When Apple’s new iPhone X arrives next month, its Face ID technology will introduce a new era of convenience—but also new risks of broad face-based surveillance by corporations and governments.
Apple’s strong record on privacy means it’s likely to deploy the facial recognition tool responsibly, but that doesn’t account for third-party companies that plan to integrate Face ID into their apps. Such companies could seek to assemble their own databases of faces and, in the worst case scenario, use a facial database to identify consumers online and in the streets for ad purposes.
Apple has yet to disclose full details of how Face ID will operate, though a source familiar with the tool says there is a plan to prevent app makers from violating user privacy. Meanwhile, outside of a single state law, consumers will have little recourse if companies begin to collect images of their face without consent.
Facing a Pandora’s Box
Facial recognition technology is not new. Casinos have used it for years and, more recently, Samsung and Microsoft began offering it as a feature for consumers to unlock their phones and laptops. What’s different is the hype over Apple’s iPhone X is likely to thrust facial recognition into the mainstream like never before.
Face ID, in a nutshell, is about Apple replacing fingerprints with facial images as a security feature on the iPhone X. For consumers, this means they’ll be able to unlock their phone just by looking at it, and also to use their face as a means to authorize in-app transactions with banks and retailers.
The feature has been hailed for its convenience, but it has also raised concerns that third parties—namely law enforcement or thieves—will be able to unlock iPhone Xs against their owners’ will just by pointing it at them. But there’s also a more subtle worry that Face ID will give Apple and its app partners an easy way to create a massive database of consumer faces.
The privacy fear is that iPhone-enabled facial recognition will be used not just for signing into apps and devices, but also for surveillance and marketing. For instance, malls or restaurants might capture facial images of customers walking in the door, and then use data obtained from app makers to identify who they are.
So far, Apple has smoothed over privacy concerns by noting Face ID is entirely self-contained within the phone: The facial image, which is created with a special camera on the device, is stored only on the iPhone and never shipped back to Apple. This means that, while consumers’ photos and other content are regularly transferred to Apple’s iCloud storage service, this won’t be the case with their facial recognition data.
This is good news, but what about the banks and other companies that plan to rely on Face ID with their apps? A retailer’s app, for instance, might ask an iPhone owner to use Face ID to approve a transaction, but then also use the process to capture an image of the customer’s face.
In response to a question about third parties’ use of Face ID, Apple said in a statement that “users’ privacy has been a priority since the very beginning.” The company added it would provide more details about Face ID closer to time of the product’s release in early November.
“The most unknown part of Face ID is the third-party aspect. It could be troubling if third-party app developers have carte blanche to access the hardware,” said Chris Dore, an attorney with Edelson PC, a law firm that has won high-profile cases involving companies that used apps to collect consumer data without their permission.
App makers typically get permission to collect data through terms-of-service agreements, which very few consumers bother to read. In theory this could be a way for app makers to vacuum up millions of facial images.
“Hopefully Apple is aware of this and will have a way of sand-boxing third party’s use of Face ID,” said Dore, using a term that describes walling off an app’s access to certain features of a smartphone.
Fortunately, that appears to be exactly what Apple plans to do so. A source familiar with Face ID, who was not authorized to speak publicly, confirmed the company will indeed “sandbox” the new iPhone’s facial recognition capacity in a way that prevents app makers from harvesting biometric data. If Apple does implement such an approach, it would be consistent with how the company handles its so-called Touch ID, which lets users authorize purchases with a finger or thumbprint.
All of this is reassuring for privacy advocates, but it also underscores how, in the United States, there are virtually no restrictions on how companies can exploit powerful facial recognition tools.
A Law to Scan Our Faces
The privacy features built into Face ID are likely to limit misuse of a powerful technology. At the same time, Dore worries the new iPhone will increase the popularity of facial recognition, and lead unscrupulous companies to exploit it.
Former NSA contractor Edward Snowden took to Twitter soon after Apple announced Face ID to express similar concerns:
Such fears may be justified as, right now, there is little to prevent companies from scanning the faces of their customers and creating databases from those images.
Wal-Mart, for instance, experimented with facial recognition as a tool to detect shoplifters. Meanwhile, Facebook has used its “tagging” feature for photos to assemble what is likely the most comprehensive record of human faces in history.
In response to this phenomenon, the state of Illinois passed a law that requires companies to obtain permission from consumers before collecting biometric data, including facial scans.
Get Data Sheet, Fortune’s technology newsletter.
Already, consumers have brought class action suits against Facebook, Google and the digital scrapbook site Shutterfly for allegedly failing to abide by the law. The companies are pushing back aggressively in court, claiming the law doesn’t apply to them, but a series of decisions have so far gone against them. Meanwhile, a stealthy effort in 2016 by the tech industry to persuade Illinois lawmakers to rescind the law came up short.
Two other states, Washington and Texas, have passed their own versions of a biometric law, but, as they provide no right for consumers to sue, they are not expected to have much impact.
All of this may one day lead to calls for federal rules about how and when companies can collect consumers’ faces. For now, though, their best hope may be to rely on Apple’s technology to prevent a convenient feature from turning into a surveillance tool.