TikTok Used Tactics Banned by Google to Permanently Track Android Users


Photo Credit: Olivier Bergeron

TikTok used a nefarious method to track Android users that violated Google’s Play Store policies.

A new report in the Wall Street Journal details how the Chinese-owned app hid its tracking behavior. TikTok collected unique MAC addresses of devices for advertising purposes. The app skirted a privacy safeguard Google employs in Android to keep that information safe.

The damning discovery comes as ByteDance is facing renewed pressure from the US government to sell its TikTok operations. These findings reinforce what we already knew – TikTok uses shady practices to track its users. Just recently, an update to the iOS 14 beta revealed that TikTok was accessing users’ clipboards every few keystrokes. The behavior could be viewed as a form of keylogging, though TikTok says it was an anti-spam measure.

The US worries that the Chinese government could access the collected data. That’s because a 2017 law in China requires all Chinese companies to comply with CCP government requests involving national security. Accordingly, President Trump recently signed two executive orders to ban US companies from doing business with ByteDance and WeChat. It’s an effective ban on TikTok operating in the US without explicitly banning the app itself.

Google says it is investigating the WSJ report and the claim that TikTok used encryption to circumvent its monitors. MAC addresses are unique device identifiers that, unlike cookies, cannot be reset or deleted. Retaining MAC addresses known to belong to a specific person allows advertisers to build profiles based on web searches and more.

The Federal Trade Commission considers MAC addresses to be personally identifiable information, protected under the Children’s Online Privacy Protection Act (COPPA). TikTok already paid a record fine to the FTC for violating COPPA regulations once. If these MAC address allegations turn out to be true, that’s another COPPA violation.

TikTok bypassed Android’s restrictions on gathering MAC addresses through a security hole to track users.

TikTok collected the MAC addresses of its Android users for at least 15 months. A TikTok spokesperson says, “the current version of TikTok does not collect MAC addresses.” That’s not what the Wall Street Journal found, however.

“TikTok bundled the MAC address with other device data and sent it to ByteDance when it was first installed and opened on a new device. That bundle also included the device’s advertising ID, which is supposed to give consumers anonymity while advertisers use the information,” the WSJ report reads.

Storing MAC addresses allows ByteDance to perform ID bridging when a user changes devices. That’s why, when you uninstall and delete TikTok and then reinstall it, you’ll see the same recommendations. TikTok knows who you are based on a unique device identifier. It collected that information upon each new install to build a device profile of TikTok users.