TikTok’s new privacy policy lets it harvest biometric data, including ‘faceprints and voiceprints’

TikTok quietly changed its US privacy policy this week to notify users it may start collecting ‘faceprint and voiceprint’ and other biometric data.

The app did not specify what the data would be used for but said it would ask for permission first, ‘where required by law.’

The update comes just three months after TikTok paid more than $90 million to settle a class-action lawsuit claiming it secretly recorded millions of members’ facial features and other biomarkers.

TikTok reportedly has 100 million users in the US alone.

TikTok has updated its privacy policy to notify US users it may record the ‘faceprint and voiceprint’ and other unique biometric data. Pictured: Grimes in a recent TikTok video

On Wednesday, an update to TikTok’s privacy policy announced the popular app ‘may collect biometric identifiers and biometric information’ from users’ videos.

Some apps gather biometrics to target ads or improve accessibility features, TechCrunch reported, like describing an Instagram photo or adding automated captions.

TikTok recently paid $92 million to settle a lawsuit claiming it violated Illinois’ strict biometric-data laws requiring consent before tracking users’ data. It’s possible the privacy policy update is a direct result of the suit.

Biometric data can also help with face filters and augmented-reality effects.

The data could include ‘identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken,’ the company said. 

But it could also include personal biomarkers, like ‘faceprints and voiceprints,’ TikTok added, without clearly defining those terms.

Only a handful of states have biometric privacy laws, including Illinois, California, New York, Texas and Washington, suggesting users in other states may not be notified if their biometrics are being harvested.

While the policy says TikTok will notify users if it begins collecting biometric data, Insider points out the update is located in a section called ‘information we collect automatically,’ suggesting it may already be harvesting the info.

As password-protection becomes increasingly nebulous, many companies are turning to unique physical traits, like fingerprints, voiceprints and other markers, for security purposes. Even the shape of your face and nose can be used to identify you.

Users have reported getting multiple pop-up messages informing them of the privacy policy update, according to TechCrunch, but some complained the page was not available when they tried to read it.

The policy appears to have been updated only in the US; privacy regulations are much stricter in Europe and Asia.

In 2020, the White House attempted to ban TikTok from the US, claiming that its Chinese parent company, ByteDance, posed a national security threat.

A court injunction blocked the ban from taking effect, though the Trump administration appealed the ruling.

On Friday, President Biden signed an executive order barring Americans from investing in some 59 Chinese companies the administration believes have ties to the Chinese military and the country’s surveillance industry.

His administration has not, however, taken an official stance on TikTok.

In February, TikTok paid $92 million to settle a class-action lawsuit claiming it violated the Illinois Biometric Information Privacy Act, one of the strictest in the nation.

Illinois’ law requires companies to obtain explicit permission before collecting biometric data, but the plaintiffs alleged TikTok used algorithms to identify users’ gender, age and ethnicity, according to the BBC, and sent the info to China.

Denying any malfeasance, TikTok said it was settling to avoid a protracted court case. 

Then-President Trump tried to ban TikTok in the US last year, claiming the Beijing-owned company posed a national security threat.

‘While we disagree with the assertions, rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community,’ the company said in a statement. 

It’s possible Wednesday’s update was a direct result of the lawsuit. 

TikTok has not responded to a request for comment from DailyMail.com.

Social media platforms have gotten into hot water for collecting biometric data before: in 2015, Facebook users in Illinois accused the platform of violating the state’s Biometric Information Privacy Act in collecting biometric data.

Facebook allegedly accomplished this through its ‘Tag Suggestions’ feature, which allowed users to recognize their Facebook friends from previously uploaded photos.

Facebook paid out $650 million in that case but, five years later, was hit with another class-action suit claiming it used the same tool on Instagram to harvest the biometrics of over a million users without their knowledge or consent.

In a statement to DailyMail.com at the time, a Facebook spokesperson said that the claims were false, and that Instagram does not use the facial recognition services offered on Facebook.

According to Instagram’s data policy, ‘If we introduce face-recognition technology to your Instagram experience, we will let you know first, and you will have control over whether we use this technology for you.’

In 2019, security firm Suprema revealed that a vast data breach exposed the biometric information of millions of people, including their fingerprints and facial scans.

The private data was found on a free site and contained sensitive information on a system used by banks, police and government offices, as well as thousands of other companies.

‘This could be used in a wide range of criminal activities that would be disastrous for both the businesses and organizations affected, as well as their employees or clients,’ the web privacy site VPNMentor wrote in a post about the discovery.

‘It’s one thing having your password hacked – passwords can be changed and replaced,’ Etienne Greeff, CTO of cybersecurity services provider SecureData, told MailOnline at the time.

‘But what happens when your biometrics are hacked? You can’t change your voice; you can’t replace your eyes and you can’t reset your fingerprints. Those things are constant, permanent and contain genetic data that is unique to you.’

WHAT ARE BEHAVIOURAL BIOMETRICS?

Physical biometrics, such as fingerprints, facial recognition and retinal scans, are currently more commonly used for security purposes.

However, behavioural biometrics – which include things like how you walk – are able to capture unique things about a person’s behaviour and movement.

They also include things such as voice ID and signature analysis.

Researchers from the University of Manchester have developed an AI biometric verification system that measures an individual’s gait or walking pattern. 

This non-intrusive technique can successfully verify people with 99.3 per cent accuracy after they walk over a pressure pad on the floor – and they don’t even need to take their shoes off. 

Behavioural biometrics are already used for authentication in financial institutions and businesses.

After people provide their biometric data, AI picks out specific data points which it processes using an algorithm. 