Forum

Apple’s Face ID paves way for police abuse and surveillance

Credit: Anna Li/ Credit: Anna Li/
Editorials featured in the Forum section are solely the opinions of their individual authors.

The Fifth Amendment has been rendered obsolete. Apple’s new Face ID is an example of human ingenuity but one that raises a whole host of questions about our privacy and mass surveillance.

There are two main concerns legal and privacy experts have expressed with Face ID. The first and foremost is exactly how much leeway law enforcement has in accessing the data on our phones. The second is whether Face ID could be a prelude to mass government surveillance.

In 2014, the Supreme Court of the United States (SCOTUS) ruled in Riley v. California that it was illegal for law enforcement to search a cell phone without a warrant. Our right to be safe from unlawful search and seizures is protected under the Fourth Amendment. However, a warrant was issued to the Los Angeles Police Department (LAPD) in October, 2014 which essentially allowed the LAPD to treat an arrested suspect’s biometric information as physical evidence and not testimonial evidence.

Even though this distinction is seemingly insignificant, one important legal precedent is that physical evidence is not protected under the Fifth Amendment. One’s biometric information is under the same category as DNA, which one can be compelled to give. Worse still, arrested suspects are legally required to provide fingerprints and mug shots, the very biometrics used for Touch ID and Face ID. This dangerous precedent was further supported with an additional ruling by a Virginia circuit court judge in late 2014. Under the ruling, it was established that law enforcement cannot force anyone to give up their passcode as their passwords are protected under the Fifth Amendment; however, biometric info is not and suspects can be forced to provide their fingerprints for Touch ID.

According to Orin Kerr, a research professor at George Washington University Law School and the Director of the Cybersecurity Law Initiative said, “From a legal perspective, I don't see any difference.” Since there isn’t a definitive landmark case precedent set by the SCOTUS in terms of biometric information protection under the Fifth Amendment yet, Apple’s new Face ID definitely seems like trading more utility in exchange for less overall benefit.

Face ID not only utilizes a two-dimensional scan to unlock the iPhone but also makes a mathematical model of one’s face by projecting over 30,000 points on their face and recording a three-dimensional (3D) model. Another caveat adopted by Apple has been to ensure that Face ID only works if our eyes are open so that one can’t unlock your phone if you’re sleeping merely by holding it up to your face.

Yet there isn’t a mechanism to detect micro-expressions in Face ID that is capable of detecting whether you’re under duress and someone is forcing you to unlock your phone. Therefore, law enforcement or anyone else can simply hold up the iPhone X to our faces to unlock them.

The one coup there is in terms of protecting oneself from unlawful search and seizure of one’s personal data is a nifty feature Apple has introduced in iOS 11. If you press the power button on your phone five times, that will disable Touch ID and Face ID, requiring your passcode to enable them again. Or, one can simply power off their phone, and on restarting, your passcode is required to re-enable Touch ID.

Another concern industry experts have professed focuses on how secure Face ID is going to be. For instance, Samsung’s “extremely secure” widely touted facial recognition unlock system in the flagship Galaxy S8 was easily fooled by a mere picture. Even though this will not be the case with Face ID due to the 3D facial models iPhones will store, there are certainly other ways Face ID could be spoofed. Apple has acknowledged that twins can unlock phones and that Face ID won’t work perfectly for children 13 or younger “because their distinct facial features may not have fully developed.”

This concern has spread to the financial market. After all, many banks and retailers were only convinced to accept Apple Pay after they saw how secure Touch ID was. Since we don’t yet know how secure Face ID is, Apple’s decision to move Apple Pay from Touch ID to Face ID will remain up for debate.

After Apple unveiled Face ID, U.S. Senator Al Franken (D-MN), Chairman of the Senate Judiciary Sub-Committee on Privacy, Technology and the Law sent a public letter to Tim Cook, CEO of Apple, and outlined questions he had about Face ID technology and how Apple’s hopes to protect individual consumer data, specifically one’s “faceprint.” If someone’s password is compromised, they can simply change it. On the other hand, if someone’s faceprint is stolen, they can’t change their faces.

Another concern Franken had was about the database Face ID was developed with. Phil Schiller, Apple’s Senior Vice-President of Worldwide Marketing, claimed that Face ID had been fine-tuned using over a billion images of faces. Senator Franken is understandably curious how Apple was able to obtain access to or able to develop this database and whether the database had sufficient samples from a plethora of ethnicities, genders, and ages.

Franken has requested Apple to make their strategies for protecting their customer’s biometric data public and to make the process more transparent. In addition, he is curious as to how Apple will respond if asked to divulge biometric data when faced with a warrant, especially when Apple claims that this biometric data isn’t being stored in the cloud or on Apple servers.

Apple has attempted to stave off any claims of Face ID being utilized as a tool for mass surveillance or the claim that Apple is creating a massive database of facial scans which it can then sell to third parties or one the government can commandeer the use of by heavily promoting their secure enclave. Schiller assured the audience when introducing Face ID on the iPhone X, that unlike Samsung, all iPhones with Face ID will store all the secure data locally, in a secure enclave built into the phone itself, encrypted to such a degree that Apple itself does not possess the key to decrypt it.

Let’s give Apple the benefit of the doubt and assume that their enclaves are indeed secure and hack-proof. That still doesn’t protect the average consumer from the biggest customer of their personal data — the government. Recently, Apple had a huge public disagreement with the Federal Bureau of Investigation (FBI) over providing the law enforcement agency with blanket access to all Apple devices. Apple refused.

The only reason Apple prevailed over the FBI, however, is because they challenged the FBI in the courts and won. That will not always be the case. It is inevitable the government will at least attempt to gain access to the huge database of biometric data Apple has the potential to retrieve from their iPhones. Currently, Facebook is the world leader in facial recognition; however, Facebook only controls the software. Apple has unified both the hardware and software for facial recognition in the world’s most popular and ubiquitous tech.

Another concern is that certain applications will be granted access to one’s biometric information and many third-party applications already do so for Touch ID. Apple now has the additional responsibility of ensuring that even though the aforementioned third-party developers can access the biometric info stored in the secure enclave, they can’t store or further distribute it.

In fact, Edward Snowden tweeted that, while it’s good Apple has a “panic disable,” Face ID normalizes facial scanning and makes it mainstream, which has an extremely high potential for abuse and misuse.

A database of biometric info storing even the most basic information has the potential for strangers and law enforcement to identify someone with a simple picture. In addition, facial recognition can be utilized to track someone in real time, a prelude to George Orwell’s "Big Brother."

As revealed by Snowden, under the Foreign Intelligence Surveillance Act (FISA) and the therein established FISA courts, the government can issue as many secret warrants as it deems fit. This is especially worrisome as this tactic has already been tried with Yahoo to order them to make a program to scan all their emails for keywords specified by the government.

Even if Apple appeals any order by the government to create a database of their customer’s biometric data, there’s always the chance that SCOTUS or the FISA courts will simply side with the government in the interest of national security. Certainly, national security is an important concern for the government, however, that does not mean that that certain government agencies should have blanket access to all consumer data.

Big Brother is watching.