Report: TikTok Harvested MAC Addresses By Exploiting Android Loophole

The ongoing controversies surrounding TikTok hit a new gear on Thursday with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google.

According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.

TikTok, based in Beijing, China, has been described as a national security threat in the U.S., and has been in the headlines over concerns that data collected by the TikTok app could be used to aid government spying activities.

The Wall Street Journal said TikTok was exploiting a loophole to collect MAC addresses for at least 15 months. The practice stopped in November 2020.

MAC addresses are considered personally identifiable information under COPPA (the Children’s Online Privacy Protection Act). A MAC address is the unique identifier found in all internet-enabled communications devices, including Android- and iOS-powered devices. MAC addresses can be used to target advertising to specific users or track and build dossiers of individuals.

TikTok responded to the WSJ’s findings by saying “the current version of TikTok does not collect MAC addresses” but the investigation found that the company had been harvesting that data for many months.

Apple’s iOS blocks third parties from reading MAC addresses as part of a privacy feature added in 2013, but on Android, the exploitable loophole remains.