When technology companies boast about the security of their products, it’s as if a gauntlet has been thrown down for people to prove otherwise.
At the September unveiling of Apple’s iPhone X, it was claimed that its new Face ID system, which allows people to unlock their phones by simply looking into the camera, had a one-in-a-million chance of being breached by a random person. The challenge was eagerly taken up by hackers and tech enthusiasts who were keen to give Apple a black eye, but it was a ten-year-old boy from New York, Ammar Malik, who caused the Cupertino firm embarrassment when he managed to repeatedly unlock his mother’s phone with his own face, and on one occasion his father’s phone, too.
As the family gave interviews to the world’s press, it seemed like a cute story of how family resemblance tricked sophisticated tech, but it also raised questions about the security of this kind of biometric access and whether features like Face ID are even necessary at all.
Apple had already warned that twins might be able to access each other’s iPhones using Face ID, but as tales emerged of brothers with bigger age differences managing to pull off the same trick, Bloomberg broke a story suggesting that the accuracy of Apple’s face recognition may have been purposefully reduced to facilitate easier manufacturing.
This was denied, but by this point the idea of Face ID having a flaw (or two) had taken hold. Wired magazine spent thousands of dollars trying to trick it with the help of hackers, mask makers and make-up artists; they failed, but a Vietnamese security firm, Bkav, published a video claiming that they'd breached Face ID using a mask that cost only $150 to make. Their claims prompted some questions about methodology which went unanswered, but public unease over Face ID was evident in any case. A poll of 2,000 Britons earlier this month revealed that 79 per cent preferred to use a passcode or fingerprint to unlock their phones, and that more than a quarter considered face identification to be a bad idea.
It’s telling that Apple took unprecedented steps before the launch of Face ID to educate and reassure us. Over the course of a six-page document, it describes how the geometry of the face is mapped using tools including an infrared camera and a dot projector, how it makes allowances for changes in your appearance and, crucially, how the resulting data is kept safely on your phone and isn’t sent back to Apple or to any third parties.
That may have provided comfort to those who had visions of a Minority Report-style dystopia, but it was never going to address the more fundamental ideological problems with using your body to unlock technology. "Biometric information is a username, not a password," writes author and software developer Gojko Adzic in a comprehensive blog post on this topic. "It is much easier to force someone to give up their biometric data than a piece of information." In other words, biometric systems such as Face ID may say "I am here", but not necessarily "I want the contents of my device to be made available".
Critics have already voiced concern over how this flaw can be exploited – and not just by criminals, but by police and government.
The fundamental problem with unlocking things using biometric data, critics contend, is that it’s not secret. Passwords, for all their flaws, are things you can choose not to reveal, while our faces are, in the main, clearly visible. The concern prompted by the Vietnamese hacking experiment is that as modelling and 3D printing techniques become more sophisticated, biometric data will become easier to fake. And once that data is compromised, you can’t change it in the way you might change a password. Your face and your fingerprints are associated with you forever.
Where systems like Face ID score highly is convenience. It's much easier to touch a phone with your thumb or gaze into its sensors than to key in a four- or six-digit password, and the enthusiasm for simple, instant unlocking techniques can be seen in the flood of new research. The last few weeks have seen reports of breakthroughs in palm print ID in San Francisco, a London university analysing patterns of veins in a fingertip, Indian scientists using accelerometers to identify people based on the way they move, and a New York computer science department using Doppler radar to assess the unique size and shape of your heart.
This sits alongside the inevitable surge in facial identification innovation, as competing phone manufacturers play catch-up with Apple and other services begin work on similar systems.
But given that fingerprints and passcodes currently serve us perfectly well, what’s behind all this, other than getting us to spend more money?
In an article for TechCrunch, Natasha Lomas outlines how the ability of the iPhone X to detect changes in facial expression will open up huge possibilities in augmented reality entertainment, but the corollary of that could end up being “hyper-sensitive expression-targeted advertising” and “granular user profiling”, as our smiles and frowns are analysed and acted upon. Facial analysis is likely to be one of those long games, where we’re introduced to the technology in a benign way and its capabilities are then extended later on – or, as Lomas puts it, “normalising and encouraging the use of facial tracking for all sorts of other purposes.”
When technology works in new and unexpected ways, it can be incredibly compelling. Unlocking something by looking at it is the stuff of science fiction, and it’s a very normal human response to find that delightful.
Indeed, for the vast majority of us, Face ID and its various cousins will dovetail perfectly with our lives and present us with no problems.
But for anyone whose work involves a great degree of authority, responsibility, even secrecy, the flaws of biometric identification are worth remembering. Particularly if you have an evil twin.