- TikTok tracked the MAC addresses of Android phones despite Google’s privacy protections.
- The practice ended in November.
- The news comes just as the President is threatening a ban on the service for potential spying.
TikTok already faces the threat of a US ban due to concerns about potential Chinese spying, and its latest privacy incident won’t help matters.
The Wall Street Journal has learned that TikTok’s app was tracking the MAC addresses (the hardware identifiers for networked devices) of Android users for at least 15 months despite Google policies and systems forbidding the practice. It reportedly used a well-known “workaround” security hole to get the data as well as an “unusual” extra layer of encryption that masked the approach.
The company didn’t notify TikTok users or give them a choice regarding the data collection. When users first ran the app on a new device, TikTok bundled the MAC data with information including the semi-anonymous advertising ID used to track user behavior. You can reset the advertising ID on a phone, but you can’t change the MAC address.
TikTok ended the tracking with an update on November 18, the WSJ said. TikTok didn’t directly address the claims when the newspaper reached out for comment, but did say the “current version” of its app doesn’t gather MAC addresses.
Google said it was investigating both the report’s findings and those of an anonymous Reddit post from April, but it declined to comment on the loophole. AppCensus’ Joel Reardon said he filed a bug report with Google about the hole in June 2019, but the flaw was clearly exploitable past that point.
There’s no mention of similar tracking for iOS users. Both Apple and Google officially banned apps from reading MAC addresses several years ago.
The behavior isn’t unique to TikTok, with AppCensus estimating that about 1.4% of Android apps exploit the loophole to send the MAC address. The encryption was odd, however, and it wasn’t clear just what TikTok’s intentions were for the data. It also follows just weeks after iOS 14 revealed that TikTok was accessing iPhone clipboards more than necessary.
The findings come at the worst possible time for TikTok. President Trump and other American politicians are pushing for TikTok to sell itself to a US company over concerns its Chinese parent company ByteDance might ask it to collect sensitive data for surveillance. TikTok has always denied collecting data for China and made a point of distancing itself from ByteDance, but this could easily fuel suspicions even if the data is used only for advertising and other business purposes.
There are already calls for action, too. Senator Josh Hawley, a politician known for criticizing the behavior of internet companies, told the WSJ that Google should pull TikTok from the Play Store due to both breaking the rules and possible violations of child privacy laws. This won’t necessarily lead to legal action beyond the potential ban, but it’s evident that both Google and TikTok might have to answer more questions.