With the iPhone X due to ship tomorrow to those who have pre-ordered, and to be available in stores in limited numbers, it has emerged that Apple is allowing app developers to access facial data.
Concerns have already been voiced about the privacy of Face ID and how facial data is used, but Apple responded to these saying the data remains on the iPhone X and is never sent to the cloud. But contracts seen by Reuters show that app developers are permitted to take facial data off phones, providing certain criteria are met.
App developers may make use of facial data for various reasons, including mapping masks onto video footage and photographs. Reuters reveals that developers are allowed to take "certain facial data" off iPhone Xs as long as they gain permission from users, and as long as the data is not sold to third parties.
App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer's own servers, can help monitor how often users blink, smile or even raise an eyebrow.
That remote storage raises questions about how effectively Apple can enforce its privacy rules, according to privacy groups such as the American Civil Liberties Union and the Center for Democracy and Technology.
The data that developers have access to is not the same as that used by Face ID, and it cannot be used to unlock devices. Jay Stanley, a senior policy analyst with the American Civil Liberties Union, is concerned:
"The privacy issues around the use of very sophisticated facial recognition technology for unlocking the phone have been overblown. The real privacy issues have to do with the access by third-party developers."
The contracts seen by Reuters make it clear that app developers must "obtain clear and conspicuous consent" from users before they do anything with facial data, and that data can only be collected and used for legitimate reasons relating to the functioning of an app. Developers are banned from de-anonymizing user data, and from using it for advertising or marketing purposes. Despite this, there are still concerns that some developers could use facial data to judge reactions to ads using facial expressions.
Importantly, privacy experts point out, Apple has no control over what app developers do with facial data once it has left an iPhone X. Apple's threat to boot offenders out of the App Store is seen as an empty one as the company is reliant on complaints rather than an app review process to identify misuse -- and this is something that would be near-impossible for the average iPhone X user to spot. As Stanley says:
"Apple does have a pretty good historical track record of holding developers accountable who violate their agreements, but they have to catch them first - and sometimes that’s the hard part. It means household names probably won't exploit this, but there’s still a lot of room for bottom feeders."