Apple updated the security and privacy information
on its website on Wednesday, revealing new details
about how its new facial recognition technology works.
The new details come a month before Apple’s most advanced
iPhone, the iPhone X, goes on sale in November. The banner
feature of the iPhone X is facial recognition called “Face ID”
that replaces the old fingerprint sensor.
Since Face ID and its corresponding 3D camera called
“TrueDepth” were announced in September, the technology has
attracted a lot of attention and speculation from privacy
advocates and security experts.
Sen. Al Franken even wrote an open letter to Tim Cook
with 10 questions about the technology.
The new disclosures published on Wednesday answer several
remaining questions about Face ID. They include a Face ID
security overview paper, an Apple Support page
on the technology, and a
redesigned privacy page that declares that Apple management
believes “privacy is a fundamental human right.”
“So much of your personal information … lives on your Apple
devices,” Apple wrote on the new page. “Your
heart rate after a run. Which news stories you read first. Where
you bought your last coffee. What websites your visit. Who you
call, email, or message.”
Compared to the company’s secrecy on upcoming products and
internal procedures, Apple likes to publicize much of how its
security and encryption systems work. Apple CEO Tim Cook
wrote an open letter about security in 2014, and publicly
fought the FBI in court in 2016 over whether to help it break
into an encrypted iPhone used by a terrorist.
“A few years ago, users of Internet services began to realize
that when an online service is free, you’re not the customer,”
said Cook in 2014. “You’re the product. But at Apple, we believe
a great customer experience shouldn’t come at the expense of your
Face to Face ID
Apple is eager to show that it has anticipated many of the
concerns about Face ID technology that have come up so
far, although many open questions about Face ID will remain
up in the air until the product is released to the public and is
“I still need to test it and try it out, and I never fully
believe any vendor until we see how something performs in the
real world, but on paper this looks secure enough for the vast
majority of Apple customers,” said Rich Mogull, CEO of security firm Securosis.
Mogull wrote in a blog
post in September that the point of a security system like
Face ID is not to create an uncrackable system. The point is to
allow users to use a strong, long password, but to have the
convenience of no password most of the time.
To be useful, a system like Face ID would need to
eliminate so-called “false positives” — or when the iPhone
lets in a user that’s not the intended user. Apple says the
chance of that happening at random is 1 in 1 million.
Another risk is that the camera could be fooled by a flat printed
photo, like some of Samsung’s devices have been in the past.
Apple even says that it tested custom, high-end 3D masks against
the system, which Mogull called an “obvious starting point” that
researchers would test when they finally got their hands on an
Apple also detailed six scenarios on Wednesday in which Face ID
would not unlock an iPhone and would instead ask for a
happened during Face ID’s big reveal:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the
last six and a half days and Face ID hasn’t unlocked the device
in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and
holding either volume button and the side button simultaneously
for 2 seconds.
Not just facial recognition
Apple didn’t just release information on Face ID on Wednesday.
New details about other products were announced as well,
including information about how Apple is zapping tracking cookies
in its Safari browser, a new “emergency SOS” mode that locks a
phone when its home button is pressed five times, and
differential privacy, a kind of statistical method Apple says
allows it to collect data from its users without being able to
identify who the data came from.
As Apple continues to break into health and other areas, it will
continue to lean on privacy and security as a way to
differentiate itself from rivals like Google and Amazon.
Most of Apple’s sales stem from from selling premium devices and
hardware, as opposed to advertising or other data-oriented
business models, and its ability to design both its hardware and
software mean that it can pull off new security systems like Face
ID more easily than other technology vendors.
It’s clear that biometrics — a fingerprint or a face scan — is a
big part of Apple’s security strategy going forward, and
increasingly, you’ll see Apple lean on and market these
advantages as a reason to pick an iPhone over competitors.