At a US Senate hearing yesterday on the impact of social media on homeland security, TikTok Chief Operating Officer Vanessa Pappas bore the brunt of the questioning (watch the hearing here, and read Pappas’ written testimony here). Lawmakers repeatedly asked her if American users’ data could be accessed by the government of the People’s Republic of China. This line of questioning stems from a small change to TikTok’s privacy policy last year that gave it permission to collect biometric data including “faceprints and voiceprints,” as well as a report from BuzzFeed News earlier this year on how US data could be accessed in China

TikTok’s relationship with ByteDance, its Chinese parent company, has long been an issue for the US government. Former President Donald Trump attempted to force ByteDance to sell the popular social media app to an American company in 2020, though it never happened. According to The New York Times, President Biden has been negotiating with TikTok in private over “steps that could mitigate the government’s concerns.” Apparently though, his efforts aren’t sufficient for TikTok skeptics.

In an effort to allay concerns over how it handled data, in June this year, TikTok announced that all US traffic was now being routed through American computer company Oracle’s cloud infrastructure. Some user data is still backed up to TikTok-owned servers in Singapore and Virginia for now, but the company says that it plans to delete them in the future. 

That same day, however, BuzzFeed News released a report detailing how “engineers in China had access to US data between September 2021 and January 2022, at the very least.” In one recording seen by BuzzFeed News, a director called one Beijing-based engineer a “Master Admin” with “access to everything.” Whether traffic was being routed through the US or not, ByteDance employees in the PRC seemingly had access to it, at least for a time.

With TikTok’s overall data handling processes under scrutiny, its decision to collect biometric data from US users is understandably drawing ire from lawmakers. In June last year, it updated its privacy policy to include a new section called “Image and Audio Information” as part of “information we collect automatically.” It stated that TikTok may “collect information about the images and audio that are part of your User Content,” listing examples like identifying objects seen or the words spoken in a post. Crucially, it also stated that TikTok “may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content.”

[Related: A look inside TikTok’s seemingly all-knowing algorithm]

Other than that, the privacy policy is incredibly vague on what the biometric data is being collected for and how it could be used. (It’s worth noting that this section is absent from the privacy policy for EU users where data protection laws are much stronger.)

According to TechCrunch, Senator Kyrsten Sinema of Arizona asked Pappas, TikTok’s COO, if biometric data from US users had “ever been accessed by or provided to any person located in China,” and if doing so was possible. Pappas avoided giving a direct answer, instead, according to TechCrunch, she explained that Tiktok didn’t use “any sort of facial, voice or audio, or body recognition that would identify an individual.” 

Pappas apparently elaborated, explaining that what TikTok called “biometric” data was only used to apply filters—like the ones that add sunglasses or dog ears to your videos—and was deleted from the user’s device immediately afterwards. 

This would seem to suggest that engineers in China would be unable to access the data as it doesn’t exist, however Pappas did not state that directly. 

As well as facing questions about biometric data handling, Pappas was also asked about reports that TikTok’s in-app browser could log keystrokes. She responded by saying that TikTok had not collected the contents of what was typed, and that it had been used as “an anti-spam measure.”

Whether Pappas’ responses at yesterday’s hearing are enough to satisfy US lawmakers remains to be seen. The company, meanwhile, appears to be carrying on business as usual. Today, TikTok announced a new feature that it’s rolling out to users called “Now,” which allows them to capture moments with both the front and back camera (a hallmark of the up and coming app, BeReal).

According to Bloomberg, the national security review of TikTok is still ongoing, and despite the fact that it paints itself as a global company, it is still very much owned by ByteDance.