App developer access to iPhone X face data spooks some privacy experts

App developer access to iPhone X face data spooks some privacy experts

By Stephen Nellis • November 1, 2017

SAN FRANCISCO (Reuters) - Apple Inc won accolades from privacy experts in September for assuring that facial data used to unlock its new iPhone X would be securely stored on the phone itself.

But Apple's privacy promises do not extend to the thousands of app developers who will gain access to facial data in order to build entertainment features for iPhone X customers, such as pinning a three-dimensional mask to their face for a selfie or letting a video game character mirror the player's real-world facial expressions.

Apple allows developers to take certain facial data off the phone as long as they agree to seek customer permission and not sell the data to third parties, among other terms in a contract seen by Reuters.

App makers who want to use the new camera on the iPhone X can capture a rough map of a user's face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer's own servers, can help monitor how often users blink, smile or even raise an eyebrow.

That remote storage raises questions about how effectively Apple can enforce its privacy rules, according to privacy groups such as the American Civil Liberties Union and the Center for Democracy and Technology. Apple maintains that its enforcement tools - which include pre-publication reviews, audits of apps and the threat of kicking developers off its lucrative App Store - are effective.

The data available to developers cannot unlock a phone; that process relies on a mathematical representation of the face rather than a visual map of it, according to documentation about the face unlock system that Apple released to security researchers.

But the relative ease with which developers can whisk away face data to remote servers leaves Apple sending conflicting messages: Face data is highly private when used for authentication, but it is sharable - with the user's permission - when used to build app features.

"The privacy issues around of the use of very sophisticated facial recognition technology for unlocking the phone have been overblown," said Jay Stanley, a senior policy analyst with the American Civil Liberties Union. "The real privacy issues have to do with the access by third-party developers."

The use of face recognition is becoming ubiquitous on everything from social networks to city streets with surveillance cameras. Berlin law enforcement officials in August installed a facial recognition system at the city’s main railway station to test new technology for catching criminals and terrorists.

But privacy concerns loom large. In Illinois, Facebook Inc faces a lawsuit over whether its photo tagging suggestions violated a state law that bars the collection of biometric data without permission. Facebook says it has always been clear with users that it can be turned off and the data for it deleted.

Privacy experts say their concerns about iPhone X are not about government snooping, since huge troves of facial photographs already exist on social media and even in state motor vehicle departments. The issue is more about unscrupulous marketers eager to track users' facial expressions in response to advertisements or content, despite Apple's contractual rules against doing so.

App makers must "obtain clear and conspicuous consent" from users before collecting or storing face data, and can only do so for a legitimate feature of an app, according to the relevant portions of Apple's developer agreement that Apple provided to Reuters.

Apple's iOS operating system also asks users to grant permission for an app to access to any of the phone's cameras.

Apple forbids developers from using the face data for advertising or marketing, and from selling it to data brokers or analytics firms that might use it for those purposes. The company also bans the creation of user profiles that could be used to identify anonymous users, according to its developer agreement.

"The bottom line is, Apple is trying to make this a user experience addition to the iPhone X, and not an advertising addition," said Clare Garvie, an associate with the Center on Privacy & Technology at Georgetown University Law Center in Washington.

ENFORCEMENT IN QUESTION

Though they praised Apple's policies on face data, privacy experts worry about the potential inability to control what app developers do with face data once it leaves the iPhone X, and whether the tech company's disclosure policies adequately alert customers.

The company has had high-profile mishaps enforcing its own rules in the past, such as the 2012 controversy around Path, a social networking app that was found to be saving users' contact lists to its servers, a violation of Apple's rules.

One app developer told Reuters that Apple's non-negotiable developer agreement is long and complex and rarely read in detail, just as most consumers do not know the details of what they agree to when they allow access to personal data.

Apple's main enforcement mechanism is the threat to kick apps out of the App Store, though the company in 2011 told the U.S. Congress that it had never punished an app in that way for sharing user information with third parties without permission.

Apple's other line of defense against privacy abuse is the review that all apps undergo before they hit the App Store. But the company does not review the source code of all apps, instead relying on random spot checks or complaints, according to 2011 Congressional testimony from Bud Tribble, one of the company's "privacy czars."

With the iPhone X, the primary danger is that advertisers will find it irresistible to gauge how consumers react to products or to build tracking profiles of them, even though Apple explicitly bans such activity. "Apple does have a pretty good historical track record of holding developers accountable who violate their agreements, but they have to catch them first - and sometimes that's the hard part," the ACLU's Stanley said. "It means household names probably won't exploit this, but there's still a lot of room for bottom feeders."

(Reporting by Stephen Nellis; Editing by Jonathan Weber and Edward Tobin)

https://www.yahoo.com/news/app-developer-access-iphone-x-face-data-spooks-050850786--finance.html


Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more