The Face of Enterprise Security

It's the time of year when Apple pops out a new iPhone to extract any money that may be lying around a consumer's wallet. The newest one (do we call it iPhone "Ecks" or "ten" or what?) has some interesting technology in it called FaceID.

As we know now, it's a biometric system, similar to the fingerprint-using TouchID, that can recognize a user's face and authenticate them. When Touch ID first appeared, many were concerned that the biometric data of a user would be spread around the Apple ecosystem. It took some major explaining by Apple of how things worked -- the actual data never left the phone and third parties only saw a yes/no that the phone generated -- to calm those fears down.

There has been no similar uprising about the FaceID technology, since Apple has been assumed to be doing the same thing as it did with Touch ID to preserve user anonymity. They even explicitly said that to privacy advocates in September. That may be true on a technical basis, but some interesting things are now coming out on how Apple will share FaceID with developers.

Reuters has reported that, based on a contract they had seen, developers will be able to get facial information from the new iPhone. While the developers have to agree to seek customer permission for this as well as agree not to sell the data to a third party, the resultant data may end up on the developer's servers.

Apple thinks it can enforce this approach by threatening to pull any non-compliant apps from its App Store, and pre-screen apps before allowing them on the store. Privacy advocates are not so convinced of Apple's ability to police this. There are only spot checks of source code performed by Apple, and they have never pulled an app from the Store because of poor information-sharing practices.

Even if an app was pulled, might a developer think that they could end up making more after the pull by selling the now unencumbered facial data that they have to some marketer?

If an employee is willing to share facial data (expressions for example) with some app, should the employer be concerned? It must depend on the context of that use.

Using FaceID to make a character in a game smile won't directly affect an employee's job performance. But twitching their cheek to effect spreadsheet cell selection might.

Apple is no doubt trying to make FaceID desirable to consumers by allowing developers to use it for their apps. However, this illustrates how the best intentions can go awry. An organization is faced with a different kind of shadow IT going on here. They and the user rely on one company to enforce the app-only, no-marketing doctrine without assurances that it will be effective. Besides unlocking a phone, the technology allows for a user's face to be continually monitored. Most users -- and their employers -- may not even considered that as a possibility. It's already here.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.