Last year, TikTok quietly updated its privacy policy to allow the app to collect biometric data on U.S. users, including “faceprints and voiceprints” — a concerning change that the company declined to detail at the time or during a subsequent Senate hearing held last October. Today, the tech company was again asked about its intentions regarding this data collection practice during a Senate hearing focused on social media’s impact on homeland security.
TikTok’s earlier privacy policy change had introduced a new section called “Image and Audio Information” under the section “Information we collect automatically.” Here, it detailed the types of images and audio that could be collected, including “biometric identifiers and biometric information as defined under U.S. laws, such as faceprints and voiceprints.”
The policy language was vague as it didn’t clarify whether it was referring to federal law, state laws or both, nor did it explain why, exactly, this information was being collected or how it might be shared.
To learn more, Senator Kyrsten Sinema (D-AZ) today asked TikTok’s representative for the hearing, its chief operating officer, Vanessa Pappas, if the biometric data of Americans had ever been accessed by or provided to any person located in China.
She also wanted to know if it was possible for this biometric data to be accessed by anyone in China.
Pappas didn’t directly answer the question with a simple yes or no but rather went on to clarify how TikTok defines biometric data.
Noting that everyone has their own definition of what “biometrics” means, Pappas claimed TikTok did not use “any sort of facial, voice or audio, or body recognition that would identify an individual.”
She further explained that such data collection was only used for video effects and stored locally on users’ devices, where it’s subsequently deleted.
” … the way that we use facial recognition, for example, would be is if we’re putting an effect on the creator’s video — so, you were uploading a video and you wanted to put sunglasses or dog ears on your video — that’s when we do facial recognition. All of that information is stored only in your device. And as soon as it’s applied — like that filter is applied and posted — that data is deleted,” Pappas said. “So we don’t have that data.”
In other words, the TikTok exec saying that ByteDance employees in China would have no way of collecting this data from TikTok’s U.S. users in the first place because of how this process works at a technical level. (TikTok, of course, has hundreds of filters and effects in its app, so analyzing how each one works independently would take technical expertise and time.)
Notably, this is the first time the company has responded to U.S. Senators’ inquiries about the app’s use of biometrics, as the question brought up during the October 2021 hearing was essentially dodged at the time. When Senator Marsha Blackburn (R-TN) followed up with TikTok for more information after that hearing, the question about facial recognition and voiceprints hadn’t been included on the list of questions TikTok returned to her office later that year in December.
The biometrics issue also didn’t come up in the letter TikTok sent to a group of U.S. senators in June 2022 to answer follow-up questions about Chinese ByteDance employees’ access to TikTok U.S. users’ data, after BuzzFeed News’ damning report on the matter. Instead, that letter was focused more on how TikTok had been working to move its U.S. users’ data to Oracle’s cloud to further limit access from staff in China.
The lack of understanding about TikTok’s use of biometrics aspect raised further concerns in April 2022, when the ACLU pointed out that a new TikTok trend involved having users film their eyes up close, then using a high-resolution filter to show the details, patterns and colors of their irises. At the time of its report, over 700,000 videos had been created using the filter within a month’s time, it said. (Today, TikTok’s app reports only 533,000+ videos.) In an email to TechCrunch, the ACLU had also suggested taking a look at Oracle’s biometric technology, given its plans to host TikTok user data.
In addition to questions about biometric data collection, TikTok was also asked in today’s hearing whether it was tracking users’ keystrokes.
This related to an independent privacy researcher’s finding, released in August, which claimed the TikTok iOS app had been injecting code that could allow it to essentially perform keylogging. Ireland’s Data Protection Commission also requested a meeting with TikTok after this research was released.
At the time, TikTok explained the report was misleading, as the app’s code was not doing anything malicious but was rather used for things like debugging, troubleshooting and performance monitoring. The company also said that it used keystroke information to detect unusual patterns to protect against fake logging, spam comments and other behavior that could threaten its platform.
At today’s hearing, Pappas again stressed that TikTok was never collecting the content of what was being typed, and that, to her knowledge, this had been “an anti-spam measure.”
Comment