App Developer Access to TrueDepth Camera Worries Privacy Advocates

Privacy advocates and developers are once again expressing concern over the iPhone X’s TrueDepth Camera. The infrared camera scans over 30,000 facial points to create an extremely accurate 3D model of a face. It’s what powers Face ID, and allows the iPhone X to track and, with Animoji, make sophisticated facial animations that once was solely the realm of Hollywood studios.

The issue, of course, is that Apple has talked quite a bit about how secure Face ID is. The company has talked a lot less about what facial data developers can gain access to, and how they can use it.

The Problem

To be clear, the 3D facial scan that the TrueDepth Camera takes to make Face ID work is secure. Developers can’t access it.

The problem lies in what developers do have access to: the TrueDepth system itself. Currently, third-party app developers can use the TrueDepth Camera to take a scan of a user’s face, including a full wireframe, 3D face map and a “live read-out” of 52 micro-movements — including movements in the eyelid, mouth and other facial features. Apps can store this information on their own servers, and use it for their own purposes, the Washington Post reported.

While that level of access allows for more realistic augmented reality experiences, its ramifications are worrying. App developers could, theoretically, use the TrueDepth system to scan a user’s facial expressions. They could then use that scan to judge if a user is happy or depressed. App developers could determine a user’s gender, race, or even their sexuality. They could even combine that data with other information to track a user when they’re walking down a street, or shopping at a store.

If you want to see exactly the kind of facial data that’s available to app developers, just download MeasureKit on an iPhone X. It has a face scan tool built in that allows users to see what kind of data TrueDepth collects and gives to developers, including the facial map and the list of facial micro-expressions.

The Good News

The good news, thankfully, is that Apple is staunchly committed to user privacy. Because of the way it does business, it doesn’t sell that user data to third-parties for advertising or marketing purposes (unlike other tech giants). Similarly, to the best of our knowledge, most apps aren’t using TrueDepth’s system for any sneaky purposes — yet.

When pressed by WaPo reporter Geoffrey Fowler, Apple started to require app developers accessing TrueDepth information to publish a privacy policy. An Apple spokesperson also reiterated that the company requires developers to ask a user’s permission before accessing any camera, and requires apps to explain exactly how and where that data will be used.

Additionally, Apple restricts developers from selling face data, using it to identify anonymous individuals, or harnessing it for advertising purposes.

The Future

Of course, it’s not all good news. While Apple’s privacy policies are a good first step, there are still some holes in it. iOS doesn’t differentiate between the rear camera and the TrueDepth system — asking permission for one grants it for both. There’s also the question of how effectively Apple can enforce those policies.

Additionally, Face ID undoubtedly opened a floodgate — and competitors are rushing out to field their own advanced facial recognition systems. Think about what a less privacy-minded company could do with that data.

“I think we should be quite worried,” ACLU Senior Analyst Jay Stanley told WaPo. “The chances we are going to see mischief around facial data is pretty high — if not today, then soon — if not on Apple then on Android.”

Now, think about government surveillance and recent cases focused on whether our privacy rights apply to digital data or passwords, and you can see why some people are concerned.