Published On: Wed, Aug 12th, 2020

TikTok found to have tracked Android users’ MAC addresses until late final year

Until late final year amicable video app TikTok was regulating an additional covering of encryption to disguise a tactic for tracking Android users around a MAC residence of their device that skirted Google’s policies and did not concede users to opt out, The Wall Street Journal reports. Users were also not sensitive of this form of tracking, per a report.

Its research found that this secluded tracking finished in Nov as US inspection of a association dialled up, after during slightest 15 months during that TikTok had been entertainment a bound identifier but users’ knowledge.

A MAC residence is a singular and bound identifier reserved to an Internet connected device — that means it can be repurposed for tracking a particular user for profiling and ad targeting purposes, including by being means to re-link a user who has privileged their promotion ID behind to a same device and therefore to all a before profiling they wanted to jettison.

TikTok appears to have exploited a famous bug on Android to accumulate users’ MAC addresses that Google has still unsuccessful to plug, per a WSJ.

A mouthpiece for TikTok did not repudiate a piece of a report, nor rivet with specific questions we sent — including per a purpose of this opt-out-less tracking. Instead she sent a next statement, attributed to a spokesperson, in that association reiterates what has turn a go-to explain that it has never given US user information to a Chinese government:

“We always inspire a users to download a many stream chronicle of TikTok,” a matter added.

With all eyes on TikTok, as a latest aim of a Trump administration’s fight on Chinese tech firms, inspection of a amicable video app’s doing of user information has fundamentally dialled up.

And while no renouned amicable app height has a hands purify when it comes to user tracking and profiling for ad targeting, TikTok being owned by China’s ByteDance means a season of notice capitalism has warranted it unwelcome courtesy from a US boss — who has threatened to anathema a app unless it sells a US business to a US association within a matter of weeks.

Trump’s emplacement on China tech, generally, is centered on a explain that a tech firms poise threats to inhabitant confidence in a West around entrance to Western networks and/or user data.

The US supervision is means to indicate to China’s Internet confidence law that requires firms to yield a Chinese Communist Party with entrance to user information — hence TikTok’s fatiguing rejection of flitting data. But a existence of a law creates such claims formidable to stick.

TikTok’s problems with user information don’t stop there, either. Yesterday it emerged that France’s information insurance watchdog has been questioning TikTok given May, following a user complaint.

The CNIL’s concerns about how a app rubbed a user ask to undo a video have given broadened to ring issues associated to how transparently it communicates with users, as good as to transfers of user information outward a EU — which, in new weeks, have turn even some-more legally formidable in a region.

Compliance with EU manners on information entrance rights for users and a estimate of minors’ information are other areas of settled regard for a regulator.

Under EU law any bound identifier (e.g. a MAC address) is treated as personal information — definition it falls underneath a bloc’s GDPR information insurance framework, that places despotic conditions on how such information can be processed, including requiring companies to have a authorised basement to collect it in a initial place.

If TikTok was concealing a tracking of MAC addresses from users it’s formidable to suppose what authorised basement it could explain — agree would positively not be possible. The penalties for violating GDPR can be estimable (France’s CNIL slapped Google with a $57M excellent final year underneath a same framework, for example).

The WSJ’s news records that a FTC has pronounced MAC addresses are deliberate privately identifiable information underneath a Children’s Online Privacy Protection Act — implying a app could also face a regulatory examine on that front, to supplement to a raise of US problems.

Presented with a WSJ’s findings, Senator Josh Hawley (R., Mo.) told a journal that Google should mislay TikTok’s app from a store. “If Google is revelation users they won’t be tracked but their agree and intentionally allows apps like TikTok to mangle a manners by collecting determined identifiers, potentially in defilement of a children’s remoteness laws, they’ve got some explaining to do,” he said.

We’ve reached out to Google for comment.

About the Author