The policy, which takes effect Sept. 29, follows intense scrutiny over X’s lack of account authentication and rampant fraud across the platform.
An X spokesperson told Bloomberg, which first reported the news, that the biometric policies are for premium users and that a biometric matching process “will also help X fight impersonation attempts and make the platform more secure.”
However, the move to offer users the chance to provide government IDs for identity matching or verification using biometric data creates a number of risks in itself, critics say.
“This kind of data collection is becoming more common on platforms and most people aren’t aware of the way it affects their privacy and free expression rights,” says Nora Benavidez, senior counsel and director of digital justice and civil rights at the nonprofit Free Press. “In particular, one of my concerns is that Musk has a tendency to comply with requests for information from authoritarian regimes, even more than his predecessors. I can imagine a likely scenario where personal and permanent information about us that this platform is collecting is given to some regime that seeks it.”
Biometric data, which can include information like face scans and eye scans, is considered incredibly sensitive because, unlike a password or Social Security Number, it is permanent. That permanence means that misuse can have life-lasting effects on an individual.
“This policy currently is quite vague,” says Benavidez. “We don’t know what biometric data means. It could mean eye scans or other kinds of permanent personal tendencies.” She also noted concerns about the potential discriminatory impact of biometric matching technologies, which have historically had much higher false positives for people of color.
Despite a lack of federal protections for biometric data, its collection has resulted in a history of legal trouble for major tech companies. Both Google and Meta have also incurred significant damages in the state of Illinois over their biometric collection practices.
Last month, X was named in a proposed class action lawsuit claiming the company violated Illinois’ Biometric Information Privacy Act by not providing individuals with adequate notice that it was collecting biometric data. Tesla, where Musk is also CEO, was also hit with a biometric privacy lawsuit in Illinois last year.
X is hardly the latest company to embrace biometrics as a form of identity verification, especially as more states push for age verification to use internet services. Tatiana Rice, senior counsel at the Future of Privacy Forum, says that while biometric verification can be an effective and secure way of verifying identities, it needs to come with considerations for user privacy.
Currently, X doesn’t provide information like how long biometric data is retained or if it’s deleted. X did not respond to CyberScoop’s request for comment on its retention and deletion policies.
“In these policies, usually there’s more information that would allow users to better assess what level of risk they have,” Rice said. “Usually, you need to be able to delete that data, for example, because storing biometric data on a server is much more risky than storing it on a person’s device.”
Rice noted that states including Illinois and Texas specifically require companies to share information on how they store and secure biometric data.
While it appears that X will only collect biometric data from premium accounts, some users have said they will leave the platform if the collection becomes mandatory for all accounts.
“This showcases that you do need to be really thoughtful about people’s biometrics, specifically because it is inherently high risk and people are wary of that,” said Rice. “We’ve seen a lot of companies mishandle biometric data, so needing to be thoughtful as you continue to use biometric authentication methods is just really important.”
Updated Aug. 31, 2023: To include additional commentary.