The American Civil Liberties Union (ACLU) has raised privacy concerns about developer access to the facial expressions of iPhone X users. In particular, they say that Apple allows developers to capture facial expression data and store it on their own servers.
When the iPhone X was launched, Apple was careful to stress that the 3D face recognition model used by Face ID was stored only on the phone itself. The data is never transferred to Apple servers. But the ACLU says that app developers are allowed to transmit and store some face data …
Reuters explained what Apple allows app developers to do.
One concern is that app developers could use facial expressions to assess emotional responses to ads shown within apps. However, Apple already outlaws that, stating that developers are only allowed to use face data to power a legitimate feature of the app. Using it for marketing or advertising purposes is specifically prohibited.
App makers who want to use the new camera on the iPhone X can capture a rough map of a user’s face and a stream of more than 50 kinds of facial expressions. This data, which can be removed from the phone and stored on a developer’s own servers, can help monitor how often users blink, smile or even raise an eyebrow.
Some argue that rogue developers might still do it, as Apple’s review process can be hit-and-miss.
It’s also possible that developers might do it without realizing it’s not allowed.
With the iPhone X, the primary danger is that advertisers will find it irresistible to gauge how consumers react to products or to build tracking profiles of them, even though Apple explicitly bans such activity.
The issue seems worth raising for this reason – just to ensure that developers are fully aware that Apple doesn’t permit it. But as our own Benjamin Mayo noted, this isn’t unique to the iPhone X: it would be entirely possible to recognize expressions like smiles and raised eyebrows just by using the existing camera.
It should be stressed that app developers do not have access to anything like the amount of data needed to perform their own face recognition.