TikTok reportedly tracked MAC addresses of Android phones for 15 months: Report

HIGHLIGHTS

TikTok found to track user data on Android for 15 months

TikTok Android app collected phones' MAC addresses

TikTok ended the practice last year

TikTok for Android phones has been found to have tracked users' MAC (Media Access Control) addresses for over 15 months before ending the practice on November 18 last year. The Wall Street Journal's investigative report sheds some light on how this was possible, as it violates several Play Store policies put in place by Google going back to 2015, when Google restricted third-party apps from collecting a phone's MAC address for pushing advertisements.

However, a familiar loophole allowed many apps to access and record MAC addresses until a formal bug report was submitted to Google last June by Joel Reardon, co-founder of AppCensus. He has indicated that this flaw is widely known and allows "long-term" tracking of users' behaviour and targeting of ads based on the advertising ID.

What user data did TikTok collect?

In its report, the WSJ highlights that the TikTok Android app collected MAC addresses and other device data along with a 32-digit advertising ID, which lets advertisers monitor users' behaviour online in order to serve them ad recommendations.

The app reportedly binds the phone's MAC address to the advertising ID and sends it to ByteDance under an extra layer of encryption. Several security experts have hinted that it's a total violation of Google's privacy policy, as it gives TikTok the ability to connect an old advertising ID to a new one in case the user resets it.

However, MAC addresses can't be modified, giving TikTok a way to use a technique called ID bridging and match advertising identifiers with MAC addresses. While ID bridging is mostly used by games, it doesn't require the collection of MAC addresses, which is something TikTok was doing. What's even more surprising is that the app sends all this data to ByteDance under an extra layer of security so that it cannot be discovered by Google.

In a statement to the WSJ, TikTok said that the "current version" of the app does not collect MAC addresses. "TikTok is committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges," it added.

This privacy violation by TikTok comes at a time when the company is facing immense pressure from the US government and an impending ban if it isn't able to sell its US operations to a company based in the United States by September 20. Microsoft has been rumoured to be the frontrunner in acquiring TikTok in the US, Canada, Australia and New Zealand and, according to a recent report, Bill Gates, co-founder of Microsoft, is wary of the deal, calling TikTok a "poison chalice".

In India, TikTok is already facing a blanket ban that was implemented on June 29 along with 58 other apps that were found to be engaged in "activities which is prejudicial to sovereignty and integrity of India, defence of India, the security of the state and public order." Following the order, TikTok was de-listed from the Play Store and Apple App Store. As per the latest report, TikTok in India is looking to hold off around 2,000 of its employees in India as discussions on its sale are underway.

 
Digit NewsDesk
