Apple iPhone users will soon be face-to-face with the future of identity verification. Apple’s new iPhone X will allow users to unlock their phones just by looking at the screen. The company’s new identity system, called Face ID, is an unlock protocol designed to replace Touch ID, Apple’s fingerprint-based system. If successful, iPhone X will bring the facial recognition experience to the masses.
Biometrics and Security
Eyes, mouth, and nose must be easily viewed by infrared light for Face ID to work fluidly, and one concern is whether Apple’s Face ID can be tricked. Based on history, there could be some reason for worry. When Apple launched Touch ID in 2013, it took ethical hackers just two days to fool the device with a manufactured fingerprint. Iris scan security for the Galaxy S8 also proved relatively easy to compromise.
With Touch ID, Apple claimed odds of 1 in 50,000 when it discussed whether a random individual’s fingerprint could unlock an iPhone. According to a September Forbes article, Apple’s Philip Schiller, SVP of Worldwide Marketing, said at a recent even that the company estimates a random face would succeed once in 1 million attempts. It’s still unknown if these statistics will be proven accurate.
Apple does not recommend its facial biometric scan feature for use by children under 13—their facial characteristics are not fully formed and can change rapidly—or by identical twins. The phone still requires a passcode after five failed attempts at bio-recognition.
Biometrics and Case Law
Another issue regarding biometrics is the lack of case law when it comes to law enforcement and the privacy of your password. A number is something you know; a fingerprint or face is something you have. Recently, a court in Minnesota ruled that your finger could be forcibly used to unlock a phone while you cannot be forced to divulge a password. The LA Times reported that a California court reached a similar conclusion.
Biometrics and Privacy
Apple has said that user photos taken to set up Face ID will remain on the user’s phone, and not be shared with the company unless the individual opts to share. However, your mug may already exist in another massive biometric database.
The Federal Bureau of Investigation (FBI) has developed the Next Generation Identification (NGI) database to supplement IAFIS, the bureau’s criminal data repository. NGI stores biometric data—fingerprints, iris scans, palm prints, and more. The Bureau holds an estimated 400 million photos in NGI. A 2016 Government Accountability Office (GAO) report raised concerns about the system’s security measures.
Recently, Georgetown Law’s Center for Privacy and Technology released a study called The Perpetual Line-up. It estimated that at least 117 million Americans have already landed in NGI.
NGI data comes from numerous sources including local police departments, motor vehicles offices, and more. The study’s authors raised the question of whether such databases, which in the past contained only data on known criminals, should be expanded to include all law-abiding citizens. You can view Georgetown Law’s interactive map to see how your state regulates the use of your driver’s license photo and more.
Biometrics and You
From smart phone security to unlocking computers, biometrics could soon become (or may already be) a part of your everyday life. Take the time to think through the technology’s security and privacy issues, so you can make an informed decision about how much of your biometric information you are willing to share.