iPhone X
The iPhone X with Face ID. Reuters/Stephen Lam

As Apple fans worldwide make lines outside stores to purchase the new iPhone X, the device’s Face ID feature is being scrutinized by advocacy groups.

The American Civil Liberties Union and the Center for Democracy and Technology told Reuters their concerns on whether Apple can enforce privacy rules for the iPhone X’s facial recognition technology.

The Face ID feature works to unlock the device, confirm Apple Pay payments, use Animoji and much more. It will also work with third-party apps. Face ID runs through the iPhone X’s TrueDepth camera system, which maps the user’s face with 30,000 infrared dots.

The organizations are uneasy about how parts of the Face ID data can be accessed by third-party developers who use the information for app features. Privacy experts are concerned about the inability to control what developers do with the information when it leaves the smartphone, as well as whether the company’s disclosure policies correctly alerts users about how the data is being used.

The Face ID data is transferred to Apple’s Secure Enclave, according to the feature’s security paper. The information is only available to the Secure Enclave and never leaves the device, is not sent to Apple and is not included in device backups.

However, app developers could take some pieces of information off the iPhone X “as long as they seek customer permission and not sell the data to third parties," according to contract terms seen by Reuters. That information can allow developers to get a “rough map of the user’s face and a stream of more than 50 kinds of facial expressions.” Developers won’t be able to unlock a person’s iPhone X with the information. Apple’s Face ID security paper says the unlocking function is mostly based on mathematical representations of the user’s face.

However, the map and expressions can be taken off the device, stored on developer’s servers, and can help track how many times a user blinks, smiles or raises an eyebrow.

Privacy experts are worried app developers could use the facial expressions to analyze emotional responses to advertisements shown in apps. While Apple disallows developers from doing that, there is a concern that rogue developers could still try.

“Apple does have a pretty good historical track record of holding developers accountable who violate their agreements, but they have to catch them first - and sometimes that’s the hard part,” ACLU senior policy analyst Jay Stanley told Reuters. “It means household names probably won’t exploit this, but there’s still a lot of room for bottom feeders.”

Some app developers might fall into that act because they might not completely read Apple’s agreements. An app developer said “Apple’s non-negotiable developer agreement is long and complex and rarely read in detail,” while consumers might also not know what they’re agreeing to.

There have been other security concerns regarding the Face ID, like the use of the feature against the user. At the end of the day it’s up to users if they want to use the Face ID feature on the iPhone X, Michael Osakwe from consumer information site NextAdvisor.com told international Business Times. It’s also important to have a strong passcode, since the Face ID isn’t the only way to unlock the iPhone X.

“The choice to opt into Face ID is a personal one,” said Osakwe. “Consumers should be aware of iOS 11’s SOS feature which allows users to manually disable Face ID quickly if they feel that the feature will be used against them. Also, consumers should have a strong passcode on their phones in addition to their Face ID profiles.”

Apple is set to release the iPhone X on Friday 8 a.m. local time.