The Devil in the Lock Screen
- September 16, 2017
- Clayton Rice, Q.C.
On September 12, 2017, Apple CEO Tim Cook unveiled the iPhone X with facial recognition technology. The device features an edge-to-edge screen without the iconic Touch ID home button. The phone will be unlocked by recognizing the user’s face. The next day US Senator Al Franken D/Minn, a ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, sent a letter to Mr. Cook asking ten questions about the privacy and security implications of Face ID. Here they are:
1. Apple has stated that all faceprint data will be stored locally on an individual’s device as opposed to being sent to the cloud. (a) Is it currently possible – either remotely or through physical access to the device – for either Apple or a third party to extract and obtain useable faceprint data from the iPhone X? (b) Is there any foreseeable reason why Apple would decide to begin storing such data remotely?
2. Apple has stated that it used more than one billion images in developing the Face ID algorithm. Where did these one billion face images come from?
3. What steps did Apple take to ensure its system was trained on a diverse set of faces, in terms of race, gender, and age? How is Apple protecting against racial, gender, or age bias in Face ID?
4. In the unveiling of the iPhone X, Apple made numerous assurances about the accuracy and sophistication of Face ID. Please describe again all the steps that Apple has taken to ensure that Face ID can distinguish an individual’s face from a photograph or mask, for example.
5. Apple has stated that it has no plans to allow any third party applications access to the Face ID system or its faceprint data. Can Apple assure its users that it will never share faceprint data, along with the tools or other information necessary to extract the data, with any commercial third party?
6. Can Apple confirm that it currently has no plans to use faceprint data for any purpose other than the operation of Face ID?
7. Should Apple eventually determine that there would be reason to either begin storing faceprint data remotely or use the data for a purpose other than the operation of Face ID, what steps will it take to ensure users are meaningfully informed and in control of their data?
8. In order for Face ID to function and unlock the device, is the facial recognition system “always on,” meaning does Face ID perpetually search for a face to recognize? If so: (a) Will Apple retain, even if only locally, the raw photos of faces that are used to unlock (or attempt to unlock) the device? (b) Will Apple retain, even if only locally, the face prints of individuals other than the owner of the device?
9. What safeguards has Apple implemented to prevent the unlocking of the iPhone X when an individual other than the owner of the device holds it up to the user’s face?
10. How will Apple respond to law enforcement requests to access Apple’s faceprint data or the Face ID system itself?
Senator Franken asked for a reply by October 13, 2017.
I am concerned, here, with the Senator’s ninth question and the implications it raises for the ethical responsibility of lawyers to protect confidential client information. A lawyer’s smartphone may contain a trove of client data extending beyond communications that are privileged to other information imparted to the lawyer in circumstances of confidentiality. (See: Tony Romm. Apple is facing questions from the U.S. Senate on the privacy protections in iPhone X and Face ID. Recode. September 13, 2017)
It didn’t take long for bloggers to ask the same questions as Senator Franken. In a post titled The five biggest questions about Apple’s new facial recognition system published by The Verge on September 12, 2017, Russell Brandon wrote: “Like Touch ID before it, Face ID raises real questions about compelled unlocking. If you’re detained by police, they won’t be able to guess your password – but they would be able to hold the phone up to your face until you pass a Face ID scan. It’s a major privacy concern, and one many users don’t think about until it’s too late.” And in a post to Quartz on the same day titled Five privacy and security concerns about Apple’s new FaceID facial recognition Dave Gershgorn asked: “Will police be able to use your face to unlock your phone without a warrant? Matthew Segal, a legal director for Massachusetts ACLU, says it’s not yet clear how this might work in practice. (I’m sure we’ll find out when the lawsuits start rolling in.)” (See also: David Kravets. What you should know about privacy and Apple’s FaceID on iOS 11. Ars Technica. September 13, 2017)
The legal terrain here is not the same in the United States and Canada. A Fourth Amendment warrant based on probable cause is required to search a cell phone in the United States even when it is seized incidental to an arrest. Although a search warrant is also required in Canada under s. 8 of the Charter of Rights, law enforcement has more leeway to rummage around in the closets of devices seized without a warrant during a lawful arrest. (See: Riley v California, 134 S.Ct. 2473 (2014); and R v Fearon, 3 SCR 621)
The weight of Fifth Amendment jurisprudence in the United States is that a passcode for a cell phone is protected by the right against self-incrimination but a fingerprint is not. In a piece titled Apple’s Use of Face Recognition in the new iPhone: Implications posted to the American Civil Liberties Union blog on September 14, 2017, Jay Stanley said this about the right against self-incrimination: “Some courts have ruled that if law enforcement has a warrant to search your phone, they can require you to provide your fingerprint to open it up, reasoning that biometrics are identifiers, not testimony. But under the current cases, it is more difficult for the government to force you to divulge a passcode. The doctrine is both murky and still developing, but it’s likely that courts would see face prints the same way they’ve seen fingerprints.”
In an article titled How Secure Is The iPhone X’s FaceID? Here’s What We Know published by WIRED on September 12, 2016, Andy Greenberg summed up the problem this way: “Your face sits out in the open, displayed in public, and well-documented across social media platforms. Using it as a secret key is a little like writing your PIN on a Post-It note, slapping it on your forehead, and going for a stroll.”
What can the user do to protect an iPhone X from access by a thief, or from a warrantless search by the police – or a border agent? Apple’s SVP of Software Engineering, Craig Federighi, has been reported as describing the backup this way: “On older phones the sequence was to click 5 times [on the power button], but on newer phones like iPhone 8 and iPhone X, if you grip the side buttons on either side and hold them a little while – we’ll take you to the power down [screen]. But that also has the effect of disabling Face ID. So, if you were in a case where the thief was asking to hand over your phone – you can just reach into your pocket, squeeze it, and it will disable Face ID. It will do the same thing on iPhone 8 to disable Touch ID.” (See: Matthew Panzarino. Interview: Apple’s Craig Federighi answers some burning questions about Face ID. TechCrunch. September 15, 2017)
But the scenario considered by Mr. Federighi assumes that the phone is in the user’s pocket and that there is “a little while” to grip the side buttons. I wouldn’t expect many muggers to stand around tapping their toes for “a little while” as the target grips the buttons. And how many people have their phones in their pockets when waiting on street corners, sitting in coffee shops or standing in commuter trains? The theft scenario frequently plays out in a grab ‘n dash or when the user puts his or her phone down in a public place. It will take an instant for a thief to snatch a phone and point it at the user’s face.
The other option if someone snatches the phone is – don’t look at it and it won’t unlock. Imagine the reaction of police officers when users begin telling them they can’t describe a thief because they closed their eyes. Now that’s some face identification! (See: Daniel Cooper. You can disable the iPhone X’s FaceID if you’re in trouble. Engadget. September 15, 2017)
And that takes me back to Senator Franken’s ninth question that I will ask this way: Given the security flaw in Apple’s Face ID – how can lawyers reasonably protect the confidentiality of client data on an iPhone X?
The best choice for lawyers – for whom privacy must be the dominant consideration – is to use the passcode feature. Or, use a passcode in conjunction with Face ID. Although the constitutional landscape is caliginous, the ethical one is not. In Alberta, the Law Society of Alberta is the statutory body governing the legal profession. The Society’s Code of Conduct, Rule 2.03, requires that a lawyer must hold in strict confidence all information concerning a client that is acquired in the course of the professional relationship. The commentary following Rule 2.03 emphasizes that the ethical rule of strict confidence is wider than the constitutionally protected evidentiary rule of lawyer and client privilege and “applies without regard to the nature or source of the information or the fact that others may share it”.
Be wary, then, of iPhone X. For the devil is in the lock screen.