Until late last year social video app TikTok was using an extra layer of encryption to conceal a tactic for tracking Android users via the MAC address of their device which skirted Google’s policies and did not allow users to opt out, The Wall Street Journal reports. Users were also not informed of this form of tracking, per its report.
Its analysis found that this concealed tracking ended in November as US scrutiny of the company dialled up, after at least 15 months during which TikTok had been gathering the fixed identifier without users’ knowledge.
A MAC address is a unique and fixed identifier assigned to an Internet connected device — which means it can be repurposed for tracking the individual user for profiling and ad targeting purposes, including by being able to re-link a user who has cleared their advertising ID back to the same device and therefore to all the prior profiling they wanted to jettison.
TikTok appears to have exploited a known bug on Android to gather users’ MAC addresses which Google has still failed to plug, per the WSJ.
A spokeswoman for TikTok did not deny the substance of its report, nor engage with specific questions we sent — including regarding the purpose of this opt-out-less tracking. Instead she sent the below statement, attributed to a spokesperson, in which company reiterates what has become a go-to claim that it has never given US user data to the Chinese government:
Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked.
“We always encourage our users to download the most current version of TikTok,” the statement added.
With all eyes on TikTok, as the latest target of the Trump administration’s war on Chinese tech firms, scrutiny of the social video app’s handling of user data has inevitably dialled up.
And while no popular social app platform has its hands clean when it comes to user tracking and profiling for ad targeting, TikTok being owned by China’s ByteDance means its flavor of surveillance capitalism has earned it unwelcome attention from the US president — who has threatened to ban the app unless it sells its US business to a US company within a matter of weeks.
Trump’s fixation on China tech, generally, is centered on the claim that the tech firms pose threats to national security in the West via access to Western networks and/or user data.
The US government is able to point to China’s Internet security law which requires firms to provide the Chinese Communist Party with access to user data — hence TikTok’s emphatic denial of passing data. But the existence of the law makes such claims difficult to stick.
TikTok’s problems with user data don’t stop there, either. Yesterday it emerged that France’s data protection watchdog has been investigating TikTok since May, following a user complaint.
The CNIL’s concerns about how the app handled a user request to delete a video have since broadened to encompass issues related to how transparently it communicates with users, as well as to transfers of user data outside the EU — which, in recent weeks, have become even more legally complex in the region.
Compliance with EU rules on data access rights for users and the processing of minors’ information are other areas of stated concern for the regulator.
Under EU law any fixed identifier (e.g. a MAC address) is treated as personal data — meaning it falls under the bloc’s GDPR data protection framework, which places strict conditions on how such data can be processed, including requiring companies to have a legal basis to collect it in the first place.
If TikTok was concealing its tracking of MAC addresses from users it’s difficult to imagine what legal basis it could claim — consent would certainly not be possible. The penalties for violating GDPR can be substantial (France’s CNIL slapped Google with a $57M fine last year under the same framework, for example).
The WSJ’s report notes that the FTC has said MAC addresses are considered personally identifiable information under the Children’s Online Privacy Protection Act — implying the app could also face a regulatory probe on that front, to add to its pile of US problems.
Presented with the WSJ’s findings, Senator Josh Hawley (R., Mo.) told the newspaper that Google should remove TikTok’s app from its store. “If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do,” he said.
We’ve reached out to Google for comment.