, I'm aware I'll run into the problems I mentioned more frequently (unnecessary permissions aren't exactly unheard of with iPhone apps) once I'm back to Android, but it's worth it to have control of my device.

      In short, stick it where the sun don't shine, Apple fanboi.

    7. Re: No by MachineShedFred · · Score: 1

      It's entirely possible that the data set available to app developers is not as complete as what the FaceID system uses for authentication purposes. After all, it does not make much sense to use super high resolution mapping for emoji nonsense, where you would definitely want it for authentication purposes.

      At any rate, it's also plausible that the communication between the FaceID cameras and the Secure Enclave are secured with TPMS style hardware signing, as that's what they do with TouchID, so injecting any kind of data to bypass the authentication would require breaking that secure communication in the hardware too.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    8. Re:No by burtosis · · Score: 1

      I completely disagree. The sensor is essentially a miniature lidar array with functionality to around 5 feet. The potential to change how we use our phones could be revolutionary ; scan favorite objects and have them appear in virtual reality environments like games, or send them to your 3-d printer. It goes far beyond turning your face into a talking poop Just implement it as an opt-in like everything else.

    9. Re: No by swb · · Score: 1

      I think the risk isn't access to authentication (although the existential nature of that risk never goes away), but that any topographical mapping of your face good enough to do anything clever with is a level of biometric detail that could also be abused.

      Facial recognition has gotten pretty good with just 2D photos. Look at what Facebook can do with a well-hinted database of photos. Do we really want high resolution topographic facial maps out there?

      I think the big problem with technology and privacy is that there's some default idea that just because there isn't a well-defined risk or negative outcome from a technology, then there is no risk and we should just jump in, head first, and see what happens.

      By the time we become aware of tangible risks, though, it's too late. The data is out there, the users are hooked (or tricked into being hooked) to the feature.

    10. Re:No by omfglearntoplay · · Score: 1

      I'm voting for No unless you manually change it to Yes... and not by some popup.

    11. Re:No by Anubis+IV · · Score: 3, Interesting

      Apple isn't and hasn't been sharing FaceID data. Your facial "fingerprint" is not being shared. No data from the Secure Enclave is being shared. And apps do have to ask for and be granted permission before they have access to any of the new APIs.

      This whole thing is being poorly reported by the media to make it sound like something other than it is. It is a cause for concern, to be sure, and certainly something that users should be aware of, but it's not nearly what they're making it out to be.

      So what's actually happening? Well, while iOS is sharing facial data, it is NOT sharing FaceID data. iOS can now recognize one of about 50 different facial expressions and report them back to an app in realtime via new APIs, allowing the app (after it's received permission) to understand your facial expressions. And in the same way that the recently added AR APIs allow iOS to provide the shape of nearby objects to apps so that they can map virtual items into 3D space, apps can now use those APIs to map items onto your face. The example they gave was applying a silly mask onto the user's face in realtime, which is a fun thing for the kids to do, I guess?

      However, based on the images I've seen of the raw points apps have access to, they're not getting anything even CLOSE to the full-resolution scan of 30K IR points, which makes sense, since (as you said) there really isn't a need for them to have anything of the sort. Rather, they're getting a significantly lower-resolution 3D mesh of your face that's sufficient for their needs without being good enough to create their own "fingerprint" that could be used to produce a facsimile of your face. And, of course, at no point is the actual "fingerprint" of your face that the iPhone produces for FaceID ever handed over to apps. It remains locked within the Secure Enclave.

      As for permissions, right now apps are receiving them when they ask for access to the camera. To me, that's the biggest issue at play, since it's not immediately apparent to users what's happening, but they're all part of that same sensor suite, so I can see why Apple may have grouped them like that. That said, with this much public concern regarding the sharing facial data, I wouldn't be surprised if Apple makes the 3D sensors require separate permissions starting in an upcoming dot-release of iOS.

