In its first-ever Congressional hearing, TikTok successfully dodged questions about what it plans to do with the biometric data its privacy policy permits it to collect on the app’s U.S. users. In an update to the company’s U.S. privacy policy in June, TikTok added a new section that noted the app “may collect biometric identifiers and biometric information” from its users’ content, including things like “faceprints and voiceprints.”
The company was questioned by multiple lawmakers on this matter today during a hearing conducted by the Senate Subcommittee on Consumer Protection, Product Safety, and Data Security. The hearing was meant to be focused on social media’s detrimental impacts on children and teens, but often expanded into broader areas of concern, as the lawmakers dug into the business models, internal research, and policies being made at Snap, TikTok and YouTube.
Sen. Marsha Blackburn (R-TN) asked specifically why TikTok needed to collect a wide variety of biometric data, “such as faceprints, voiceprints, geolocation information, browsing and search history,” as well as “keystroke patterns and rhythms.”
Instead of directly answering the question, TikTok’s VP and Head of Public Policy Michael Beckerman responded by pointing out that many outside researchers and experts have looked at its policy and found that TikTok actually collects less data than many of its social media peers. (He also later clarified in another round of questioning that keystroke patterns were collected in order to prevent spam bots from infiltrating the service.)
Blackburn pressed on to ask if TikTok was putting together a comprehensive profile — or “virtual dossier” — on each of its users, including younger kids and teens, which included their biometric data combined with their interests and search history.
Beckerman deferred answering this question as well, saying that: “TikTok is an entertainment platform where people watch and enjoy and create short-form videos. It’s about uplifting, entertaining content.”
While the senator’s line of questioning was a bit confusing at times — she once referred to this dossier as a “virtual you,” for example — it’s worth noting that we don’t have a full picture today as to what TikTok is doing with the data it collects from its users outside of what’s outlined in its privacy policy and, per TikTok’s 2020 blog post, how some of that data plays a role in its recommendation algorithms. And given the chance to set the record straight over its plans to collect biometric data with regard to minor users, TikTok’s policy head skirted the questions.
In a line of follow-ups on its data collection practices led by Senator Cynthia Lummis (R-WY), Beckerman was asked if this sort of “mass data collection” was necessary to deliver a high-quality experience to TikTok’s users. She noted the company’s policy allowed for the collection of the person’s location, device model of their phone, browsing history outside and inside TikTok, all the messages sent on TikTok, IP address, and biometric data.
In response, Beckerman said “some of those items that you listed off are things that we’re not currently collecting.”
He also said that the privacy policy states TikTok would get user consent if it were to begin collecting those items in the future.
Though not immediately clear, his statements were likely in reference to the clause about biometric data collection. In June, TikTok declined to detail the product developments that necessitated the addition of biometric data to its list of disclosures about the information it automatically collects from users. But at the time, the company told TechCrunch it would ask for user consent in the case such data collection practices began.
The senator said the committee would follow up with TikTok on this question.
Both senators were concerned about TikTok’s connection to China, given its parent company is Beijing-based ByteDance. But the issue of over-collection of user data — particularly with regard to children and minors — isn’t just a geopolitical concern or, as Trump believed, a national security threat. It’s a matter of transparency.
Privacy and security experts generally think that users should understand why a company needs the data it collects, what is done with it, and they should have the right to refuse to share that data. Today, users can somewhat limit data collection by disallowing access to their smartphone’s sensors and other features. Apple, for example, implements opt-outs as part of its mobile operating system, iOS, which pops up consent boxes when an app wants to access your location, your microphone, your camera, or your contacts.
But there is much more data that apps can track, even when these items are blocked.
Following the questions about data collection practices, Lummis also wanted to know if TikTok had been built with the goal of keeping users engaged for as long as possible. After all, having a treasure trove of user data could greatly boost this sort of metric.
In reply, Beckerman pointed to the app’s “take a break” reminders and parental controls for screen time management.
Lummis clarified that she wanted to know if “length of engagement” was a metric the company used in order to define success.
Again, Beckerman skirted the question, noting “there’s multiple definitions of success” and that “it’s not just based on how much time somebody’s spending [on the app],”
Lummis then restated the question a couple more times as Beckerman continued to dodge answering directly, saying only that “overall engagement is more important than the amount of time that’s being spent.”
“But is it one of the metrics?,” Lummis pushed.
“It’s a metric that I think many platforms check on how much time people are spending on the app,” Beckerman said.