This week’s Apple X announcement was not more than a few hours old, and the questions began to come in. Apple’s introduction of Face ID facial recognition on its new phone – although already available in some form on several Android phones – generated curiosity, concerns and creativity.  Unfortunately, the details about specifically how the recognition feature will really work are yet unknown.  All the public knows right now is that the phone’s facial “capture” function, powered by an updated camera and sensor array, will direct 30,000 infrared dots around a user’s face and create a hashed value that will presumably be matched against a user’s face during the unlocking procedure.

The questions and issues this raises are too numerous and varied to address in a single blog post. I will simply point out that the concerns over Face ID range from spoofing (e.g., Can the phone be unlocked by a picture? [Apple says no, explaining that the system will map the depth of faces]) to security (e.g., Is the “face map” or hashed value stored in a database which can be breached? [Apple, says no, like fingerprints in Apple’s current Touch ID feature, the face map will be securely stored locally on the device]).

One issue that I thought was particularly interesting, however, relates to the ability of apps residing on a phone to interact with facial captures. Unless disabled, Face ID could potentially be “always on,” ready to capture facial images to authenticate the unlocking of the phone, and possibly capturing facial images as the user interacts with the unlocked phone.  So, clients have asked: Will the apps on the phone be able to access and use those facial captures?

Fascinating question! Imagine the applications. An app would be able to discern all kinds of new demographic information about users, and possibly gauge information about a person’s mood, location, age, and health.  Moreover, could an app evaluate on a real-time basis a user’s emotional response to interactions with a particular app or web page?

As far as I know, Apple has not made any specific statements about whether facial capture data will be available to apps, except as a replacement for older iPhone’s Touch ID function that allows users, among other things, to use Apple Pay or log into protected apps such as for mobile banking (which presumably will be able to be opened now with a look, instead of a touch). As we know, however, Apple does make other device specific information available to apps (e.g., geolocation), typically after a user expressly consents to such sharing and the app developer itself has expressly agreed to certain privacy practices as outlined in the Apple developer agreement.

In the case of facial captures, a number of legal principles would come into play. Some federal and state laws already treat biometric data, including facial imagery, as personally identifiable information for a variety of purposes.  For example, the definition of “personal information” under COPPA (The Children’s Online Privacy Protection Act) includes photos, videos, and audio recordings that contain a child’s image or voice. Thus, in general, a service provider cannot collect or store images of children under 13 without prior verified parental consent.  On the state level, a number of states in recent years have amended their breach notification statutes to include the unauthorized access to unique biometric data such as facial imagery (in conjunction with the disclosure of an individual’s name) as a trigger for notification requirements.  In addition, a number of states have also enacted biometric privacy laws, including the notorious Illinois law commonly known as BIPA, which generally imposes data security requirements on the storage of facial captures and other biometric information.  And of course, internationally, under existing laws and the soon to be effective GDPR in Europe…well, don’t get me started….

So, the answer to the question is, “We’ll see.” First, we have to see what Apple has to say about this.  Will they make facial capture data available to apps?  If so, what kind of prior user notification and consent will be needed?  If not, will Face ID only be used by third-party apps to authenticate users and nothing more?  Second, to the extent Apple agrees to make such data available, how will companies manage it?  Will they be able to store it, and if so how will they comply with COPPA, BIPA, and all the other existing and emerging laws related to the capture and storage of biometric data, both domestically and internationally.  How will they secure the data? What kinds of changes, if any, will be required to their technical infrastructure, privacy policies, data security policies, incident response policies, etc., etc., etc.?

The potential opportunities presented by the use of facial imagery are significant. If Face ID is reliable enough, users will feel more comfortable using it (as happened with iPhone’s Touch ID fingerprint function) and it will spread to other devices and other industries.  There are, however, numerous issues to be resolved.  We are awaiting more word from Apple which will help us understand Face ID and allow us to advise on the most practical way to capitalize on these opportunities.  Stay tuned!