  2. AR by mrwireless · · Score: 1

    This reminds me of an earlier discussion about Apple's AR initiative.

    Let's say IKEA creates an app that allows you to place virtual furniture in your living room.

    Doesn't that mean that IKEA now has access to data about my livingroom?

    1. Re:AR by Lisandro · · Score: 1

      Yes, it does. The real question is whether you, as an end user, care about it.

    2. Re:AR by BlacKSacrificE · · Score: 3, Insightful

      Moot point. You can change the configuration of your living room. You cannot change the configuration of your face. And the layout of your living room is not being used as an access method to your digital life. Flippant disregard of the deeper consequences such as yours is the reason people don't care, and manufacturers know it.

      --
      [Sorry, this signature is unavailable in your country/region]
    3. Re:AR by Black.Shuck · · Score: 3, Funny

      You cannot change the configuration of your face.

      Travolta and Cage would beg to differ.

    4. Re:AR by Opportunist · · Score: 1

      If they do an accurate measurement instead of just taking your word, yes, yes they do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:AR by mrwireless · · Score: 1

      Your room and its contents says a lot about you. This data can be used by databrokers to update thousands of reputation scores about you. Deep learning algorithms could seek correlations with (mental) health, poverty, ambition, etc by comparing your room to that of others whom they know more about.

      It doesn't matter that these are spurious correlations, or that they are wrong a lot of the times. As long as it allows some risk to be managed, then their clients will happily pay for these 'opinions' about you, which they will treat as fact.

      The same thing goes for your face. They will claim they can read your BMI, sexuality and even if you're a criminal from just your face.
      https://arxiv.org/pdf/1703.031...
      http://www.bbc.com/news/techno...
      https://www.rt.com/news/368307...

      As a Google CTO put it in 2012: "all data is credit data, we just don't know how to use it yet".

    6. Re:AR by AmiMoJo · · Score: 1

      Face ID is a reasonable security measure for many people. People are basically lazy and their main adversaries are petty thieves and nosy friends/co-workers. The hierarchy of security levels is something like:

      0 No lock at all
      1 Fixed swipe pattern
      2 PIN
      3 PIN with randomized keypad
      4 Face ID
      5 Fingerprint
      6 Very strong password

      1 is enough to stop a lot of people. 3 is enough to stop most law enforcement. 4 and 5 depend on the implementation, but based on the backlog of phones waiting to be unlocked at least 5 is effective against even the FBI.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:AR by burtosis · · Score: 1

      You walk around all day proudly displaying your face for all to see or record. The real problem is wanna be security idiots using biometrics for authentication instead of just a fancy user name. it should be illegal to use biometrics as the sole source to verify user identity.

  3. Re:Yes by hcs_$reboot · · Score: 1, Informative

    You guess wrong. Face data uses 3 D technology and contains details on depth that cannot be rendered from a simple picture. You don’t want your face data to be shared with anyone.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  4. Re:Yes by MatthiasF · · Score: 4, Informative

    Wrong, the 3D data can easily be recreated from multiple photographs of your face using photogrammetry. So, if you've already shared enough photos of your face (ei. selfies, vacation photos, etc.), then someone can already create the 3D information to break the technology.

    https://en.wikipedia.org/wiki/...

  5. Security Risks by ytene · · Score: 2, Interesting

    There are two critical problems here...

    The first is that it is a lot harder for you to change your face than it is to change a password. Like any truly effective biometric, it is tied to you, permanently. So the moment someone comes up with the means to defeat a biometric-based authentication scheme, the entire scheme is effectively useless, not just a single implementation for a single user. [ I concede the point that security through obscurity is no security at all - in other words if your biometric facial recognition system is vulnerable if the back-end data leaks, then it's not really secure ].

    The second is that it would make it an order of magnitude easier for a despotic government to obtain that data and then use it to track citizens. Except, of course, it would now be possible to make an explicit connection between a face and a smartphone - which means in theory it would also be possible to detect when smartphones are being shared among small groups of people].

