The American Civil Liberties Union (ACLU) has raised privacy concerns about developer access to the facial expressions of iPhone X users. In particular, they say that Apple allows developers to capture facial expression data and store it on their own servers.
When the iPhone X was launched, Apple was careful to stress that the 3D face recognition model used by Face ID was stored only on the phone itself. The data is never transferred to Apple servers. But the ACLU says that app developers are allowed to transmit and store some face data …
“The privacy issues around of the use of very sophisticated facial recognition technology for unlocking the phone have been overblown,” said Jay Stanley, a senior policy analyst with the American Civil Liberties Union. “The real privacy issues have to do with the access by third-party developers.”
Reuters explained what Apple allows app developers to do.
Apple allows developers to take certain facial data off the phone as long as they agree to seek customer permission and not sell the data to third parties, among other terms in a contract seen by Reuters.
App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer’s own servers, can help monitor how often users blink, smile or even raise an eyebrow.
One concern is that app developers could use facial expressions to assess emotional responses to ads shown within apps. However, Apple already outlaws that, stating that developers are only allowed to use face data to power a legitimate feature of the app. Using it for marketing or advertising purposes is specifically prohibited.
Some argue that rogue developers might still do it, as Apple’s review process can be hit-and-miss.
The company does not review the source code of all apps, instead relying on random spot checks or complaints, according to 2011 Congressional testimony from Bud Tribble, one of the company’s “privacy czars.”
With the iPhone X, the primary danger is that advertisers will find it irresistible to gauge how consumers react to products or to build tracking profiles of them, even though Apple explicitly bans such activity.
It’s also possible that developers might do it without realizing it’s not allowed.
One app developer told Reuters that Apple’s non-negotiable developer agreement is long and complex and rarely read in detail, just as most consumers do not know the details of what they agree to when they allow access to personal data.
The issue seems worth raising for this reason – just to ensure that developers are fully aware that Apple doesn’t permit it. But as our own Benjamin Mayo noted, this isn’t unique to the iPhone X: it would be entirely possible to recognize expressions like smiles and raised eyebrows just by using the existing camera.
It should be stressed that app developers do not have access to anything like the amount of data needed to perform their own face recognition.