TikTok is harvesting private biometric data without consent

A US Judge has ruled that TikTok is harvesting private and biometric data without consent. This means that it uses facial recognition and AI to build a database of highly personal information – all while you thought you were using a cute and fun video/dance app.

The matter came to a head through 21 separate class actions in California and Illinois last year. Illinois is the only U.S. state to enact the Biometric Information Privacy Act (BIPA) and, therefore, the only one that can pursue the illegal collection and use of biometric data.

The U.S. District Court for the Northern District of Illinois found: “…TikTok used a complex system of artificial intelligence (A.I.) to recognise facial features in user videos and recommend stickers and filters. Algorithms are also a means to identify a user’s age, gender, and ethnicity. Data uses a Chinese cloud and is shared with third-parties without consent.”

The Illinois Court mandated that TikTok pay a US$92 million settlement to the plaintiffs. Other States and countries will now follow suit. In an unexpected move, TikTok simply said, “While we disagree with the assertions, rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.” So, US$92 million is small change to this blatant data-harvester that monetises us!

Co-lead counsel Beth Fegan from law firm FeganScott said: “Biometric information is among the most sensitive of private information because it’s unique and it’s permanent. Users’ data follows them everywhere, and potentially for a lifetime. It’s critical that their privacy and identity is protected by stalwart governance to guard against underhanded attempts at theft.”

BIPA has the teeth needed to protect us

BIPA, or the Biometric Information Privacy Act, has a very simple but far-reaching definition of a biometric identifier (paraphrased). It is described as a “…retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. This results in biometric data that means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”

“Confidential and sensitive information” means personal information that can uniquely identify an individual or an individual’s account or property. Examples include genetic testing/marker, a unique identifier number, an account/PIN/pass-code/driver’s license or a social security number.

We would go on, but here is the kicker. No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first informs the subject in writing. That excludes agreement to complex privacy terms that people never read.

TikTok is harvesting private biometric data without consent. We have reported many times that TikTok is one of the most dangerous data-harvesting apps on the planet. Not because it’s owned by Beijing-headquartered ByteDance, which uses Chinese clouds and is subject to China’s sovereign law. No, it is because, from day one, we saw it as a significant threat to privacy. Gradually the fun façade fades. We find that it now knows who you are, where you live, approximate ages, gender and sexual orientation, race and perhaps creed. In fact, it analyses your vocal tracks too to find pertinent keywords (speech to text). Dangerous enough for a dance routine but deadly to business or personal secrets.

You did not give your permission to TikTok to violate your fun videos.

The US Government saw this too and demanded TikTok US be sold to a trusted US company. The sticking point was that TikTok would not reveal its AI to any purchaser. It has not met any sale deadlines, and the Chinese Government made a startling revelation: it would rather shut TikTok down in the US than let it be part of a forced sale. Instead, TikTok uses the Oracle cloud to store US data. That does not stop it exfiltrating data to any other cloud.

GadgetGuy’s take – strength to BIPA and Illinois

Last year Facebook agreed to pay US$550 million because it violated BIPA – the amount for its users in one state alone. The culprit was Facebook’s ‘tag suggestions’ service, a feature that recognises people in your photos to link them to their accounts.

The case dragged on for five years, and Facebook decided to pay rather than fight any more. But U.S. District Judge James Donato of California, overseeing the case, has decided that the amount is nowhere near enough. If it applied to the whole of the U.S., the maximum possible penalty could have reached $47 billion.

At the end of the day, TikTok is incredibly popular and millions of people enjoy using it every day. However, users need to have a clear understanding about what data is being collected by the platform, and where the risks are. Our privacy has never been more at risk, and global policy to protect us has not caught up. For more, read our commentary on how privacy is the single greatest issue facing humanity.