Privacy advocates express concern over Apple allowing developers to use iPhone X Face ID c...

Posted:
in iPhone
A series of privacy advocates are taking issue with Apple allowing developers to use the TrueDepth camera central to the Face ID system under limited circumstances -- and with serious restrictions applied by Apple to what coders can use the data for.




A report on Thursday morning by Reuters notes that Apple's terms for developers allows app creators to utilize "certain facial data" such as attaching an augmented reality mask to a user's face. Additionally, some data can be collected by the developers -- assuming they get "clear and conspicuous consent" from the user.

Apple is disallowing access in any way to stored identification data. Under debate is any developer use of the TrueDepth system associated with Face ID.

"The privacy issues around of the use of very sophisticated facial recognition technology for unlocking the phone have been overblown," said Jay Stanley, a senior policy analyst with the American Civil Liberties Union. "The real privacy issues have to do with the access by third-party developers."

Apple's terms specifically prohibit developers from using the face data for advertising or marketing, or generating user profiles to identify anonymous users. Also disallowed is selling the data to others who may use the information.

Clare Garvie, an associate with the Center on Privacy & Technology at Georgetown University Law Center said that Apple's terms for developers are clear that the technology is a "user experience addition" and not one for advertising.

An Apple corporate employee not authorized to speak on behalf of the company told AppleInsider that what developers are allowed to use is "profoundly, seriously limited" and isn't precise enough to be utilized to build a third-party facial recognition database, even if users allow their data to be collated.

The issue isn't developers that adhere to Apple's policies. Advocates are concerned about rogue developers who may use the Face ID system unscrupulously and surreptitiously.

Apple already requires discrete permission to be granted per app to use a camera in the first place. At this time, it is unclear if there is a required dialog box for users to agree to to allow developers to collect Face ID data.

"Apple does have a pretty good historical track record of holding developers accountable who violate their agreements, but they have to catch them first - and sometimes that's the hard part," Stanley said. "It means household names probably won't exploit this, but there's still a lot of room for bottom feeders."

The Face ID system, and the True Depth camera are debuting with the iPhone X -- which will be in customer's hands on Friday. The technology is expected to migrate to Apple's entire fall 2018 line of iPhones.

Comments

  • Reply 1 of 18
    Apple have already said it's a low poly mesh. That's the sort of thing that's good for a Snapchat filter, but that is worlds away from ID. Rather, it's the existing camera that's in every smartphone which would be far superior at building out an identification database.

    Also take a moment to appreciate what Facebook and Google Photos are already doing with access to your images.
    edited November 2017 radarthekatrob53jbdragoncaliracerhomiechialostkiwichasmSendMcjakjony0
  • Reply 2 of 18
    Don't know if it's possible, but I guess I'd be concerned if an advertiser were able to somehow tie my face with some product I was looking at, then implemented some magical technology that could ID me while walking down the street or entering a store and flash an ad on a sign related to the product I was looking at earlier.
  • Reply 3 of 18
    gatorguygatorguy Posts: 24,176member
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
  • Reply 4 of 18
    gatorguy said:
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
    There is no server side work to dirty. TrueDepth and Face ID work totally within the Neural Engine enclosed in the A11. Nothing goes to any server.
    racerhomielostkiwi
  • Reply 5 of 18
    gatorguygatorguy Posts: 24,176member
    gatorguy said:
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
    There is no server side work to dirty. TrueDepth and Face ID work totally within the Neural Engine enclosed in the A11. Nothing goes to any server.

    You very obviously didn't read the article before commenting. You should have.

    "Apple allows developers to take certain facial data off the phone as long as they agree to seek customer permission and not sell the data to third parties, among other terms in a contract seen by Reuters.

    App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer’s own servers, can help monitor how often users blink, smile or even raise an eyebrow."

    I'd invite you to comment again. 
    edited November 2017 muthuk_vanalingamSpamSandwichSendMcjak
  • Reply 6 of 18
    rob53rob53 Posts: 3,241member
    gatorguy said:
    gatorguy said:
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
    There is no server side work to dirty. TrueDepth and Face ID work totally within the Neural Engine enclosed in the A11. Nothing goes to any server.

    You very obviously didn't read the article before commenting. You should have.

    "Apple allows developers to take certain facial data off the phone as long as they agree to seek customer permission and not sell the data to third parties, among other terms in a contract seen by Reuters.

