X (formerly Twitter) is moving forward with new infrastructure changes as it continues its transformation into becoming a “one-stop-shop” social platform for users.
The updated policy, which goes into effect on September 29, states that with a user’s consent, X may:
- Collect and use their biometric information – facial recognition, fingerprints, iris scans, etc. – for “safety, security, and identification purposes.” However, it doesn’t expand upon how it plans to collect that data or what it will do with that information.
- Collect and use your personal information, specifically, “employment history, educational history, employment preferences, skills and abilities, job search activity and engagement… to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising.”
This comes at an interesting time for X (and the industry) as justified concerns surrounding the collection of biometric data continue to rattle regulators and lawmakers.
In July, X Corp. was named in a class-action lawsuit alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”).
Under BIPA, an individual or entity like X cannot gain access to and/or maintain possession over an individual’s biometrics unless they:
- Inform that person in writing that biometric identifiers or information will be collected or stored;
- Inform that person in writing of the specific purpose and length of term for which such biometric identifiers or information are being collected, stored, and used; and
- Receive a written release from the person for the collection of his or her biometric identifiers or information.
At no surprise, the Illinois Legislature has previously held (and codified) that “biometrics are unlike other unique identifiers that are used to access finances or other sensitive information,” and therefore, cannot be sold, leased, traded, or otherwise profited from.
During that same month, OpenAI’s Sam Altman debuted his latest ambitious attempt at capitalizing off of artificial intelligence (AI) with Worldcoin, a blockchain-based global verification system that proves our “humanness” through an eyeball-scanning “orb.”
The Andreessen Horowitz-backed startup, having already raised close to $250 million, has already experienced an initial wave of success and signups, most recently in Argentina after signing a single-day record of 9,500 Argentinians. Despite this, the premature technology that requires users to give up their biometrics in exchange for a digital currency that doesn’t really exist yet has privacy enthusiasts and regulators rightfully concerned that it presents a threat to the economy and national security.
Is my biometric data safe?
Last month, Kenya, one of the participating countries, suspended its endorsement of Worldcoin as the government conducted a comprehensive investigation into its data collection practices.
Given that biometrics are unique to each individual and cannot be “given back” once it’s been shared with a third party, the individual, unfortunately, has no legal recourse in ever being “compensated” or put back into the position they would have been in prior to handing over that information. In other words, identity theft and fraud are extremely likely to occur with the only action being that the individual withdraws their consent from that particular service or transaction.
A recent article from The Verge made reference to iOS developer Steve Moser and his recent blog post about Twitter and LinkedIn working on supporting “Passkey” – a new passwordless authentication standard that was developed by the nonprofit FIDO Alliance and the World Wide Web Consortium.
First introduced by Apple, “passkeys” are able to utilize your biometrics (facial recognition, fingerprints, or custom PIN) to log into your account(s), eliminating the need for a user to remember their password or even typing it in. Through public-key cryptography, Passkey creates a secure link between the user’s device and a third-party website or mobile app.
The FIDO Alliance, however, claims passkey technology to be more secure than traditional password encryption. Specifically, it believes that this biometric data “continues to stay on the device and is never sent to any remote server.”
That sounds nice, but how can consumers be sure? Exactly the problem.
As X ventures into new realms of data collection, it faces the dual challenge of maintaining user trust while aligning with evolving privacy regulations – especially given the highly controversial changes its CEO Elon Musk has continued to implement (impression-based payouts and allowing political ads from candidates ahead of the 2024 U.S. election) that has positioned the former Twitter platform as a pure “pay-to-play” ecosystem that is fueled by Musk’s personal biases.