After Apple announced a series of sensors capable of measuring your face down to the finest detail, the security world instantly warned of the repercussions. Police could force users to unlock the iPhone X with their face, the data could be stolen, marketers may use it to gauge your feelings about an app or advertisement. These were the most common concerns, but not the only ones.
For Apple’s part, it did a great job at not only ensuring the public its data was safe, but going above and beyond standard industry practices to ensure them it was. The data would never leave their phone. Apple didn’t have access, it was never transmitted to Apple HQ or a server farm in an unknown location. Your iPhone X, and only your iPhone X contained the facial data taken by the “TrueDepth” sensing capability on Apple’s new flagship device.
Apple, it appeared, was serious about its aim at protecting our privacy. Unfortunately for us, this level of security doesn’t seem to extend to parties not named Apple.
According to a Washington Post report, iOS developers are not only allowed to use, but store (on their own servers) two views stored from the on-board sensors — a wireframe representation of the user’s face, and a live read-out of 52 unique micro-movements of their eyelids, mouth, and other features. These movements could accurately track engagement, emotion, and a host of other things you probably don’t want in the hands of marketers, spies, or hackers.
To see for yourself, you can use an iPhone X to download an app called MeasureKit. The app, developed by Rinat Khanov, lets you see the data Apple makes available to developers. And according to its maker, he’s planning on adding a feature that allows users to export a model of your face. Khanov’s motives seem benign — he wants to allow people to 3D print their own face from high quality models — but he’s just one of thousands with this kind of access.
The Post may have said it best: “[Apple] isn’t being paranoid enough about the minefield it just entered.”
Apple has a good track record in protecting our data. It’s not in the business of selling out users, or tracking data it can later sell to advertisers, a la Facebook — at least it doesn’t seem to be. But while Apple’s intentions may be good, it cannot possibly know the intent of the developers it’s offering up this data to.
And this might only be the second biggest mistake on the security front from Apple this week.