Apple clarifies what Face ID and TrueDepth data developers have access to

Pocketnow

By Jules Wang

Published Dec 12, 2017

In short, no Face ID data is transmitted to app publishers, period. But they do have access to an API to track the faces you make at their app.

“They all stink.”

Apple senior vice president of marketing Phil Schiller needed no time to give his opinion on how other phone manufacturers were implementing face-based biometric security measures.

“They don’t work in all the ways we need Face ID to work.”

Schiller was quizzed on a broad range of topics by Bright.nl over what the new iPhone X brought with its TrueDepth texture-mapping camera and what the future might hold for Apple in different realities from virtual to augmented.

The long and short of AR and VR is that the company wants to branch virtual reality onto macOS first while keeping the focus on augmented reality with iOS. On the HomePod, Schiller was sad the company couldn’t bring it in time for the holidays, but that it had to commit to home audio right.

Back on Face ID, there was one big note regarding what third-party developers could do with the data they obtained from the TrueDepth camera on the iPhone X — set to spread to future iPads and all the iPhones next year. Schiller delineates what goes into Face ID and a face tracker API that those app makers do have access to:

First of all, no Face ID data goes to third parties. So what you enroll with Face ID, what you use to unlock your phone, that’s an algorithm that is created and encrypted by the Secure Enclave. No third party that uses the iPhone camera has your Face ID data. We did create an API so developers can use the cameras to track facial movements, to do things like wrap stickers on your face (like Snapchat, ed.) That’s different than Face ID. They don’t have all the access to the data that Face ID has for that.

While it’s true that publishers won’t have the correct hash needed to unlock users’ iPhones, the big concern that privacy advocates have is that the facial movement tracker API can be used to log how people feel about certain pieces of content or advertising to tailor what gets delivered in the future.

Schiller says, though, that these developers have to provide a measure of transparency.

[D]evelopers must be clear in their user privacy policies that they are using face data and what they are doing with that. So that you know. You have a choice to make whether you want to do that or not. You are in control. And also, every application that want(sic) to use face data must go through a special level of app review. We look at them specifically to understand what they are using the data for and does the user understand that. So [we] uphold developer to do the right job for customers and ultimately let the customer decide.

Every app has to go under review, but even then, major oversight can happen leaving users unaware of flawed behavior. And if we have to learn about potentially harmful behavior from a thick and heady privacy policy, it may end up too late for a public expose.

Apple has historically been a staunch supporter of its customers’ personal privacy. But the weight of just what this potentially new limb of data can bring has yet to hit it on the backside.