“Privacy Is a Fundamental Human Right” – Apple Opens Up on Face ID Security But Is It Turning Users Overconfident?
Unlike other tech giants, Apple has always openly talked about its data collection practices, the reasons behind such collection and how it plans to keep that data secure. The company has today launched a revamped Privacy website that makes the information more easily accessible to its consumers amid growing security concerns about its newly introduced Face ID.
"Great experiences don’t have to come at the expense of your privacy and security," Apple on Face ID concerns
"At Apple, we believe privacy is a fundamental human right," the site says. "And so much of your personal information - information you have a right to keep private - lives on your Apple devices."
This is a noteworthy point since the company has time and again focused on how so much of computation happens right on the device to make sure that no personal information has to leave the comparatively safer walls of an iPhone.
"Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message."
This is important not only because it reassures Apple users that the Cupertino iPhone maker continues to design its products and services keeping user privacy at the core, but it will also hopefully push other tech companies to be more forthcoming about their data collection practices.
"Whether you’re taking a photo, asking Siri a question, or getting directions, you can do it knowing that Apple doesn’t gather your personal information to sell to advertisers or other organizations."
In today's privacy-focused launch, the company again reiterated that "great experiences don’t have to come at the expense" of user privacy and security.
Launch of iPhone X Face ID brought in new user security concerns
Biometrics will never be a secure way to replace tedious passcodes, but people continue to prefer Touch ID over passwords and with Face ID, many will switch to the facial authentication system. In a white paper released today, Apple assures that the "facial matching is performed within the secure enclave using neural networks trained specifically for that purpose," which means data never leaves the user device.
Along with an emergency switch, there will be several cases when Face ID won't work (but it won't be a feature fail) and you will be required to use your passcode:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face. (What happened to Craig Federighi during the Keynote demo)
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
The new site and the white papers essentially outline Apple's commitment to privacy as it introduces more personal and potentially sensitive features and services.
Is Apple making its users overconfident?
Security researchers, however, worry that Apple's assurances on the security of its features make users overconfident that no one can access their personal data. "You know every hacker in the world is going to hammer on this," Rich Mogull, a security analyst, said.
If the last two years are any hint, it has become more profitable to target Apple products, including its iCloud, iPhones and Macs. There's no such thing as unhackable products and some analysts are concerned that Apple users don't do enough to protect themselves, falling more easily even for the social engineering campaigns as they believe in the rhetoric of Apple products being unbeatable.
"People shouldn't look at this and think it can't be defeated," security expert Peter Fu wrote. "It's just another type of lock and any lock can be picked."
"You are giving bad guys more and more incentive to try to compromise that secure enclave," Fu added talking about Apple's decision to store everything sensitive, including Apple Pay data and the Face ID, in one place.
Apple, after all, is a business and has its own interests in getting more people on board the new Face ID trend, without thinking too much about the eventual security repercussions.
The revamped site also carries information on how the company collects and uses data in other products and features, including encryption, Safari data collection through Differential Privacy, Apple Pay, Health, iCloud, and HomeKit. Interested users can head over to the Privacy site to learn more about these, or check out this white paper for specifics on Face ID.