    App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer’s own servers, can help monitor how often users blink, smile or even raise an eyebrow."
    As @EsquireCats mentioned, Google, Facebook, and who knows how many other companies are already scanning photos users naively upload to servers. These companies can do anything they want to with your photos because you give them the authorization to do it (I'm sure it's in the fine print on every single web site that uses photos.) I just hope Apple only allows a rough map in their public api's and is very diligent in reviewing apps that might figure out a way to use the Face ID api's. 
    jbdragonunphocuschia
  • Reply 7 of 18
    Yep, the same nonsense of Touch ID launch time. People should get informed before they try to criticize something.
    unphocuscaliracerhomiechia
  • Reply 8 of 18
    gatorguygatorguy Posts: 24,176member
    Yep, the same nonsense of Touch ID launch time. 
    This is a tad different since Apple never let any Touch ID data go "off the phone" to a developer's server did they? Still no great concern, just a bit surprising IMHO.
    muthuk_vanalingamSpamSandwichicoco3
  • Reply 9 of 18
    gatorguygatorguy Posts: 24,176member
    Apple have already said it's a low poly mesh. That's the sort of thing that's good for a Snapchat filter, but that is worlds away from ID. Rather, it's the existing camera that's in every smartphone which would be far superior at building out an identification database.

    Also take a moment to appreciate what Facebook and Google Photos are already doing with access to your images.
    I'm not aware of Google doing anything within Google Photos that you haven't specifically wanted it to do. They aren't shared with 3rd parties unless you choose to share a specific picture or catalog with another person. They aren't permitted to be collected to a third party developer's server. They aren't used for advertising. They aren't monetized in any way AFAIK, unless selling you server space to store them counts. Is there something they've done with them that's a concern to you?

    Now Facebook is a different matter, tho I'm not quite as up-to-date with their use of uploaded images. I do know they do some psychological experimentation on their members and perhaps photos are a part of it? My wife finding herself "tagged" with her name in another person's photos was a bit unsettling to her. She did not realize Facebook could ID her. I suppose using a little caution if you're someplace you'd prefer not to be ID'd in might be wise as it seems almost everyone has a Facebook page anymore and most have dozens/hundreds of pics on their page.  Even if you don't have a Facebook account yourself you're not safe from being "tagged" and identified in some picture someone posts there.
    edited November 2017
  • Reply 10 of 18
    gatorguy said:
    gatorguy said:
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
    There is no server side work to dirty. TrueDepth and Face ID work totally within the Neural Engine enclosed in the A11. Nothing goes to any server.

    You very obviously didn't read the article before commenting. You should have.

    "Apple allows developers to take certain facial data off the phone as long as they agree to seek customer permission and not sell the data to third parties, among other terms in a contract seen by Reuters.

    App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer’s own servers, can help monitor how often users blink, smile or even raise an eyebrow."

    I'd invite you to comment again. 
    OK, what dirty work developers can do with This data, which can be removed from the phone and stored on a developer’s own servers ?

    Or, would Apple release any data that would allow developers to do dirty work "on their servers inaccessible to Apple"? Of course novice bright young urban entrepreneurs will always come forward to brag about their clever "hacking" of Face ID by putting moustaches on that girl's face.
  • Reply 11 of 18
    FaceID stored on the phone is the mathematical representation of users face, right? Third party don’t have access to it and send it to their own server, right? If that is so, then I see no privacy issue. 

    If if an app has given access to the camera and photos, then there’s a chance that a dishonest developer can take your photos, collect data about you, and use it to monetize data or whatever else they could think of (many scary possibilities).

    What is like to see happens is that when app needs access to camera, it should be very specific request; for example: “App need access to camera to take photo/video to be stored in your photo album” or something to that extent. The current request is just to generic for app to use camera. 
    racerhomie
  • Reply 12 of 18
    Rayz2016Rayz2016 Posts: 6,957member
    gatorguy said:
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
    I’m very surprised.

    When Google decided to sneak past a bug in Safari and track users who had specifically asked not to be tracked, it demonstrated that the unscrupulous cannot be trusted to toe the requested line. 

    Not sure this is such a great idea. 
    lostkiwi
  • Reply 13 of 18
    gatorguygatorguy Posts: 24,176member
    Rayz2016 said:
    gatorguy said:
    Personally I'm a little bit surprised Apple is allowing facial expression data to be used by 3rd parties this soon. TBH I don't know how they would actually police the use of it for activities that Apple wouldn't approve of. I would imagine unscrupulous devs would do dirty work on the server side which Apple wouldn't have easy/any access to. In any event it's not necessarily a big privacy issue, they're not sharing your photo. 
    I’m very surprised.

