Is Your Face ID Being Held Without Your Consent…or Your Knowledge?
Face ID is just one form of biometric identification that is used in a variety of ways. Sometimes it’s for convenience and sometimes for security. Scanning your face, fingerprint and other unique attributes is a great way to guarantee it’s really YOU logging into your devices, and not a threat actor breaking through your password. Face ID is also an efficient way to tag your friends on social media and for law enforcement to catch criminals!
Since coming onto the scene, face ID has been revolutionary — yet this poses dangers, too. Consider, for example, what would happen if a threat actor compiled enough photos, videos and audio of you to effectively generate an AI in your likeness. Deepfaking is a serious threat to organizations and individuals alike.
What if it’s not a cybercriminal, though? What if legitimate security software scans, and keeps, your face ID?
The Case Against Eufy Security Camera
That’s not a hypothetical question. Anker Technologies, creators of Eufy security camera, is currently embedded in a lawsuit about whether or not they have been taking and storing identifying data without people’s permission.
What exactly is Eufy? The security system uses facial recognition technology to provide an extra layer of security for your home. This system can be used to unlock doors and gates, as well as to monitor activity in and around your home.
So what’s the problem?
A class action lawsuit accusing them of “corporate voyeurism” has arisen. Among the accusations include claims that the company has not been adequately securing their databases, despite advertising end-to-end encryption. Since Internet of Things devices are famously easier to exploit than, say, your work computer, you can understand why it’s so important to adequately protect communications over WiFi.
Another allegation suggests that their security cameras have been storing images of everyone they catch onscreen. This footage is supposed to be stored locally only, on the user’s home network, so as to protect everyone’s identity and the user’s data. Yet even if the user does not agree to back up to cloud storage, all of the audio and video footage captured by their devices has been uploading to the cloud anyway. Accusers in this lawsuit also suggest that this data was not only shared to the cloud, but also shared with other user accounts.
What This Means for Face ID
The less you post online, the less cybercriminals can use against you. Although we can’t control what our software companies do, we can reduce how many devices we have connected to WiFi. We can host IoT devices on an isolated network so their compromise doesn’t lead to a breach of all our systems. We can also go back and delete old photos and videos that we don’t want available online anymore. Although it’s true what they say, and the internet is forever, it’s still beneficial to make sure not just anyone can stumble across that media.
If you’re a Eufy user, what will happen next? Only time, and a court of law, will tell.
Conclusion
Data privacy is no joke. While this incident is reflective of how capable advanced technology has become (for good and bad), there is also a lesson here. Depending on what you do, where you work and your role in the organization, you may also handle people’s PII from time to time. Do you intake phone numbers or emails? Ask for full names? Maybe even handle store credit cards? You are legally responsible for properly and securely managing that information. To what extent, depends on your position.
Be careful what systems you connect to your home and private WiFi, too. You never know what breaking news will come knocking on your door next.
References