TikTok collected data from mobile devices to track Android users: report

Video app TikTok, which has come under intense scrutiny from the U.S. government, sidestepped Google policy and collected user-specific data from Android phones that allowed the company to track users without allowing them to opt out, according to an analysis conducted by The Wall Street Journal.

The report released Tuesday comes on the heels of President Trump signing an executive order that targets Beijing-based ByteDance, the parent company of TikTok. The order essentially gives the Chinese tech company 45 days to divest from the app or see it banned in the U.S.

“The spread in the United States of mobile applications developed and owned by companies in the People’s Republic of China continues to threaten the national security, foreign policy, and economy of the United States,” the executive order states. “At this time, action must be taken to address the threat posed by one mobile application in particular, TikTok.”

The White House has grown increasingly wary of TikTok, with the administration claiming that TikTok is selling American user data to the Chinese government. TikTok has repeatedly said that it has not and would never do so.

The data that was taken from the Android phones is a 12-digit code called a “media access control” (MAC) address, according to the Journal. Each MAC address is unique and are standard in all internet-ready electronic devices. MAC addresses are useful for apps that are trying to drive targeted ads because they can’t be changed or reset, allowing tech companies to create consumer profiles based off of the content that users view. 

Under the Children’s Online Privacy Protection Act, MAC addresses are considered by the Federal Trade Commission to be personally identifiable information.

A 2018 study from AppCensus, a mobile-app firm that analyzes companies’ privacy practices, showed that roughly 1 percent of Android apps collect MAC addresses.

“It’s a way of enabling long-term tracking of users without any ability to opt-out,” Joel Reardon, co-founder of AppCensus, told the Journal. “I don’t see another reason to collect it.”

Back in 2013, Apple safeguarded its phones’ MAC addresses and Google did the same with Android phones in 2015. However, TikTok got around this by accessing a back door that allows apps to get a phone’s MAC address in a roundabout way, the Journal’s analysis reveals.

The Journal says that TikTok utilized MAC addresses for 15 months, ending with an update in November 2019.

“We are committed to protecting the privacy and safety of the TikTok community,” a TikTok spokesperson told The Hill in a statement, citing the “decades of experience” of company chief information security officer Roland Cloutier.

The spokesperson added: “We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any U.S. user data to the Chinese government nor would we do so if asked.”

Google told the Journal that it was “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges.”

Microsoft, which has said that it is actively working to purchase the wildly popular app, declined the Journal’s request for comment.