Until late last year, the social video app TikTok used an extra layer of encryption to conceal a tactic for tracking Android users via their device's MAC address, a practice that violated Google's policies and did not allow users to opt out, The Wall Street Journal reports. Users were also not informed about this form of tracking, according to the report.
The analysis found that this hidden tracking ended in November, as US scrutiny of the company intensified, after at least 15 months during which TikTok had collected the fixed identifier without users' knowledge.
A MAC address is a unique and fixed identifier assigned to an Internet-connected device.
TikTok appears to have exploited a known bug on Android to collect users' MAC addresses, one that Google has not yet fixed, per the WSJ.
A spokeswoman for TikTok did not deny the substance of the report, nor did she engage with the specific questions we sent, including the purpose of this tracking without an opt-out. Instead, she sent the following statement, attributed to a spokesman, in which the company reiterates what has become a recurring claim, that it has never provided US user data to the Chinese government:
Led by our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial sector, we are committed to protecting the integrity and security of the TikTok community. We are constantly updating our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never provided any TikTok user data to the Chinese government, nor would we do so if asked.
“We always encourage our users to download the latest version of TikTok,” the statement added.
With all eyes on TikTok as the latest target of the Trump administration's war on Chinese technology companies, scrutiny of the social video app's handling of user data has inevitably emerged.
And while no popular social app platform has clean hands when it comes to user tracking and ad targeting, the fact that TikTok is owned by China's ByteDance means that its flavor of surveillance capitalism has received the unwanted attention of the US president, who has threatened to ban the app if it does not sell its US operations to a US company within a few weeks.
Trump's fixation on Chinese technology is generally centered on the claim that these technology companies pose a threat to national security in the West through access to Western networks and/or user data.
The US government can point to China's internet security law, which requires companies to give the Chinese Communist Party access to user data, hence TikTok's emphatic denial that it passes on data. But the existence of the law makes such claims difficult to sustain.
TikTok's problems with user data do not end there either. Yesterday it was revealed that France's data protection watchdog has been investigating TikTok since May after a user complaint.
The CNIL's concerns about how the app handled a user request to delete a video have since been broadened to include issues related to how openly it communicates with users, as well as user data transfers outside the EU, which have become even more legally complex in the region in recent weeks.
Compliance with EU rules on data access rights for users and the processing of minors' information are other areas of concern for the regulator.
Under EU law, all fixed identifiers (e.g. a MAC address) are treated as personal data, which means that they fall under the bloc's GDPR data protection framework. The GDPR sets strict conditions for how such data can be processed, including a requirement that companies have a legal basis for collecting it in the first place.
If TikTok hid its tracking of MAC addresses from users, it's hard to imagine what legal basis it could claim; consent would certainly not be possible. The penalties for violating the GDPR can be significant (France's CNIL hit Google with a $57 million fine last year under the same framework, for example).
The WSJ's report states that the FTC has said that MAC addresses are considered personally identifiable information under children's privacy protection law, which means that the app could also face a regulatory probe on that front to add to its pile of US problems.
Presented with the WSJ's findings, Senator Josh Hawley (R., Mo.) told the newspaper that Google should remove TikTok's app from its store. “If Google tells users that they will not be tracked without their consent and knowingly allows apps like TikTok to break their rules by collecting persistent identifiers, possibly in violation of our children’s privacy laws, they have some explanations to make,” he said.
We have contacted Google for comment.