Apple updated the security and privacy information on its website on Wednesday, revealing new details about how its new facial-recognition technology works.
The new details come about a month before Apple’s most advanced iPhone, the iPhone X, goes on sale. The banner feature of the iPhone X is a facial-recognition tool called Face ID that unlocks the phone, replacing the fingerprint sensor.
Since Face ID and its corresponding 3D camera, called TrueDepth, were announced earlier this month, the technology has attracted a lot of attention and speculation from privacy advocates and security experts. Sen. Al Franken even wrote an open letter to Apple CEO Tim Cook with 10 questions about the technology.
The new disclosures published on Wednesday answer several questions about Face ID. They include a Face ID security overview paper, an Apple support page on the technology, and a redesigned privacy page that says Apple’s management believes “privacy is a fundamental human right.”
“So much of your personal information … lives on your Apple devices,” the privacy page says. “Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message.”
In contrast to its secrecy on upcoming products and internal procedures, Apple likes to publicize much of how its security and encryption systems work. Cook wrote an open letter about security in 2014 and publicly fought the FBI in court in 2016 over whether to help it break into an encrypted iPhone used by a terrorist.
“A few years ago, users of internet services began to realize that when an online service is free, you’re not the customer,” Cook said in 2014. “You’re the product. But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.”
Face to Face ID
Apple is eager to show that it has anticipated many of the concerns about Face ID that have come up so far, though many will remain until the product is released to the public and tested independently.
“I still need to test it and try it out, and I never fully believe any vendor until we see how something performs in the real world, but on paper, this looks secure enough for the vast majority of Apple customers,” said Rich Mogull, the CEO of the security firm Securosis.
Mogull wrote in a blog post in August that the point of a security system like Face ID was not to create an uncrackable system. The point is to allow users to use a strong, long password while keeping the convenience of not having to enter it most of the time.
To be useful, a system like Face ID would need to eliminate so-called false positives, cases in which the iPhone lets in someone other than the intended user. Apple says the chance of that happening at random is 1 in 1 million.
Another risk is that the camera could be fooled by a flat, printed photo, as some of Samsung’s devices have been in the past. Apple even says it tested custom, high-end, 3D masks against the system. Mogull called that an “obvious starting point” that researchers would test when they finally got their hands on an iPhone X.
Apple on Wednesday also detailed six scenarios in which Face ID would not unlock an iPhone and would instead ask for a passcode, as happened during Face ID’s big reveal:
- “The device has just been turned on or restarted.”
- “The device hasn’t been unlocked for more than 48 hours.”
- “The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.”
- “The device has received a remote lock command.”
- “After five unsuccessful attempts to match a face.”
- “After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.”
Not just facial recognition
Apple didn’t just release information on Face ID on Wednesday – it also announced details about other products, including information on how it’s zapping tracking cookies in its Safari browser, on its new emergency SOS mode that locks a phone when a user presses its home button five times, and on differential privacy, a kind of statistical method Apple says allows it to collect data from its users without identifying them.
As Apple breaks into health and other areas, it will continue to lean on privacy and security features as a way to differentiate itself from rivals like Google and Amazon.
Most of Apple’s sales stem from premium devices and hardware, as opposed to advertising or other data-oriented business models. And its ability to design both its hardware and its software means it can more easily pull off new security systems like Face ID than other technology vendors could.
It’s clear that biometrics – a fingerprint or a face scan – is a big part of Apple’s security strategy going forward, and that Apple will market these advantages as a reason to pick an iPhone over competitors.