Date: 2020-08-12

Google realized that TikTok did use the private data of thousands of users despite privacy policies.

TikTok is already facing the threat of a US ban due to concerns about possible Chinese espionage, and its latest privacy incident won’t help.

The Wall Street Journal learned that the TikTok app was tracking the MAC addresses (the hardware identifiers for networked devices) of Android users for at least 15 months despite Google’s policies and systems prohibiting the practice.

It reportedly used a known “workaround” security hole to obtain the data, as well as an additional “unusual” layer of encryption that masks the approach.

The company did not notify TikTok users or give them a choice regarding data collection. When users first ran the app on a new device, TikTok included the MAC data with information that included the semi-anonymous advertising ID used to track user behavior.

You can reset the advertising ID on a phone, but you cannot change the MAC address.

TikTok stole data from millions of users

TikTok ended the tracking with an update on November 18, the WSJ said. The company did not directly address the claims when the newspaper reached out for comment, but said the “current version” of its app does not collect MAC addresses.

Google said it was investigating both the report’s findings and those of an anonymous Reddit post from April, but declined to comment on the loophole.

Joel Reardon of AppCensus said he submitted a bug report to Google about the hole in June 2019, but that the flaw was clearly exploitable after that point.

No similar tracking is mentioned for iOS users. Both Apple and Google officially banned apps from reading MAC addresses several years ago.

The behavior is not unique to TikTok, and AppCensus estimates that around 1.4% of Android apps take advantage of the loophole to send the MAC address. However, the encryption was strange and it was unclear what TikTok’s intentions were for the data. It also follows just a few weeks after iOS 14 revealed that TikTok was accessing iPhone clipboards more than necessary.

Both Google and TikTok may have more questions to answer.

The findings come at the worst possible time for TikTok.

President Trump and other American politicians are pushing for TikTok to be sold to an American company over concerns that its Chinese parent company, ByteDance, may ask it to collect sensitive data for surveillance.

TikTok has always denied collecting data for China and has endeavored to distance itself from ByteDance, but this could easily fuel suspicion even if the data is used only for advertising and other business purposes.

There are also calls to action. Senator Josh Hawley, a politician known for criticizing the behavior of Internet companies, told the WSJ that Google should remove TikTok from the Play Store due to both rule breaking and possible violations of children’s privacy laws.

This won’t necessarily lead to legal action beyond the possible ban, but it is clear that both Google and TikTok might have to answer more questions.



