An investigation from the Wall Street Journal revealed that the company gathered users’ device MAC addresses without informing them, or even Google. The report notes that the short video app collected this data for 15 months, up until last November when an app update was released. TikTok also used an additional layer of encryption to mask the data it captured. It’s standard practice to apply encryption on your internet traffic to prevent snooping. However, the additional customer layer applied by the short video app was unusual and didn’t have any visible security benefits. [Read: Apple clashes with Microsoft, Google, and Facebook over cloud gaming] Companies collect MAC addresses or similar identifiers to get more data about their customers for targeted advertisements. Because hardware MAC addresses don’t change over time, it helps advertisers recognize an individual and their habits quickly. Google forbids developers from collecting persistent identifiers such as MAC addresses or IMEI numbers to use with Advertising ID (an identifier used in Android for ad-tracking). The company banned this practice in 2015. A study published in 2018 from analytics firm AppCensus suggested that nearly 1.4% of Android apps collected MAC addresses. In a statement, TikTok said its current version of the app doesn’t collect MAC addresses: In his executive order to bar US firms’ transactions with the app, President Donald Trump accused the app of collecting “vast swaths of information from its users.” This new revelation of the app’s sneaky data collection practice might give Trump & Co. one more reason to block TikTok. Microsoft, which’s leading the race to acquire the app, might also have its work cut out in convincing the government to approve the deal.
