TikTok users received financial compensation up to $168 Wednesday as part of a privacy data class action settlement.
ByteDance, TikTok’s parent company, agreed to pay $92 million to settle allegations it harvested personal data without users’ consent.
TikTok users received a notification from the app Monday about submitting a claim for compensation. Some expressed confusion on social media and questioned whether the notification was part of a larger scam before media outlets confirmed the authenticity of the payout.
The settlement results from an amalgamation of 21 lawsuits, many of which were filed on behalf of minors, NBC News stated in an article Wednesday.
Documents filed in U.S. District Court in Illinois allege TikTok uses a “complex system of artificial intelligence to recognize facial features in users’ videos” and that it analyzes faces to “determine the user’s age, race/ethnicity, and gender … to recommend content and profiles for the user to follow.”
The suit also claims TikTok mined users’ information from draft videos that were never posted.
“By utilizing this private and biometric information,” the suit continues, “TikTok maintains a competitive advantage over other social media apps and profits from its use of improperly obtained data, all while failing to comply with the minimum requirements for handling users’ biometric data established by” the state’s Biometric Information Privacy Act, which guarantees people the right to take action against companies that collect biometric data without consent.
TikTok’s Terms of Service allow the harvesting of biometric data, but in doing so the company violated Illinois’ Biometric Information Privacy Act, the plaintiffs argued.
Lawyers who filed the suit said Illinois residents will receive five shares of the $92 million settlement as opposed to one because of the state’s privacy laws.
TikTok’s Response
Chief Operating Officer Vanessa Pappas told Congress in September the social media company does not use “any sort of facial, voice or audio, or body recognition that would identify an individual.”
However, TikTok’s privacy policy, which was updated in June, explicitly allows for the long-term collection and storage of U.S. user data. This includes faceprints and voiceprints.
“We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content,” the policy states.
TikTok has officially denied all allegations but settled to prevent the case from going to trial.
“While we disagree with the assertions, rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community,” the company said in a statement following the February settlement agreement.
TikTok will also have to change and disclose its data collection practices as a condition of the settlement.
Sign on the Dotted Line
The lawsuit didn’t come as a shock for many analysts and was likely anticipated by TikTok higher-ups themselves.
TikTok is one of the most invasive apps on the market today. In 2021, it was also the most downloaded, with 656 million installations. TikTok has now worked its way onto the phones of over a billion users.
Most see it as a benign video-sharing application that transformed a “vine” format into a global technology with substantial staying power. Eager to create an account to access their favorite influencer’s latest recipe or exercise tips, many users do not read the terms of service. If they did, they would be taken down a nefarious rabbit hole of data harvesting and location tracking.
Like all social media in 2022, TikTok collects user-generated content, including comments, photographs, livestreams, audio recordings, videos, and virtual item videos users choose to create with or upload to the platform.
However, the company’s privacy policy reveals how the app takes its data collection several steps further than most others on the market.
According to the privacy policy, TikTok collects data regardless of whether the user chooses to save or upload that content.
If users choose to link or sign up using a third-party social network or login service (such as Facebook, Twitter, Instagram, or Google), it collects information from those services, including contact lists and information relating to use of the platform.
“We automatically collect certain information from you when you use the Platform, including internet or other network activity information such as your IP address, geolocation-related data (as described below), unique device identifiers, browsing and search history (including content you have viewed in the Platform),” the privacy policy states.
It also ambiguously mentions that the app “may collect information about you from other publicly available sources.”
Taking biometric faceprints, geolocation tracking, and third-party data harvesting into account, the most dangerous tool at TikTok’s disposal could be the ability to “keylog.” Keylogging, also known as keystroke tracking, allows an app to recover any data entered into a phone.
This could mean that “anyone using their phone with the TikTok app on it could be exposing username and password data without even realizing it,” said Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct.
“When looking at a breakdown of keylogging, it’s extremely easy to find the user and the password. If this is all being offloaded to external servers (which there is no clear understanding who has access to them), who knows that level of access might be readily available within certain companies.”
ByteDance insists the company doesn’t ship American user data to foreign servers, but Chinese entities are far more beholden to their government than those in the West. This means the Chinese government could (and most likely will) collect data from users. Additionally, hackers would have a treasure trove of data to exploit should TikTok’s servers become compromised.
Legislators are also particularly wary of TikTok and its invasive policies because the largest demographic of users is children and adolescents — a vulnerable market that may not understand the extent of privacy violations being carried out.
A Recurring Theme
Stateside, big tech and social media are wrestling with similar legal troubles.
In the last five years alone, the Federal Trade Commission has brought 76 cases against companies for violating their users’ privacy or security, including cases against Twitter, Facebook, Zoom, Google, YouTube, Uber and PayPal, according to The Hill.
Most recently, the state of Texas brought a new lawsuit against Google, alleging it violated the state’s biometric privacy law by “indiscriminately” collecting voiceprints and facial recognition data from users and non-users of the company’s products without their consent.
Texas Attorney General Ken Paxton claims the company’s broad application of facial recognition technology in Google Photos and its use of voice recognition technology in its line of smart speakers and other home products is a violation of the state’s Capture or Use of Biometric Identifier Act.
According to the complaint, Google scanned photos, identified subjects without user consent, and listened to conversations without users having opted into Google’s indiscriminate voice printing.
The complaint describes Google’s Nest Hub Max, a smart home display with a built-in camera, as “a modern Eye of Sauron—constantly watching and waiting to identify a face it knows.”
Amazon Inc. drew the ire of Congress earlier this year when it provided Ring doorbell footage to law enforcement 11 times over a 6-month period without the user’s permission. A letter from Amazon to Congress disclosing the fact was made public in June by U.S. Sen. Edward Markey. The Massachusetts Democrat sent a separate letter to Amazon in June questioning Ring’s surveillance practices and engagement with law enforcement.
The list of litigation and public outrage goes on and on. Unfortunately for users, progress will be slow concerning online privacy rights when $97 million settlements feel like little more than a slap on the wrist to leviathans like TikTok.
Is the information and personal data economy worth more than the cost of a few thousand $100 checks?