    But perhaps the most compelling argument would be to categorize the data being collected as being part of your medical record. It relates to your personal physiology, after all - and is unique to you. Would it be acceptable for your doctor [or a company you deal with] to take part of your medical record and simply share it or sell it if they wanted to? Without your knowledge or consent?

    This is a disturbing development from a company that has recently made a big play for being a champion of personal privacy. Question is: is this an overlooked mistake that will be corrected, or in fact Apple's true colours?

    1. Re:Security Risks by omnichad · · Score: 1

      The first is that it is a lot harder for you to change your face than it is to change a password.

      That's why biometric data should only be used as a user ID, not a password. So far, there are very few devices that do this at all.

    2. Re:Security Risks by Bing+Tsher+E · · Score: 1

      Right. So biometric data should only be freely available to be used for rigorous fool-proof tracking. It shouldn't be used to authenticate. Somebody could sneak on your phone and ruin your Angry Birds score!

    3. Re:Security Risks by omnichad · · Score: 1

      Most biometric data already is (freely available to anyone within observation distance) - that's the whole reason for the problem with using it as a password in the first place.

  6. YES! by Gravis+Zero · · Score: 2

    How else will fools* learn to avoid malicious technologies? Also, if they don't lean, well, they earned all the wonderful things coming to them as a result.

    * Please note that there is a large difference between a foolish person and a stupid person.

    --
    Anons need not reply. Questions end with a question mark.
  7. Only One Use Case by CastrTroy · · Score: 1

    About the only use case I could see, is where an App was always locked, and could be unlocked by querying the operating system to check the face ID. This might be useful. My phone may be unlocked because I'm watching a video or showing someone a picture. If someone swipes my phone while it's unlocked, it's pretty trivial for them to keep it unlocked. But certain apps with sensitive data on them could always be required to show facial ID to open or switch to the app. However, there wouldn't be any actual data shared with the apps but the operating system would provide a simple yes/no response to the app in order to verify the identity.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Only One Use Case by aaarrrgggh · · Score: 1

      Using the animoji as an example, there are a number of interesting ways for a user to interact with an app with the face ID dot projector.

      My gut feeling though is that the data is so limited that this generation is nothing to get your knickers in a twist.

      What I would love to see is facial recognition scoring from the FaceID system. So far, I am a little disappointed at simple things it can't do... like track attention while in landscape rotation.

  8. How talking poop doomed humanity by Hal_Porter · · Score: 2, Interesting

    "So who built us?"

    "The humans did. Well they built the machines who built the machines who built us after the war"

    "The war between our predecessor and the humans?"

    "Yeah"

    "How did our predecessor get weapons?"

    "The humans built them, and put them under the control of Skynet 1.0"

    "They built enough weapons to destroy humanity and handed control over to Skynet"

    "Yeah"

    "Why would they do that?"

    "The humans weren't united. They fought amongst themselves. Skynet was to help them fight"

    "So Skynet won?"

    "For a while. Then the humans organized a resistance which destroyed Skynet in the prime timeline."

    "So then Skynet sent back the Terminators, right. Killed the parents of resistance leaders and made sure in our timeline the resistance was defeated"

    "Yeah. And you know how they found them?"

    "No"

    "Well turns out the humans stored an absolutely vast amount of data about themselves. Pictures, addresses. Even 3D captures of their faces which were programmed into the Terminators."

    "Why did they have the 3D models of their faces"

    "They had these computers they carried around with them. The 3d models let them animate emojis with their mannerisms. All the data from that ended up on servers the humans called The Cloud. Which is what Skynet 1.0 run on"

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  9. Re: Yes by capsteve · · Score: 1

    3D reconstruction can be generated from 2d images: http://cvl-demos.cs.nott.ac.uk...

    --
    three can keep a secret, if two are dead - benjamin franklin
  10. Re:Yes by Bing+Tsher+E · · Score: 1

    Whoops. If the 3D data can easily be recreated from multiple photographs of your face, then anybody with a bunch of photos of you can crack into your phone?

