The iPhone X is officially here, and with it comes a bevy of new bells and whistles that Apple promises justify the smartphone’s hefty price tag.
One such feature is the front-facing TrueDepth camera, which both powers Face ID and gives us the lovely notch. However, according to an Apple contract recently shared with app developers, it also opens up users to a new and not yet fully understood privacy risk.
According to Reuters, which managed to review the terms of a third-party app developer agreement with Apple, the data gleaned by the TrueDepth camera need not remain on a customer’s phone. Instead, it can be transmitted to non-Apple servers — a revelation that has some privacy and security experts concerned.
Notably, Apple has gone out of its way to address privacy concerns related to its Face ID biometric system. The company has promised that all data gathered by Face ID will remain on the phone, and that “[when] using Face ID, the [third-party] app is notified only as to whether the authentication was successful; it can’t access Face ID or the data associated with the enrolled face.”
Importantly, however, that doesn’t mean app developers won’t have access to the TrueDepth camera and the data it gathers.
“App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions,” explains Reuters. “This data, which can be removed from the phone and stored on a developer’s own servers, can help monitor how often users blink, smile or even raise an eyebrow.”
We reached out to Apple to confirm that this is in fact the basic structure of third-party app developers’ contracts with the company, and will update this story if and when we hear back.
But why does any of this matter? Well, Apple has reportedly forbidden third-party app makers from either selling face data to marketers or using it for advertising purposes. However, according to Dan Tentler, a security researcher with The Phobos Group, once the data leaves Apple’s grip it no longer matters what the rules are.
If the technological capability is there for abuse, he notes, bad actors will find a way to abuse it.
“It won’t matter. Advertisers are going to [go after the data] anyway, and it’s plausible there will be a black market or underground market for quietly lifting that data off of phones despite [Apple’s] rules,” Tentler explained over email. “The trouble here is that their defensive mechanism appears to be just a bunch of rules, and it’s staggeringly obvious that making something against the rules only stops people who elect to follow the rules.”
Which, yeah, that doesn’t sound so good.
Tentler took his warning even further, saying, “if people followed the rules, we’d never see malware being sent to people through advertising networks, or, you know, murder. You can’t depend on rules alone to stop people from doing bad things, so unless Apple comes up with something a bit stronger than a wag of the finger, this has the potential of getting real ugly.”
So, are iPhone X owners doomed to live a life of potential privacy abuse by unscrupulous app developers? Not necessarily, but they do need to exercise some caution.
Jim Dempsey, the Executive Director of Berkeley’s Center for Law & Technology, told Mashable that while Apple does have a good track record when it comes to privacy, the specifics of the TrueDepth sensor require an extra level of consumer awareness.
“Now, for some apps, [users] will also be receiving notices asking permission to collect facial data,” he wrote via email. “It’s very easy to say yes, because you want the features offered by the app, which seem cool at the moment. I think consumers have to become even more vigilant about those requests. There is a risk — probably already a reality — that many folks become desensitized to the requests for permission, accept them, and then forget about them.”
In other words, the next time a fun-looking third-party app asks for permission to access the data gathered by your iPhone X’s TrueDepth camera, maybe think long and hard before tapping “OK.”