    When Google decided to sneak past a bug in Safari and track users who had specifically asked not to be tracked, it demonstrated that the unscrupulous cannot be trusted to toe the requested line. 

    Not sure this is such a great idea. 
    Yup, that's a good example. Google was being bad, no doubt IMO. Uber using a private Apple API to to spy on what is on your iPhone screen wasn't a shining moment either. Uber following users after the service violated terms too. Accu-weather discovered selling iOS location data to RevealMobile is yet another instance of a developer not toeing the line on Apple rules. While Apple may prefer something to be a certain way reality sometimes doesn't comply with it.
    edited November 2017
  • Reply 14 of 18
    jbdragonjbdragon Posts: 2,305member
    All anyone has to do is go to Apple's Whitepaper that they released for FaceID and learn a little something!!!

    https://images.apple.com/business/docs/FaceID_Security_Guide.pdf

    Look in "Other uses for FaceID".
    edited November 2017 racerhomie
  • Reply 15 of 18
    gatorguygatorguy Posts: 24,176member
    jbdragon said:
    All anyone has to do is go to Apple's Whitepaper that they released for FaceID and learn a little something!!!

    https://images.apple.com/business/docs/FaceID_Security_Guide.pdf

    Look in "Other uses for FaceID".
    This particular use isn't mentioned at all in the White Paper is it? I don't see even a suggestion that any Face ID related data could leave your phone, even something as innocuous as a general non-detailed mesh representation of your face and your associated facial expressions while using a developer's app.
    This must be a new use of the data that wasn't covered in the Apple White Paper. 
  • Reply 16 of 18
    foggyhillfoggyhill Posts: 4,767member
    Just more FUD... I don't know WTF is going on and so I am "concerned".

    My father is concerned all the time, but that goes wit the territory, at 98, his grasp of the complexity of the world is reduced.

    That's basically the same thing, but for those "privacy advocate". The thing you don't understand frightens you.

    If they're concerned now, wait till those devices are in private hand and scan anything that moves without any regard on their property and in front of their property and then this gets aggregated by some broker who will buy it for money.
    Internet of things devices with those capabilities will occur in 3-5 years and will be everywhere, many of them android with almost no security, will be a much bigger concern but
  • Reply 17 of 18
    I think rogue apps can already ask you for access to your photos 
  • Reply 18 of 18
    MarvinMarvin Posts: 15,310moderator
    Apple have already said it's a low poly mesh. That's the sort of thing that's good for a Snapchat filter, but that is worlds away from ID. Rather, it's the existing camera that's in every smartphone which would be far superior at building out an identification database.

    Also take a moment to appreciate what Facebook and Google Photos are already doing with access to your images.
    If the mesh Apple shows in their videos is representative of the capture, it looks to be around 1000 vertices:



    https://developer.apple.com/videos/play/fall2017/601/

    The sensor projects 30,000 dots so it can't be more than this and they likely average over a few adjacent dots for a smooth result. The density increases where the surface changes more. The lower count helps with animation performance.

    AAA games use higher resolution meshes:

    https://wccftech.com/ryse-polygon-count-comparision-aaa-titles-crysis-star-citizen/

    Main Charachter Poly Count Ryse Star Citizen

    It would have to be combined with photo data for ID. Machine learning algorithms can extract pretty accurate meshes from images alone:

    http://cvl-demos.cs.nott.ac.uk/vrn/

    It can even do a better job than that if it starts with a detailed generic face model and then adjusts it to fit the shape of the person as it would have accurate shapes for the eyeballs, eyelids, nostrils, mouth, teeth, ears etc.

    Even with high resolution meshes and image data producing a 3rd party database, there's not much that it can be used for that would affect people. It might be useful to the medical industry, plastic surgeons, anthropologists, fashion industry to find potential models.

    It's not as if Apple has exclusive depth sensors either. Stores can put a Kinect-like sensor at the checkout when you pay for something.

    It would actually be quite useful to have developers able to access the high-res data from the sensor as they can make 3D scanners. Hold the device close to an object and move the camera around it to capture a model.

    Apple can prevent apps uploading data, they can put restrictions on apps that have face scanning and ask the user if they want to allow the app to send or share data. If not, network access and share access can be locked down while the scanner is active and any attempt to send new data either from memory or the filesystem has to be approved by the user.
Sign In or Register to comment.