Senator Al Franken has some concerns about the iPhone X’s new feature, Face ID.
The feature, as Apple displayed on stage (or tried to) during its most recent iPhone event, takes an algorithmic approach to unlocking a phone by mapping your face with sophisticated sensors. Unlike previous attempts in facial recognition, Apple’s sensors use multiple reference points, including the distance between facial features and depth readings that map facial contours.
It claims the technology is infallible, and can even work when you’ve changed your appearance. In fact, Apple doubles down on the claim by suggesting the chance of a random person unlocking your phone is one in a million (as opposed to one in 50,000 for Touch ID).
But still, we live in a world where ambient light sensors could track browsing behavior, police listen in on cellphone conversations without a warrant, and the DOJ goes out of its way to get Apple to betray its users by unlocking an iPhone.
It’s only natural to be a little skeptical.
Minnesota Senator Al Franken shares your skepticism.
Recently, Sen. Franken penned a letter to Apple CEO Tim Cook and laid out a few concerns. Chief among these was ensuring Face ID details were saved to the phone itself, not stored in the cloud on Apple servers — something Apple promised us wouldn’t happen at its latest event. Edward Snowden weighed in, as Edward Snowden does, stating Face ID normalizes facial scanning, and it’s “a tech certain to be abused.”
Sen. Franken is also worried about the implications of law enforcement requests demanding Face ID data, a reasonable fear after last year’s iPhone 5C debacle.
And security issues aside, Sen. Franken wonders about the feature’s effectiveness in ensuring “its system was trained on a diverse set of faces, in terms of race, gender and age.”
You can read the letter in its entirety here.
Apple today responded. The company pointed to its tech white paper and Knowledge Base articles that provide answers to “all of the questions you raise.” But as an aside, Cook and Co. offered up a side of TL;DR with its reiteration that there’s a one in a million chance of someone unlocking your phone without your consent.
Well, assuming they aren’t using your face to do it.
As far as sharing data is concerned, Apple says:
Face ID data, including mathematical representations of your face, is encrypted and only available to the Secure Enclave. This data never leaves the device. It is not sent to Apple, nor is it included in device backups. Face images captured during normal unlock operations aren’t saved, but are instead immediately discarded once the mathematical representation is calculated for comparison to the enrolled Face ID data.
And then adds:
Third-party apps can use system provided APIs to ask the user to authenticate using Face ID or a passcode, and apps that support Touch ID automatically support Face ID without any changes.
When using Face ID, the app is notified only as to whether the authentication was successful; it cannot access Face ID or the data associated with the enrolled face.
Notably, Apple refrained from commenting on how it would respond to data requests from law enforcement. That said, data residing inside a “secure enclave” means Apple couldn’t access it anyway. But as we saw last year, that’s not going to stop the DOJ from attempting to compel Apple to build a workaround.
But for Sen. Franken, the response seems to have hit the “good enough” mark on his cybersecurity litmus test. He responded to Apple with the following:
As the top Democrat on the Privacy Subcommittee, I strongly believe that all Americans have a fundamental right to privacy. All the time, we learn about and actually experience new technologies and innovations that, just a few years back, were difficult to even imagine. While these developments are often great for families, businesses, and our economy, they also raise important questions about how we protect what I believe are among the most pressing issues facing consumers: privacy and security. I appreciate Apple’s willingness to engage with my office on these issues, and I’m glad to see the steps that the company has taken to address consumer privacy and security concerns. I plan to follow up with Apple to find out more about how it plans to protect the data of customers who decide to use the latest generation of iPhone’s facial recognition technology.