X's Biometric Data Collection Policy: Analysis and Criticisms

Overview of the New Policy

  • Effective Date: September 29, 2023.

  • Purpose: X Corp. (Elon Musk's company, formerly Twitter) has updated its privacy policy to seek user consent for collecting biometric data.

  • Stated Reasons: The collection is for "safety, security and identification purposes" to combat impersonation attempts and enhance platform security.

  • Target Users: Initially, the biometric policies are intended for premium users.

  • Context: This change comes amid significant scrutiny over X's inadequate account authentication process and widespread fraud on the platform.

What is Biometric Data?

  • Definition: Biometric data includes highly sensitive and permanent personal information such as face scans and eye scans.

  • Permanence & Risk: Unlike temporary credentials like passwords or Social Security Numbers, biometric data is permanent. Its misuse can lead to life-long consequences for an individual due to the inability to change or revoke it.

Author's Arguments and Claims Regarding X's Biometric Policy

  • The author (through the cited experts and analysis) argues that X's new biometric data collection policy poses significant risks and is deeply problematic due to:

    • Vagueness and Lack of Transparency: The policy is unclear on what specific data is collected and lacks details on retention, deletion, and storage methods.

    • Inherent Risks of Biometric Data: Its permanent nature means misuse can have irreversible, lifelong consequences.

    • Potential for Misuse by Authoritarian Regimes: Concerns that X may be more compliant with requests from such regimes, leading to the handover of sensitive user data.

    • Discriminatory Impact: Biometric technologies have a documented history of higher false positives for people of color, raising concerns about fairness.

    • Setting a Dangerous Precedent: X's actions could lead other companies to adopt similar practices without adequate global privacy protections, creating a "wild West" scenario.

    • Legal Vulnerabilities: X's practices may violate state-level laws (e.g., Illinois BIPA), as indicated by a proposed class-action lawsuit.

Reasons Behind the Claims

  • User Privacy and Free Expression: Many users are unaware of the privacy and free expression implications of such data collection.

  • Inability to Assess Risk: The lack of transparent information prevents users from making informed decisions about their risk level.

  • Irreversible Consequences: Unlike other data, biometric information cannot be changed if compromised, leading to permanent vulnerability.

  • Historical Precedent: Past lawsuits against major tech companies (Google, Meta, and Tesla) demonstrate the significant legal and financial risks associated with inadequate biometric data handling.

  • Gaps in Federal Protection: The absence of federal laws specifically for biometric data in the U.S. exacerbates the risks, making state laws the only current safeguard.

Broader Implications and User Reactions

  • "Domino Effect": Nora Benavidez expresses concern that X's move into biometrics could set a precedent, inspiring other companies to adopt similar practices. This could lead to a "wild West" scenario, especially given the existing gaps in global (and particularly U.S.) privacy policy protections.

  • User Exodus: Some users have indicated they would leave the platform if biometric data collection becomes mandatory for all accounts, highlighting the high-risk perception of biometric data among the public.

  • Need for Thoughtfulness: Experts emphasize the critical need for companies to be thoughtful when handling biometrics, acknowledging its inherent high risk and public wariness due to past mishandling of such data by other companies.

Other Data Collection by X

  • Job Recommendation Services: The updated privacy policy also states that X "may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on)" for job recommendation services and advertising.

Key Individuals and Organizations Cited

  • Nora Benavidez: Senior Counsel and Director of Digital Justice and Civil Rights at Free Press.

  • Tatiana Rice: Senior Counsel at the Future of Privacy Forum.

  • CyberScoop: The news outlet publishing the article, which contacted X for comments on retention/deletion policies but received no response.

  • Bloomberg: The news outlet that first reported on X's updated biometric policy.

Alternative Arguments/Possible Justifications for Biometric Data Collection

  • Enhanced Security and Safety: Biometric data collection could significantly improve platform security by making it harder for unauthorized users to access accounts and by combating impersonation attempts and fraud more effectively than traditional methods.

  • Combating Spam and Bots: Implementing biometric verification for certain actions or accounts could drastically reduce the number of bot accounts and spam on the platform, leading to a cleaner and more trustworthy user experience.

  • Proof of Humanity: Biometrics can serve as a robust method to verify that users are real human beings, which is crucial for maintaining the integrity of online interactions, especially for features requiring high trust or for premium subscriptions.

  • Streamlined User Experience: For users who opt-in, biometric authentication (e.g., face or fingerprint recognition) can offer a more convenient and faster login experience compared to typing usernames and passwords.

  • Potential for Age Verification: In some policy contexts, biometric data might offer a reliable way to verify user age, which could be necessary for compliance with age-restricted content or services.