How did Google get Pixel 4 face unlock this wrong?

Like many tech writers, I've been struggling to wrap my head around the brand-new Pixel 4's face unlock security #fail.

Before the phone was even released, BBC technology reporter Chris Fox discovered that his review unit had a deeply disturbing security flaw: The phone's only biometric security option, facial recognition, worked just fine if the subject's eyes were closed.

If you're a privacy and security nerd or pay attention to headlines about hack attacks at all, the "eyes closed" issue with Pixel 4 tears at the already frayed edges of your sanity. Imagining everything that could go wrong with your security and log-in tool should be everyone's job on every team, everywhere, especially at large tech companies with plenty of resources.

"By comparison," wrote Fox, "Apple's Face ID system checks the user is 'alert' and looking at the phone before unlocking." BBC noted that its review phone had an option in "settings" to require eye to be open, but this security setting was only on review phones. Prior to going public with the news, BBC confirmed with Google that it had indeed removed the "eyes open" feature for consumers. Basically they were getting facial unlock on their Pixel 4 phones that didn't care if the subject's eyes were open or closed.

Oh, and you read correctly the part about "face unlock" being the only biometric option for the phone. While fingerprint scanning is available on previous Pixels, Google removed the reader from Pixel 4 in favor of the company's secret sauce "Face ID" clone.

Is everyone at Google OK?

Obviously, there is a team, somewhere, that tested this or played with it and had a meeting where they said, "Yep this is totally safe." Pixel product manager Sherry Lin even called the Pixel 4's facial recognition "super secure" in a statement to press just before the phone's release.

It's worth pointing out that this is a flaw that has happened on other phones. In March 2018 it was discovered by users that Samsung's Galaxy S9 and S9 Plus phones were unlocking with their combo of iris scan and facial recognition, even when the user's eyes were closed. When one hacker found it could be tricked with a photo, a polite version of the reactions to this security disaster appeared in the CNET's headline "Galaxy S9 Intelligent Scan favors unlocking ease over security."

If you think I'm being too harsh, let me ask just one question: How? How does this kind of a very elementary mistake get past a lot of people paid to be smart about this exact kind of problem?

It's easy to jump to the conclusion that the people most affected by Pixel 4's totally-not-secure facial recognition don't work at Google.

People like parents whose children or teens might unlock an adult's phone to buy stuff, change content settings, send a mean message to Uncle Bob or unlock in-game purchases. Or anyone who has been roofied or had their privacy invaded by a lover, a vengeful ex or a stalker. And certainly not anyone who would be targeted by police for their skin color, by ICE for their papers, or by a group of assailants for gender, orientation, skin color, or their profession (like sex workers).

Surely someone in these categories works on the Android, Pixel or software security teams at Google. Perhaps they just didn't speak up — or they did and were sidelined, gaslit or ignored. You'd think that at the very least someone in PR would have dragged a Pixel team member over to a shiny PR workstation, pointed at the desk's forehead-shaped dent and said, "No more."

When Engadget reached out to Google for comment, we asked them how something like this could've slipped past its security teams.

Instead, Google sent us the following copy-pasted statement:

Stalk to unlock

The thing is, I love my Pixel 3, and I love being a Google Fi customer — but I also love security! More than any romantic partner, past or future, I am head over heels in love with not having my phone compromised or my accounts hijacked. My feelings for my 1Password account are so hot and heavy I swear I've seen the app blush. I adore the locks on my front door, and I'd send long-stemmed roses to my VPN if it were possible. I love love love not having my payments intercepted and my phone not getting loaded with stalkerware because a roommate went full creep.

Which is why Google's language ("if any Pixel 4 users are concerned") really sticks in my craw. There is no "if" here — every single Pixel 4 user should be house-on-fire alerted to this issue, and they should be really, hard-core concerned. It's incredibly disappointing for a whole lot of people that the Pixel 4 shipped like this. It sucks. But that doesn't mean Google should now start minimizing user security by pretending that being affected by a basically broken face unlock tool is some kind of personal choice. Though there is a perverse upside, from a security nerd perspective.

Facial recognition unlock is a topic of great and historic debate among infosec and digital rights dweebs (like me).

There are a lot of privacy questions around what happens with stored biometric data and hardly any answers that make anyone feel very good about it. Facial recognition for security has been rolled out and released to the public by a lot of companies, selling the general public on the features (convenience) and promises (security) while often failing at implementation, hoodwinking consumers into trading convenience for shoddy security and telling us to look at the shiny thing while snatching some very personal data. These companies have also pointedly not told anyone about the downsides and risks of using facial recognition, or biometrics for security, in general.

The thing is, a pin/password is still the best way to lock your phone — it's just not the most convenient. Any authority, attacker or abuser can hold your finger down or put your phone in your face. And they have. New York and Ohio cops have relied on corpses for unlocking suspects' phones. But not so with a regular password or passcode: These are protected by the Fifth Amendment's safeguards for self-incrimination. Meaning, passwords are considered testimony and body parts aren't.

In January 2019, there was a lot of celebrating online that facial recognition and fingerprints might now be as protected as a password, too. A California U.S. District Court judge ruled in one case that American cops can't force people to unlock a mobile phone with their face or finger.

Yet overlooked by most of the reporting, and specifically mentioned in the original article, was a strong warning to readers that this wasn't the final word. "The magistrate judge decision could, of course, be overturned by a district court judge," wrote Forbes. "Stick to a strong alphanumeric passcode that you won't be compelled to disclose."

Which is basically what Google is inadvertently, reluctantly, passive-aggressively doing at the end of the day with its Pixel 4 facial recognition debacle.

Ultimately what happens with Pixel 4's facial unlock security snafu remains to be seen. Let's hope no one is, you know, stalked or murdered or loses all their money or accounts as a result of phone intrusion.

I'm especially curious that Google is so hopped-up and adamant about its facial unlock's prowess against masks. It's a talking point being repeated everywhere, to everyone, and probably to people who don't even ask about the Pixel 4. You see, there's another problem with Pixel 4's facial recognition.

After a marathon of tests, my colleague Cherlynn Low discovered that the Pixel 4 literally thinks someone wearing makeup is a different person, and it locked her out. She explained:

I'll bet it's the same for facial hair, so guys, maybe don't slip while shaving.

Images: Carl Smith via Getty Images (Women with eyes closed); BJI via Getty Images (Man pointing up)