TikTok, the Chinese-owned video app that Donald Trump’s administration is incoherently threatening to ban from the U.S. (and which may be gearing up for a court fight in response), quietly collected persistent identifiers from Android devices for 15 months, according to a report in the Wall Street Journal.
According to the Journal, an analysis of numerous versions of TikTok found that the app used a technical loophole to collect MAC addresses from Android devices in the 15 months ending in November 2019, apparently in violation of Google policy. A MAC address is the hardware address of a network interface, such as a phone’s Wi-Fi radio; it is a persistent identifier that generally can’t be changed on a phone by any method short of rooting the device or buying a new one. Apple locked down app access to MAC addresses in 2013, according to the paper, and Google did the same in 2015.
The Journal analysis found that TikTok, owned by Beijing-based ByteDance, used a widely known, unpatched security hole to acquire MAC addresses on Android without disclosure or any ability for users to opt out. TikTok then bundled the MAC address with other data, such as the Android advertising ID, potentially violating Google policies that prohibit apps from connecting ad IDs to any persistent identifier (a practice known as ID bridging) without the “explicit consent of the user.” While users can reset their ad IDs through the device’s settings, ByteDance’s possession of the persistent MAC address might have made that a useless gesture: the reset ID could simply be re-linked to the old profile.
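As an added illustration, not code from the article or from the Journal’s analysis, here is a small Python check that an analyst reviewing captured app uploads could use to tell which collected MAC addresses are actually persistent hardware identifiers, and which of those are sent together with an advertising ID (the ID-bridging pattern described above). It relies on two platform facts the article does not state: since Android 6 the public Wi-Fi API returns the fixed placeholder 02:00:00:00:00:00 instead of the real address, and since Android 10 the MAC presented to Wi-Fi networks is randomized per network, which sets the locally administered bit, while the burned-in address stays fixed. The JSON upload records and the `mac`/`gaid` field names are constructed for the example; real client payloads will differ.

```python
import json
import re

# Android 6.0+ returns this fixed placeholder from WifiInfo.getMacAddress();
# seeing it in an upload means the app got nothing useful from the public API.
# (Platform fact assumed for this example, not something the article states.)
ANDROID_PLACEHOLDER_MAC = "02:00:00:00:00:00"


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex.

    Returns the six address bytes, or None if the text is not a MAC address.
    """
    hexdigits = re.sub(r"[:\-.]", "", str(text).strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        return None
    return bytes.fromhex(hexdigits)


def classify_mac(text):
    """Classify a MAC string by the two flag bits in its first byte (IEEE 802).

    bit 0 (I/G): 1 = group/multicast address, never a station's own address
    bit 1 (U/L): 1 = locally administered, i.e. assigned in software; this is
                 what Android 10+ per-network MAC randomization produces
                 0 = universally administered, i.e. the burned-in, OUI-based
                 address that survives app reinstalls and ad-ID resets
    """
    mac = parse_mac(text)
    if mac is None:
        return "invalid"
    canonical = ":".join(f"{b:02x}" for b in mac)
    if canonical == ANDROID_PLACEHOLDER_MAC:
        return "android-placeholder"
    if mac[0] & 0x01:
        return "multicast"
    if mac[0] & 0x02:
        return "locally-administered"
    return "universally-administered"


# Constructed sample of what an intercepted telemetry upload might carry, one
# JSON object per line. Field names and all values are made up for this
# example; the vendor bytes of the MACs are not meaningful.
SAMPLE_UPLOADS = [
    '{"device": "d1", "mac": "02:00:00:00:00:00", "gaid": "11111111-2222-3333-4444-555555555555"}',
    '{"device": "d2", "mac": "00:1a:2b:3c:4d:5e", "gaid": "66666666-7777-8888-9999-000000000000"}',
    '{"device": "d3", "mac": "da:a1:19:00:11:22", "gaid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}',
    '{"device": "d4", "mac": "00-1A-2B-3C-4D-5E"}',
    '{"device": "d5", "mac": "not-a-mac", "gaid": "ffffffff-0000-1111-2222-333333333333"}',
    'this line is not JSON at all',
]


def audit_uploads(lines):
    """For each JSON record, report the MAC class, whether it is a persistent
    hardware identifier, and whether that identifier travels alongside an
    advertising ID (the ID-bridging pattern). Lines that are not JSON objects
    are skipped."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        kind = classify_mac(rec.get("mac", ""))
        persistent = kind == "universally-administered"
        findings.append({
            "device": rec.get("device"),
            "mac_class": kind,
            "persistent_mac": persistent,
            "id_bridged": persistent and bool(rec.get("gaid")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_uploads(SAMPLE_UPLOADS):
        print(finding)
```

Only record d2 trips the bridging flag: it carries a universally administered (burned-in) MAC together with an ad ID, so resetting that ad ID would not break the link. The placeholder in d1 and the randomized address in d3 are not persistent, and d4 carries a persistent MAC but no ad ID to bridge it to.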
Possession of a user’s MAC address could also expose them to future tracking—which is obviously not a good look with respect to allegations from U.S. officials that ByteDance could use TikTok to spy on Americans on behalf of the Chinese government. There’s never been any publicly released hard evidence to suggest those concerns are anything but theoretical. The Trump administration’s brazenly transactional approach to TikTok, including demands that ByteDance sell the app to a U.S. company like Microsoft or Twitter and that the U.S. Treasury should get a cut of the deal, suggests that raising the specter of espionage could partially be a pretext to strong-arm ByteDance. While various app store policies may prohibit the practice, collecting MAC addresses is not exactly Mr. Robot-level hacking.
According to the Journal’s report, however, ByteDance also wrapped the bundled data in a custom layer of encryption before sending it back to its servers. Experts told the Journal those measures could have been designed to keep Apple or Google from noticing the policy violations, though extra encryption of that kind could also serve mundane security purposes.
ByteDance has insisted that no user data collected in the U.S. is ever sent to China, and the simplest explanation as to why it would want to collect MAC addresses is to plump up its lucrative ad business. The date ByteDance stopped collecting the data, though, is just a week after the U.S. reportedly launched a national security review of TikTok. That sure sounds like someone quickly realized this wouldn’t look good under scrutiny, regardless of whether practically everyone else is engaged in shady tracking practices. It’s also possible that collecting MAC addresses from younger users without disclosure or an opt-out function could get it into trouble with the Federal Trade Commission, which enforces the Children’s Online Privacy Protection Act.
Joel Reardon, AppCensus co-founder and a University of Calgary assistant professor, told the Journal he reported the loophole to Google in June 2019 and was told the company was already aware of it.
“It’s a way of enabling long-term tracking of users without any ability to opt-out,” Reardon told the paper. “...I was shocked that [the loophole] was still exploitable.”
“We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses,” a TikTok spokesperson told The Verge. “We always encourage our users to download the most current version of TikTok.”