It boasts an edge-to-edge screen, no Home button, and faster charging. But perhaps its most notable feature — certainly its most concerning — is Face ID.
Based on this function, how secure is the iPhone X? Is it a privacy concern? And will Apple have access to a huge database of everyone’s faces?
What Is Face ID?
Without the Home button, the new iPhone needs a simple way of being unlocked: users have grown used to Touch ID, and can’t be bothered with passcodes anymore. Realistically, biometrics are generally safer than passcodes anyway — certainly more so than anyone who unlocks their smartphone by typing in “1234.”
This is where Face ID comes in.
And it is a very smart system. First of all, it projects 30,000 invisible dots across your face, then an infrared light (so it doesn’t matter how much light there is available).
These create an image of your face which can be assessed to check whether it’s the same as the image stored in the phone’s database. The original, on which subsequent unlocks will be based, uses the same process but requires the user to turn their head slightly to give a proper 3D scan. It’s reminiscent of the 3D imaging techniques used in CGI.
You won’t just use it to unlock your device either. It can be used to verify purchases through Apple Pay and the App Store.
It makes gaining access to your phone very easy. But is it secure?
Can You Fool It?
Apple obviously says not. The chances of tricking it, the company reckons, is 1 in 1 million. It’s remote, but not impossible.
Him: It's 3am, why you putting on make up for?
Her: My iPhone X don't recognise me without it on
— LAK X (@l4444k) September 19, 2017
It won’t be fooled as easily as the Samsung Galaxy S8, which hit shelves earlier this year. Even before that release date, the facial recognition software had been fooled by a simple photo taken from social media. It took longer to unlock than usual, but the point remains that it did reveal its secrets. Samsung reaffirmed that the facial ID isn’t as secure as its PIN, fingerprint scanner, and iris scanner.
This won’t work with the iPhone X because it takes a 3D image of your face, rather than just a head-on template.
In an effort to prove how secure it is, Apple even got unnamed Hollywood studios to create face masks — and no, the iPhone X couldn’t be fooled that way.
Seemingly, this is a pretty secure method. But nothing’s impenetrable. Cloudflare’s Marc Rogers, who previously demonstrated how to trick Touch ID, is convinced he can trick Face ID:
“The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem. I’d love to start by 3D-printing my own head and seeing if I can use that to unlock it.”
Let’s put it this way: it’s very likely that Face ID will be cracked in the same way that Touch ID was, but spoofing won’t considerably affect the general public.
What About Twins?
In the relatively slight chances of you having an identical twin, that could cause a problem. At the time of writing, we don’t know whether Apple has tested its product on two people who look exactly alike. If the firm had, it would surely have announced the results… unless they were negative.
Interestingly, Windows Hello uses facial recognition on Windows 10 that can tell the difference between twins, at least according to a recent study. In addition to comparisons with image sets, it combines depth and heat readings to check if the correct twin is signing in.
Though the 3D imaging allows some study of depth, the iPhone X cannot detect heat.
We don’t genuinely know yet how the smartphone could determine differences of people who look incredibly similar. But to be on the safe side, identical twins probably shouldn’t trust Face ID.
Where Are Images Stored?
You might be troubled by the idea that Apple will have a database of all its customers with an iPhone X.
But worry not. Details used for facial verification will be stored in a “secure enclave”, which is also where mathematical representations of your fingerprint, used for Touch ID, are located. It’s stored solely on your phone, essentially, so Apple won’t get to enjoy your eyes, mouth, and nose.
That doesn’t reassure Senator Al Franken, however. He’s so concerned that he wrote a letter to Apple CEO Tim Cook. In this, he asked the circumstances which could cause the company to store images elsewhere, and further:
“Can Apple assure its users that it will never share faceprint data, along with the tools or other information necessary to extract the data, with any commercial third party?”
If Apple Pay can already access Face ID, could other apps? Right now, we don’t know the answer to that, but the possibility of tracking how users respond to an advertisement or page is surely a tempting one. The recognition software can track where your eye is, so third-parties could, in theory, see which elements in an article or ad particularly take your attention.
Right now, that’s a minor issue on the distant horizon. But while you’re here, it’s worth noting that there is a database of your face — and many people use it every single day.
It is, of course, Facebook. Its Deep Face project can detect and recognize a face, even from different angles. That’s why you can tag people in a photo. Worrying, eh? Maybe you should take a look over your privacy settings, and untag yourself in some images. If you’re taking iPhone privacy seriously, the same should go for social networking.
Who Else Can Access It?
Now we come to the really worrying aspect of Face ID: you can unlock your smartphone using your face. So can muggers and the police.
The immediate issue is if a thief steals your device and threatens you to access it. With other methods, the coercion is exactly that. With facial recognition, however, it’s much easier for a criminal to get you to unlock it. After all, all they need is your face.
Right now, law enforcement agencies, including the police and border controls, can’t make you unlock your iPhone using a passcode or Touch ID without a warrant. This is due to the Fifth Amendment, protecting you from self-incrimination.
Remember back in 2016, Apple refused to unlock the encrypted iPhone 5C of San Bernardino shooter, Syed Rizwan Farook? They trod a fine line: from one perspective, they refused to help the FBI investigate this act of terrorism; from another, it would’ve been a clear precedent — an admission that Apple can get into any devices used by their customers.
The fact they refused told the world that Apple values security and privacy.
Face ID does the opposite. The exact legalities of how the Fifth Amendment applies to facial verification are yet to be determined. They probably won’t be until a case goes to court anyway.
This gray area is certainly one we’re concerned about. And you definitely should be too.
What Can You Do About It?
One caveat of Face ID is that, for a face to be recognized, your eyes have to be open. You have to actually be facing the screen too. If you were mugged, you could try to close your eyes or perhaps turn away. That may work if the criminal had hoped for a snatch and grab — less so if you’re under duress.
The latest operating system, iOS 11, will come automatically installed on the iPhone X, and that does at least have Emergency SOS in Settings. You can set it up so that, when you click the power button five times in a row, it’ll disable Face ID and Touch ID. You have to enter a passcode to gain access.
This feature can also be activated to automatically call an emergency contact or service.
That’s really the key to all this. If you’re too worried about using Face ID, you don’t have to.
You can resort to a Touch ID or a passcode. But make sure you do use some method of encryption to secure your smartphone.
Of course, you don’t have to buy an iPhone X. You might love Apple and need an upgrade, in which case opt for the Face ID-free iPhone 8. It also has the much-loved Home button, charges faster compared to previous models, and is cheaper. That last part tempted you, didn’t it?
When the Touch ID was announced, security and privacy concerns consumed the internet… and in the end, it turned out to be just fine. Face ID will likely be the same.
There will be issues, and it’s certainly not for everyone. But it’s your choice as to whether you buy the device or not, and if you use Face ID.
What will you be doing? Are you keen to try out the iPhone X? Are you an early adopter? Or do you prefer to wait until the kinks have been ironed out? And will you use Face ID?