What Could Possibly Go Wrong? The iPhone X’s Face ID
Anyone who has been paying attention to what’s going on around them for at least some portion of their life has almost certainly experienced Murphy’s Law. If something can go wrong, it will go wrong. And yet, time and again the response to something new is “Let’s do it! What could possibly go wrong?” Case in point, iPhone X’s Face ID.
Technology evolves when it adapts to the way you do things and makes doing those things easier. Is Face ID easier to use than the iPhone’s Touch ID? Not really. With Touch ID you put your finger on the home button when you grabbed your phone and the phone unlocked. It was fast, easy, and once you got used to it, your phone was unlocked and ready to go by the time you looked at it. It was also easy to unlock your phone surreptitiously in situations where you didn’t want to be seen using it.
Face ID is fast but that’s about it. To unlock your phone, you place it in your palm, hold it in front of your face like you were taking a selfie, and look directly at it. That’s a lot more complicated than simply touching the home button. You can also say goodbye to surreptitious phone unlocking. People are likely to notice when you hold your phone in front of your face in a business meeting. In addition, The Verge and others have reported Face ID doesn’t work so well in some lighting conditions – like outside when the sun is shining.
While Face ID is clearly not as simple and straightforward as Touch ID, Apple may not view this as something going wrong. After all, this is the company that responded to complaints about their poor placement of the antenna in the iPhone 4 with the arrogant and dismissive “You’re holding it wrong.”
Ease-of-use is a thing, but it isn’t what a phone’s unlock system is all about. It’s about security. Apple has stated (without evidence) that there’s a one in a million chance that a random stranger could unlock your phone with Face ID as opposed to a one in fifty thousand chance (also without evidence) with Touch ID. If true, that’s a huge increase in security.
Apple also pointed out that the chance of an unwanted unlock was “different” for “twins and siblings that look like you as well as among children under the age of 13”. How different? Apparently, very different.
Mashable asked two pairs of identical twins to try to unlock a Face ID-locked iPhone X. The phone unlocked for the wrong twin every time. Twin A opened Twin B’s phone and Twin B opened Twin A’s phone. A million to one chance? How about a 100% chance. Yeah, that’s “different”.
It’s not really a surprise that Face ID doesn’t work as well with identical twins. You and I probably couldn’t tell them apart either. How about the mother and her 10-year-old son in the above video? Can you tell them apart? Face ID couldn’t. The boy unlocked his mother’s iPhone X. What could possibly go wrong?
Okay, so Face ID isn’t foolproof. Other people can unlock your phone simply by looking at it. What about hackers? Can the technology be hacked?
How would you go about trying to hack a person’s face? With a mask. Wired spent “thousands of dollars” and brought onboard “an experienced biometric hacker [and] a Hollywood face-caster and makeup artist” and failed. They couldn’t create a mask that unlocked an iPhone X.
If it looks like hacking may not be a problem, look again. Six days after the iPhone X launched, Bkav, a Vietnamese cybersecurity company with a track record in hacking biometric security systems, released a proof-of-concept video showing them unlocking a Face ID-locked iPhone X with a mask that cost $150 to make. The mask was 3-D printed with pictures of 2-D eyes stuck in place.
Forbes and others pointed out that Bkav’s video wasn’t as convincing as it might appear because it didn’t demonstrate the enrollment process used to set up Face ID on the iPhone X. Bkav responded with the above video that shows them enrolling the user’s face and then immediately unlocking it with a mask. They used a more sophisticated mask for this demonstration. It cost $200 and still used pasted-on pictures of eyes.
What could possibly go wrong? Bkav concluded that Face ID is not secure enough to use for business transactions.
Setting aside issues of convenience and security, there’s another problem with Face ID that’s potentially even more serious. Apple is sharing users’ Face ID data with third-party app developers.
The rich set of data that Face ID collects to unlock the iPhone X stays in what Apple calls a “Secure Enclave” on the phone. That’s a good thing. What’s not so good is that Apple is giving app developers enough of this data to create a detailed wiremap of your face while also tracking 52 micro-movements of parts of your face in real time.
People have an extraordinary ability to accurately infer someone’s thoughts and emotions by “reading” their face. We rely on this ability, often unconsciously, every time we have a face-to-face conversation with someone. Companies like Affectiva use powerful neural networks to extract real-time emotion recognition data from webcam video that is used successfully in advertising, education, gaming and healthcare.
App developers want Apple’s Face ID data so they can do a better job targeting people who will pay for their apps and in-app purchases. Apple wants to make the data available because they believe it will encourage developers to write iPhone apps which make more money for Apple.
Apple takes great care to keep customer data safe and it has a lot of rules governing the gathering and use of Face ID data by app developers. However, Apple is not only giving the developers access to some of your Face ID data, it’s allowing the developers to download the data to their own servers.
What happens after that is anybody’s guess. Apple may try to police what developers do with your face after they’ve downloaded it, but it’s unreasonable to believe Apple will be able to keep close tabs on hundreds of small developers who are farming faces. Moreover, Apple can’t control security at third-party development outfits. This year’s massive Verizon data leak happened when Verizon shared customer data with a third-party vendor. When your Face ID data leaves Apple’s hands, the chances that bad things will happen greatly increase.
The iPhone X launched about a month ago and it’s already apparent that Face ID is less convenient than Touch ID and less secure than Apple would have you believe. It’s also very troublesome that Apple is sharing people’s Face ID data with third-party app developers and allowing them to download the data onto their own servers.
A password doesn’t give away very much about you unless you were clueless enough to use your birthday or bank account number as your password. Passwords can be hacked, and if they are, you can create as many new ones as you like.
Your face can also be hacked, it can be farmed, and it can give away a lot more about you than a password. You only have one face. Lose it as your security key, or lose control of how it’s being used for unscrupulous purposes, and it’s game over. You can’t create a new one.
But hey, what could possibly go wrong?