TikTok has recently been accused of bypassing Android security measures and tracking device owners online by collecting their MAC addresses. A majority of mobile apps today collect user data after a person agrees to specific terms and conditions. However, only a minuscule percentage of Android apps collect MAC addresses, a practice that violates Google's app store policy. TikTok was reportedly able to continue to gather these addresses for over a year, due to an extra layer of encryption which was concealed and not made known to people who downloaded the app.

This new violation comes to light during a tumultuous time for TikTok, as its Beijing-based parent company ByteDance Ltd. recently caught the ire of the White House over claims the popular app is a potential threat to national security. The Trump administration has continually voiced concern that TikTok's data collection could be used by the Chinese Government to track, monitor, and even blackmail government employees. Donald Trump had previously threatened to ban the app and recently went as far as to demand that a U.S.-based company purchase TikTok for it to be able to continue operating within the U.S. ByteDance has since been exploring selling TikTok to multiple companies, including Microsoft, and has continually, and firmly, denied sharing any data with the Chinese government.

The Wall Street Journal reports that while TikTok did in fact collect people's MAC addresses for over fifteen months, it ended this operation in November of 2019. TikTok bundled each MAC address, along with other data, when the app was first installed on a device during those fifteen months. That other data included the device's advertising ID - a unique code used to track consumer behavior somewhat anonymously. This is a much more common practice with mobile apps due to the fact that anyone can reset their advertising ID at any time and stop receiving ads specifically catered to them. That being said, if a company were to have additional unique data pertaining to a given device, the grounds for anonymity are blurred and a clear violation of data privacy rears its crooked head.

Why This Is Still A Big Deal

A MAC (Media Access Control) address is a code uniquely assigned to internet-ready devices and cannot be changed or reset. Due to this fact, the numbers are considered personally identifiable information and are protected under U.S. privacy acts. For instance, Apple secured its MAC addresses in 2013, preventing any third parties from accessing that information, and Android followed suit two years later. By collecting these unique MAC addresses from people who downloaded TikTok, in addition to the advertising ID, ByteDance essentially had the capability to continually advertise to, or even identify, a specific person even after they've reset their advertising ID. To elaborate, if someone used TikTok during that fifteen-month period, they could have easily deleted the app, reset their advertising ID, then re-downloaded TikTok from the same device (with the same MAC address) and still have their new advertising ID connected to their old one. This technique is known as 'ID Bridging' and is another tactic that is banned by the Google Play Store.
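To make the ID bridging described above concrete from a reviewer's side, here is an added example (not code from the article, TikTok, or Google) of an audit pass over already-decoded telemetry payloads. The payloads, the field names `k1`/`k2`, and all identifier values are constructed, and the advertising ID is assumed to be in its usual UUID form.

```python
import re
from collections import defaultdict

# Match identifiers by shape rather than by field name, because a payload
# may use opaque keys. MAC: six hex pairs separated by ':' or '-'.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample: decoded first-launch payloads (all values are made up).
PAYLOADS = [
    {"k1": "02:00:5E:10:00:01", "k2": "11111111-1111-4111-8111-111111111111"},
    # Same device after an advertising ID reset and reinstall; MAC re-encoded.
    {"k1": "02-00-5e-10-00-01", "k2": "22222222-2222-4222-8222-222222222222"},
    {"k2": "33333333-3333-4333-8333-333333333333"},  # advertising ID only
    {"k1": "02:00:5E:10:00:02", "k2": "44444444-4444-4444-8444-444444444444"},
]

def normalize_mac(value):
    """Canonical form so differently encoded copies of one MAC compare equal."""
    return value.replace("-", ":").lower()

def audit(payloads):
    """Return (paired, bridged).

    paired:  indexes of payloads that carry a MAC together with an advertising ID.
    bridged: MAC -> sorted advertising IDs, for MACs seen with more than one
             advertising ID, i.e. where a reset was linked back to the device.
    """
    paired = []
    ad_ids_by_mac = defaultdict(set)
    for index, payload in enumerate(payloads):
        values = [v for v in payload.values() if isinstance(v, str)]
        macs = {normalize_mac(v) for v in values if MAC_RE.match(v)}
        ad_ids = {v.lower() for v in values if UUID_RE.match(v)}
        if macs and ad_ids:
            paired.append(index)
            for mac in macs:
                ad_ids_by_mac[mac] |= ad_ids
    bridged = {m: sorted(a) for m, a in ad_ids_by_mac.items() if len(a) > 1}
    return paired, bridged

if __name__ == "__main__":
    paired, bridged = audit(PAYLOADS)
    print("payloads pairing a MAC with an advertising ID:", paired)
    for mac, ids in bridged.items():
        print(mac, "links advertising IDs:", ", ".join(ids))
```

A payload flagged in `paired` already pairs a resettable identifier with a persistent one; an entry in `bridged` shows the reset being undone for a specific device.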

Furthermore, this data collection was not originally spotted by Google because of an extra layer of encryption in place. It is important to note that this additional encryption does not add any security to the data being transferred from the user to ByteDance. It does, however, help hide exactly what sort of data collection practices are being used, helping bypass the security measures that app stores like Google Play have in place to protect customers. Such identifiers would surely be flagged by Apple or Google and, as a result, TikTok would not be available for download. While many U.S.-based social media companies use similar tactics on people and their devices, they still respect the sanctity of MAC address privacy. Although this information has only just come to light, and although the practice is understood to have been stopped, it is likely to further add to the claims by those suggesting ByteDance should sell TikTok to a U.S. company.

Source: WSJ