TikTok has been collecting unique identifiers from millions of Android devices without their users’ knowledge using a tactic previously prohibited by Google because it violated people’s privacy, new research has found.
The app concealed the practice, which can track users online without their consent, with an added layer of encryption, according to analysis by and a report in the Wall Street Journal (WSJ). TikTok, owned by Beijing-based parent company ByteDance Ltd., appears to have stopped the practice in November, according to the report.
The identifiers collected by TikTok are called MAC addresses, which are unique to a device and used as its network address in a network segment. They are typically assigned by device manufacturers and aren’t usually changed or altered. For this reason, they are valuable to companies and third parties wanting to send targeted advertising to mobile device users, as they provide unique insight into customer behavior.
WSJ research found that TikTok collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year. The app bundled the MAC address with other device data and sent it to ByteDance upon the app’s first installation and opening on a new device, according to the report.
That data bundle also included the device’s advertising ID, which is a 32-digit number aimed at allowing advertisers to track consumer behavior while still allowing the user to maintain some anonymity and control over their information, the WSJ found.
Indeed, mobile apps collect various data on users for advertising purposes, which has always been a point of contention for privacy advocates. Companies have defended the practice as helping them provide a personalized experience for their users.
TikTok is an enormously popular video-sharing app, especially in the United States. Its popularity has surged even higher since the beginning of the coronavirus pandemic in March, when stay-at-home orders were first put in place and people began using social-media mobile apps even more than usual to stay in touch.
The WSJ’s finding is not the first time TikTok has been accused of dodging data-collection practices and come at a critical time in the investigation and scrutiny of these tactics.
President Trump recently threatened to ban the app in the United States out of fear that it’s surreptitiously collecting data on U.S. government employees and contractors to use in China’s cyber activities against the United States. His comments came at a time when companies such as Microsoft, among others, were seeking to purchase the app, which would make it subject to U.S. laws on privacy and data collection.
TikTok has said it doesn’t share data with the Chinese government and would not violate user privacy even if asked, according to the WSJ. However, many security experts have warned that due to the security flaws of the app and China’s stance on cybersecurity, it’s likely the Chinese government has access to whatever data the app does.
TikTok not only has been targeting Android devices with its alleged shady data-collection practices. The app previously came under fire for reading Apple iPhone users’ cut-and-paste data, something that was discovered in February and which TikTok’s owners promised the app would stop doing in March.
However, in late June, a new iPhone privacy feature in Apple iOS 14 that shows a banner alert to let people known if a mobile app is pasting from the clipboard seemed to reveal that the practice was still going on.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.