The company is releasing a report that should lessen much of its privacy concerns about new iPhone face recognition technology. But Apple also leaves a few unanswered questions. Apple issued an official technical report offering security analysis of Face ID, its new facial recognition technology. For now, the iPhone X will be the only Apple device to use Face ID, but the authentication tool has already raised concerns on multiple fronts. Senator Al Franken, a Minnesota Democrat, sent a letter earlier this month to Apple CEO Tim Cook asking how Face ID data is stored and whether third-party applications could be accessed. There was also concern that the biometric technique, which uses multiple facial scanners, would be used in courts and police.
Apple's official report answers questions such as what part of your face image the company actually stores, how long it stores the image, and what apps can use Face ID. But it does not speak directly to how robust ID privacy is when it comes to law enforcement agencies. Here's what Apple replied to in its document:
How much data from my face would be saved via Face ID?
Not much unless you consider mathematical equation and infrared points as your image. Face ID doesn't capture the whole picture, Apple says in its article. Infrared images, representing 30,000 dots, are taken and a map is created to look at your face. It also retains the "mathematical representation" of your face, not the image itself.
The background of your unlocking image is not stored. Login Image - The first image you take to get Face ID to recognize you - cuts to your face. Each time you unlock your phone using Face ID, the images are "immediately discarded as soon as the mathematical representation is calculated", and compared with the recorded data.
Where is the data stored? Can hackers extract my image online?
The data is stored in the Secure Enclave chip of the device itself and is only available there. The data is encrypted and "never leaves the device," Apple says. Even Apple does not receive data, nor is it stored when backing up your phone.
"Face ID data never leaves your device and is never copied to iCloud or anywhere," Apple writes.
This is the same way that data is stored for Touch ID, Apple's fingerprint reader. Because the data is stored on your device and not on a server or cloud, someone would need to have physical access to the device to be able to steal it. Even that would be difficult, given that Face ID data is encrypted.
Face ID data will only be sent if you agree to be uploaded for AppleCare technical support, and it will only be diagnostic information. You are allowed to view and approve what information is being sent, including your face image. And they are automatically deleted after 90 days.
Will third-party apps be able to use Face ID?
Yes. Third-party applications will be able to use Face ID for authentication. Any application you use with Touch ID for identification will automatically be able to support Face ID without any changes, Apple says.
But that doesn't mean apps get your face data. Face ID only tells third-party applications that the authentication has gone - it does not send your face information. The process is similar to shopping with Face ID on the App Store and iTunes. You will be able to do this with any application where developers enable Face ID. How did Apple prepare diversity for Face ID?
Apple said it used more than a billion images to train Face ID to recognize people. Franken asked where the company got those billions of images, but Apple didn't answer that question. The company said it worked with a diverse group of people to prepare for the recognition of different genders, ages, ethnicities and "other factors."
Does Face ID replace my password? No. Face ID requires the password to be enabled. Apple said that Face ID should actually allow for a "longer, more complex password to be far more convenient," since you won't have to enter it often.
"Face ID does not replace your password, but allows easy access to the iPhone within certain limits and with a time limit," Apple writes. Also, there are several circumstances in which you will need to enter your password to open your phone:
- When you just turned it on
- When you have not unlocked it for more than 48 hours
- When received a remote lock command
- After five unsuccessful attempts to unlock it with Face ID
- When Emergency SOS is activated (volume and side volume hold for two seconds)