What happens if police force you to unlock your iPhone X with your face?
Imagine you’ve been detained at customs, waiting to cross the border. Or maybe you’ve been pulled over for a traffic violation. An officer waves your cell phone at you.
“Look at this. Is this yours?” he asks.
Before you can respond, a tiny infrared sensor in the phone has scanned your face. Matching those readings against the copy of your face that is stored in its archive, the phone concludes that its owner is trying to unlock it. The device lowers its defenses, surrendering its contents in moments to the law enforcement officer holding your phone.
Without you saying a word, he has gotten everything he wanted.
That’s the nightmare scenario that some privacy and security experts are raising after Apple on Tuesday unveiled its new iPhone X (pronounced iPhone’”10’), a device with powerful facial-recognition features. The technology, Apple said, replaces the home button and fingerprint reader that was so revolutionary just a few years ago with a new authentication system known as Face ID.
For all intents and purposes, Face ID works just like its predecessor, Touch ID. The only difference is that instead of scanning your fingerprint, the iPhone X scans your face. It’s an incredibly convenient feature, one that could raise security across the board by helping to curb the use of weak pass codes such as ‘121212.’
But the introduction of Face ID also instantly led to questions among civil liberties experts, who say the technology poses the risk of abuse.
“You have to work pretty hard to get me to put my fingerprint on a reader,” said Chris Calabrese, vice president for policy at the Centre for Democracy and Technology. “You have to work less hard to put a phone in front of somebody’s face.”
Can the police really force you to unlock your phone with just your face?
“There is some question whether or not they could get you to scan your face or your fingerprint,” said Susan Hennessey, a fellow at the Brookings Institution and a managing editor of Lawfare, a leading national security blog. “Ultimately, this is the next development in the already existing, open legal question.”
The law is ambiguous — and the uncertainty is likely to persist until a court case establishes clearer rules, analysts say.
While you can’t legally be compelled to give up your pass code, some analysts say, courts have ruled that law enforcement can compel you to give up your fingerprint under certain conditions. Under a standard known as ‘reasonable suspicion,’ you can be required to provide your fingerprint. Could the same standard be applied to your facial data? That’s what is unclear.
That said, Americans enjoy one additional layer of legal protection. Even if a police officer uses your biometric information to unlock a phone, he or she must still obtain a search warrant to search the phone.
Given how confusing the law can be on these issues, can’t there be some kind of technological solution?
A partial one may be in the works. The new version of Apple’s mobile operating system, iOS 11, is said to contain a failsafe that will not only disable Touch ID, but also potentially Face ID. By pressing the power button five times in quick succession, an iPhone will stop accepting biometric data as an unlocking mechanism and require a pass code, according to the researcher who discovered the feature in a beta version of iOS 11.
It is not clear how long the failsafe lasts before things revert to the regular mode. Apple did not respond to a request for comment.
“I’m told the TouchID disable already works for FaceID (it doesn’t require the home button, you just tap the side/power button 5x). Nice.
• Edward Snowden (@Snowden) September 12, 2017”
The failsafe could be the difference between protecting a user’s sensitive data and having his or her entire digital life on display. But it won’t work for everyone. In the heat of the moment, some may forget how to engage the failsafe. Some may not even know that such an option exists. Or they may not have the opportunity to turn it on before their device gets confiscated.
“Right, but that’s still fail-deadly. If they get it out of your hands before you mash the button, it’s all over.
• tormaid (@tormaid) September 12, 2017”
“Responsible companies need to ask themselves, ‘Where do we stop? Have we thought through the implications?’” said Katharina Kopp, director of policy for the Centre for Digital Democracy, a privacy advocacy group.
—The Washington Post Service
Published in Dawn, The Business and Finance Weekly, September 18th, 2017