People post pictures and recordings of themselves every day online. It feels harmless, and for the most part, it is. But new technologies can add a dangerous layer to casual social media posting: the possible extraction, without our knowledge or consent, of our biometric identifiers.
Biometric identifiers are measurements of our personal, unchangeable biological characteristics that uniquely identify us — like fingerprints and faceprints. Biometric identifiers can also be captured from the patterns in our eyes or the sound of our voices. Unlike other forms of personal information, biometric identifiers can’t be changed, even once compromised. People can change their names and addresses to shield their whereabouts and identities from individuals who seek to harm them, but they can’t change their faces. And, since biometric identifiers can be collected surreptitiously and at a distance, they offer a surveillance capability unlike any other technology in the past, making it dangerously easy to identify and track us at protests, AA meetings, counseling sessions, political rallies, religious gatherings, and more.
This danger isn’t far off into the future. The technology exists now: A special scanner can already identify you by your iris from 40 feet away. Fingerprints have been extracted from photos of exposed fingers, taken both up close and from a distance. Because this can happen at a distance, or from recordings posted online, it’s possible without our knowledge or consent. For many of us, hitting the record button to create content online can now pose an unintentional privacy risk that could result in the loss of control over our most sensitive information.
Last month, TikTok users started a seemingly innocuous trend that highlights the irises in their eyes. Users show their eyes up close, then use a high-resolution filter to show the details, patterns, and colors of their irises. What started as a new filter in response to the popular TV series “Euphoria” has turned into a rapidly growing trend: More than 700,000 videos have been created in the span of around a month. However, as these videos proliferated, so did concerns about people inadvertently exposing their unique biometric identifiers to collection through automated scanning of these iris images. Such scanning is a form of biometric technology similar to face recognition and fingerprinting.
Despite TikTok users expressing concern, the company has not answered critical questions, including whether TikTok has partnered with companies selling iris recognition technology, whether they’re harvesting this sensitive data, where it’s being hosted, or what they might use this data for. The lack of transparency is a big part of the problem.
From using facial recognition to automatically recognize and search for people’s faces — even those people who are not on the app — to voice data technology to inform auto-captioning, many of TikTok’s key features rely on their ability to capture massive amounts of data, raising a host of data collection and privacy issues. This includes a recent class action lawsuit in Illinois that accused TikTok of collecting subscribers’ biometrics and other personally identifying data, tracking the data and, in some cases, sharing it with third parties without consent. The lawsuit alleged that the collection of biometric identifiers without consent violated the Illinois Biometric Information Privacy Act (BIPA), which protects Illinoisans’ right to privacy by establishing guardrails for how companies can collect and use people’s biometric identifiers.
TikTok’s parent company ByteDance, for its part, denied these accusations, although as part of a settlement they did agree to pay $92 million to individuals whose interests were represented by the class action, as well as to hire a third-party firm for three years to oversee data privacy training for employees, and to avoid collecting biometrics and location data from users without notifying them and without complying with BIPA and similar laws.
The language used in TikTok’s updated policy is vague, raising questions about how it might be applied or abused. For example, there’s a line in the policy saying: “Where required by law, we will seek any required permissions from you prior to any such collection.” Companies should commit to only collecting and using people’s sensitive biometric identifiers with express prior consent. Unfortunately, intense industry lobbying over the course of years means that very few states have laws requiring consent before companies can collect people’s biometric identifiers. Only Illinois, Texas, and Washington have enacted these kinds of biometric privacy laws. Nor is there a comprehensive federal policy on how companies should go about storing, selling, or sharing this incredibly important personal information. These sparse restrictions are a nightmare for our civil liberties. Companies like Clearview AI, for example, have offered up massive biometric databases to private companies, police, federal agencies, and wealthy individuals, allowing them to secretly track and target whomever they wished using this technology.
If businesses like TikTok have access to our biometric identifiers, there is little regulation defining what they can’t do with them, which is what could make trends like the Euphoria filter so concerning. TikTok is not the only social network operating in a largely unregulated environment where personal data drives corporate profits, and it’s also not the only company sitting on a ton of biometric data. That means that we all need to be vigilant about the growing number of apps and filters that take our most personal data in exchange for creating entertaining content. Companies like TikTok have an obligation to protect their more than 1 billion monthly users’ privacy.
As long as an app claims the right to collect and store biometric data, it is critical that users are given the resources they need to understand what they’re giving away, as well as the ability to protect that information. Particularly, companies should obtain active user consent through a transparent process before collecting biometric identifiers, and include provisions that allow users to deny consent to such data collection without any penalties. And on a bigger scale, more states must join places like Illinois in enacting legislation that ensures that companies only use our biometrics with our knowledge and consent.
The stakes are high, wide-ranging, and unpredictable: When apps have access to our most personal information, there are endless avenues for exploitation.