Wired reported that, last Tuesday, Apple unveiled a new line of phones with one feature immediately falling under scrutiny: FaceID, a tool that would use facial recognition to identify individuals and unlock their phones.
So why all the anxiety? Retailers already want facial recognition to track consumers – minus legally binding terms, Apple could use FaceID to track consumer patterns at its stores, or develop similar data and sell it to others. It's also likely that police would be able to more easily unlock phones without consent by simply holding an individual's phone up to his or her face.
But the greatest threat comes from government surveillance - using mass scans to identify individuals based on face profiles. Law enforcement is rapidly increasing the use of facial recognition; one in two American adults are already enrolled in a law enforcement facial recognition network, and at least one in four police departments have the capacity to run face recognition searches. But until now, utilizing consumer platforms hasn't been an option. While Facebook has a powerful facial recognition system, it doesn't maintain the operating systems that control the cameras on phones, tablets, and laptops that look at us every day. Apple's new system changes that. For the first time, a company will have a facial recognition system with millions of profiles, and the hardware to scan and identify faces throughout the world.
This could, at least in theory, make Apple a target for a new type of mass surveillance order. The government could issue an order to Apple with a set of targets and instructions to scan iPhones, iPads, and Macs to search for specific targets based on FaceID, and then provide the government with those targets' location based on the GPS data of devices' that receive a match. Apple has a good record of fighting for user privacy, but there's only so much the company could do if its objections to an order are rejected by the courts.
Last Wednesday, Sen. Al Franken (D-Minnesota) released a letter to Apple CEO Tim Cook, asking how the company will handle the technology's security and privacy implications.
Edward Snowden's disclosures revealed the existence of Upstream, a program under FISA Section 702 (set to expire in just a few months). With Upstream, the NSA scans all internet communications going into and out of the United States for surveillance targets' e-mails, as well as IP addresses and what the agency has called cybersignatures. Last year, Reuters revealed that Yahoo, in compliance with a government order, built custom software to scan hundreds of millions of e-mail accounts for content that contained a digital signature used by surveillance targets.
Many believe these mass scans are unconstitutional and unlawful, but that has not stopped the government. Those concerns have not prevented the FISA Court from approving the government's requests, usually with the public totally unaware that mass scans continue to sift through millions of Americans' private communications.
By generating millions of face prints while simultaneously controlling the cameras that can scan and identify them, Apple might soon face a government order to turn its new unlocking system into the killer app of all time for mass surveillance.
There are steps Apple can take to prevent becoming this killer app. Face prints developed through FaceID should be stored only locally on devices, and should be fully encrypted so that the company cannot access them remotely, even if legally compelled to surreptitiously take control of an iPhone.
But remember that Apple and the FBI are still fighting over encryption. Therefore, Apple should also update its Transparency Reports to include data on whether it receives orders to turn over facial recognition profiles, or to conduct facial recognition scans, which would ring an alarm bell if it receives an order related to FaceID in the future.
And hey, talk to your representatives in Congress about applying the brakes to mass surveillance. Or, if they don't listen, send them packing.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology