
Facial recognition technology raises privacy concerns

In Part 1 of a three-part series on privacy, Toronto privacy lawyer Sharon Bauer explores the threat landscape around facial recognition apps.

Facial recognition technology on mobile phones has wider privacy implications than many consumers realize, Toronto litigator Sharon Bauer tells

Apple’s recent launch of its iPhone X also marked the unveiling of its Face ID feature, which unlocks the phone when the owner looks at the screen.

Bauer, a partner with Wolfe Lawyers, says when it comes to privacy and security concerns, the public and media tend to focus on scenarios where you may be forced by someone to look at your screen to unlock it.

“We saw the same kind of worry with fingerprint authentication. Apple has addressed this concern and claims that Face ID authentication is even more secure than fingerprint authentication,” she says. “But it’s also a pretty narrow privacy issue. The broader and bigger issue that people are thinking less about relates to third-party app developers and the data they can collect through the TrueDepth camera on the phone.”

“Yes, all this facial recognition technology is super-convenient, but we should at least be aware of what we are giving up for this convenience,” Bauer adds.

She explains that the Face ID program uses the associated camera to build a three-dimensional mathematical model of the phone owner’s face. That information is then stored and encrypted on the device itself.

“Nobody has access to that information, not even Apple, so that is good in terms of security,” Bauer says.

However, she says the company also allows third-party app developers to make some limited use of the phone’s camera in a way similar to the popular Animoji feature, where someone can create animated characters using their own voice and facial expressions.

“These are cute, fun features and we can get a kick out of them. But we’re also giving these apps a great deal of data about your facial expressions,” she says.

Although the information developers can glean via the apps will not be enough to crack the locking mechanism, Bauer says there’s still the potential for enough data to be transmitted to concern users, especially when used in combination with other sources.  

“We’re slowly creeping into an age where facial mapping is becoming normal, but it quickly becomes a slippery slope where your phone becomes a spying tool,” she says. “We’ve already provided apps with demographic data about our age, sex, location and so on. Now, we’re providing psychographic data too, and the creation of personality categories based on how we react to ads that pop up.

“Developers can then use that information to create targeted ads to accommodate particular expressions. Someone with wrinkles might get an ad for face cream, or someone who’s depressed might get some medication marketed to them,” Bauer adds.

While developers must adhere to strict guidelines concerning privacy and user consent for the use of data in order to gain access to Apple’s app store, Bauer says a question mark remains over the enforcement of the guidelines.  

“The guidelines set by Apple are good steps in the right direction, but there are thousands of developers and individual apps. It’s a nearly impossible task to police each and every one of them,” she says. “While developers risk being removed from the app store if they do not adhere to the strict guidelines, it’s still a matter of trusting them to act properly and for Apple to enforce these safeguards.”

Bauer says the issue may come to a head later this year when the European Union's General Data Protection Regulation (GDPR) goes into effect.

The regulations, which replace the existing Data Privacy Directive with more comprehensive data privacy rules, come into force in May 2018 and apply to any organization that collects or processes personal information about EU residents. 

The GDPR also incorporates new rights for individuals whose personal information has been collected, such as the right to be forgotten, which allows people to object to and request the deletion of information about themselves under certain circumstances.

In addition, the new regulation takes an expansive approach when it comes to fines for non-compliance, which can reach as high as the greater of four per cent of an organization’s global turnover or 20 million euros.

Bauer says the broad applicability and steep fines associated with the GDPR could force more stringent data protection standards around the world.

“They are a very strict set of regulations that are going to spill into the way we view our data and provide consent for its use,” she says.
