More Face ID FUD, This Time From Reuters

Stephen Nellis, reporting for Reuters under the headline “App Developer Access to iPhone X Face Data Spooks Some Privacy Experts”:

Apple Inc won accolades from privacy experts in September for assuring that facial data used to unlock its new iPhone X would be securely stored on the phone itself.

But Apple’s privacy promises do not extend to the thousands of app developers who will gain access to facial data in order to build entertainment features for iPhone X customers, such as pinning a three-dimensional mask to their face for a selfie or letting a video game character mirror the player’s real-world facial expressions.

Apple allows developers to take certain facial data off the phone as long as they agree to seek customer permission and not sell the data to third parties, among other terms in a contract seen by Reuters.

This is dangerously misleading FUD. I say “dangerous” because this is the sort of story that could lead people to not set up Face ID, leaving their iPhones less secure and less useful.

There is no way, opt-in or otherwise, for third-party apps to access Face ID data. Face ID data is stored on the iPhone X’s secure enclave — even the OS itself can’t read it.

What third-party apps do have access to, if granted permission, is the front-facing camera with the TrueDepth sensor. That’s it. Apps have access to a front-facing camera that is better than previous front-facing cameras because it has 3D depth mapping. An app (like Snapchat or Instagram) can use this to implement augmented reality features like putting a mask or fake mustache on your face, but that has nothing to do with Face ID. I don’t think this is any more privacy invasive than what these apps are already doing with your iPhone camera — it’s just more accurate spatially for AR effects.

Thursday, 2 November 2017