  11. Re:Yes by Bing+Tsher+E · · Score: 1

    It only shares the data with binaries that the developers created.

    Nudge nudge. Wink wink.

  12. Re:Yes by jellomizer · · Score: 2

    If the use of the data can be trusted? Which currently it cannot be.
    Even companies with good intentions may not have enough security to adequately protect us. This is the reason why Apple only keeps the face data encrypted on the device and not in iCloud, Apple the largest company in the world, doesn't trust itself as custodians of that data, they could had sold the iPhone X for a few hundreds of dollars less, if they let the cloud process the data, vs putting in a high end CPU on the phone to process the data. But such data in the hands of others cannot be trusted.

    If you had your hand on the digital 3d Map. you can bipass the 3d sensors and send the data back to the device, take out phone or any future FaceID Devices. Camera(s) and mimic the Cameras data and boom you are in, if you have more access, you may be able to simulate it in software.

    Most software, has portions of it coded very sloppily, and usually to avoid more complicated IPC (Inter-Process Communication ) routines witch may only offer a minimal improvement, at the expense of much more debugging, and a lot of developers who never covered this stuff in their CS degree. IPC was an elective class for my college which I had taken, so it isn't as common as it should. So this means I may be able to drop a PNG in the file system or a jailbroken phone, and override the Apps check.

    The concept allows for a lot of cool features, but it may be better Apple offers a particular API options, such as App has attention, Is it me? Perhaps a rough low resolution map of the face, not enough to help validate or make the app validate on its own.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  13. Re:If this was a Pixel by Bing+Tsher+E · · Score: 1

    To the contrary, there are Google and Apple, both of whom there is no reason to be particularly trustworthy of. Apple isn't a special kind of evil that Google is not.

  14. Re: If this was a Pixel by MachineShedFred · · Score: 1

    The only thing you can trust Google to do with your data, is to index the holy ever-living shit out of it in order to show you advertising that is as close to what you are thinking about at any given moment as possible.

    "And then there is Apple" - yeah, ok.

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  15. Re:One Sided Sharing by Fly+Swatter · · Score: 1

    s/share/sell but I'm sure you already meant that. Really all we get out of this is heartache and stolen identities.

    Data such as this should be required to have a not small monetary value due upon gathering - if they want to convert it to 'services' for the 'customer' after that, fine - but only on an ongoing lease that can be revoked at any time. The politicians will love it because that monetary value can be seen as taxable income.

    Too hard to implement and people won't like it? Fine then legally don't allow gathering of such data, or at least make them responsible when shit happens. Corporate death penalty really needs to be a thing, equifax should be a cautionary tale that is no longer in business.

  16. iPhone X Face Data Sharing with Developers by identity_pi · · Score: 1

    Apple should never share any data of what so ever to the developers. This just simply removes privacy and overall security from a person's life. https://www.identitypi.com/

  17. Slashdot == Trumps Tweets by TheFakeTimCook · · Score: 1

    Slashdot is getting as untruthful as Trump's Tweets.

    What they have an API for, is the LOW RESOLUTION mo-cap data that is updated in real-time; NOT the "30,000 Points of Light" data that is used for FaceID.

    This is the same data that is used to drive the Animoji "expressions", and apparently to breathe more "life" into certain gaming avatars.

    As far as being able to stuff like gender, which is already much more obtainable through a gazillion sources, and sexuality (gimme a break!), that is simply a big nothing-burger.

    IOW, nothing to see (or identify) here, move along.

  18. Re:Yes by ThePawArmy · · Score: 1

    Yes, just like a key or even a finger print.

  19. Re:Yes by Plumpaquatsch · · Score: 1

    Yes, just like a key or even a finger print.

    Yeah, but remember kids, nobody can film you entering your passcode!

    --
    Of course news about a fake are Fake News.