TikTok’s new privacy policy alludes to the collection of biometric data. This is a clear case of collecting data you don’t need.
Last year, President Donald Trump threatened to ban TikTok in the United States, alleging that its Chinese backing created a national security problem. TikTok managed to stick around the U.S. by partnering with U.S. companies Oracle and Walmart. With two U.S. companies willing to invest in the service, Trump allowed the app to stay. Earlier this month, though, TikTok’s new privacy policy put the app back in the headlines.
The new policy states, “Among other clarifying changes, we have added more details about the information we collect and how it’s used, including clarifications related to, for example, collection of user content information, use of data for verification, ad related choices, data sharing with third party services, and data storage/processing practices.”
If you scroll a bit farther down, under the “Information We Collect Automatically” section is a subsection titled “Image and Audio Information.” It reads:
“We may collect information about the images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content. We may collect this information to enable special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations. We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection.”
If this doesn’t concern you, it should. The policy is vague, meaning that it will be difficult to challenge. It gives access to your biometric information, which means that if the information they collect is stolen in a breach, now someone has access to whatever TikTok pulled from you. The biometrics listed above does not constitute a conclusive list, and TikTok leaves it open to interpretation as to what that means. On top of this, why does TikTok need your biometric identifiers? What benefit do they hope to provide to users by collecting this information? Even if it is for filter or special effects (lawyer dog anyone!), why is the data being stored? And collected. It’s vague, so we don’t know if our biometrics are sitting on a TikTok server.
While this is something every user of TikTok should be aware of, it should also concern businesses. Many businesses, healthcare facilities in particular, use fingerprint scans to identify staff members. Other businesses use retina scans, palm prints and other biometric security features. So, if one of your employees is a TikTok user (which is likely given the app’s popularity), and that user has their information hacked, now your business is potentially exposed. It’s not as far off of a thought as you might think, criminals will think of even more ways they can use that data for nefarious purposes.
Privacy is a major concern for consumers today. People don’t want everyone to have all of their information and they don’t want to be tracked, which is why we’re seeing the end of third-party cookies. It’s why we’ve seen the enactment of the CCPA and GDPR. It’s the fuel behind the digital transformation movement.
If you are a business owner or business leader, it’s incredibly important to ensure your data stays secure to protect the privacy of your customers, employees, clients and business partners. In light of TikTok’s new privacy policy, if your business uses biometrics, it’s imperative that you verify IAM controls and credentialing, along with regular security reviews.