The company's executives at the time made an effort to placate privacy concerns with talk of strict on-device storage and end-to-end encryption, but did not mention third-party developer access.
Apple is allowing app developers to access face data stored on iPhone X handsets, once individual users grant permission, so that they can build apps that use those users' facial features. The iPhone maker has always maintained that new features don't have to come "at the expense of your privacy and security". Privacy experts are concerned about the inability to control what developers do with the information once it leaves the smartphone, as well as whether the company's disclosure policies correctly alert users about how the data is being used.
The Face ID data is transferred to Apple's Secure Enclave, according to the feature's security paper. A number of privacy groups, including the American Civil Liberties Union and the Center for Democracy and Technology, are now anxious that Apple may not be able to control how developers will use their access to sensitive biometric data once they transfer such data to their own servers. Developers won't be able to unlock a person's iPhone X with the information. That requires a mathematical representation of the user's face and not merely a visual map. Yet developers do still have access to a "rough" map of a user's face, as Reuters puts it, along with as many as 50 facial expressions that could tell a developer exactly how you raise your eyebrows or move your mouth, to name a few telling instances.
The data that developers have access to is not the same as that used by Face ID, and it cannot be used to unlock devices. The data can be removed from the phone and stored on the developer's own servers.
The contracts seen by Reuters make it clear that app developers must "obtain clear and conspicuous consent" from users before they do anything with facial data, and that data can only be collected and used for legitimate reasons relating to the functioning of an app. Developers are banned from de-anonymizing user data, and from using it for advertising or marketing purposes. Naturally, iOS will also continue to ask users to grant permission for an app to access any of the cameras on the iPhone X, although it's not yet clear whether a separate core iOS authorization will be required to access the TrueDepth camera's advanced facial recognition capabilities.
"It means household names probably won't exploit this, but there's still a lot of room for bottom feeders."
"When using Face ID, the app is notified only as to whether the authentication was successful; it can't access Face ID or the data associated with the enrolled face", the document says.