KEY POINTS

  • TikTok collected identifiable user data belonging to Android users, analysis shows
  • This was discovered by an independent investigation looking into the app's older versions
  • The Chinese-owned app collected data without permission for more than a year

TikTok collected identifiable user data without permission and in violation of Google's policies, a report said.

Chinese video-sharing app TikTok was discovered to have been collecting user data for more than a year, an investigation from The Wall Street Journal revealed. The app tracked Android smartphone users' media access control (MAC) addresses for a period of 18 months.

MAC addresses can be used to identify users' smartphones. This data allows companies to track users even if they have changed the privacy settings on their devices, and it is of considerable value for advertising purposes.

These unique identifiers could be used for “potentially more invasive forms of tracking,” The Verge noted.

The Chinese app's unauthorized acquisition of MAC addresses is a direct violation of Google's policies. In 2015, Google's Play Store and Apple's iOS App Store banned the collection of MAC addresses.

TikTok, however, was able to circumvent the policy and collect the identifiers by exploiting a bug. The app was then able to cover its tracks using an extra layer of encryption.

TikTok currently has a wide userbase, and the Android app has been installed by more than 100 million Android users around the globe. App analytics firm Sensor Tower noted that TikTok currently has more than 89 million installs in the U.S. alone, Business Insider reported. This revelation, then, comes as a huge concern.

The WSJ discovered the illegal behavior when it looked at the past version of the TikTok app. It found that the company only stopped collecting MAC addresses in November last year. This means it had been stealing identifiers since May 2019.

In its defense, TikTok said it no longer collects MAC addresses.

“We are committed to protecting the privacy and safety of the TikTok community,” a TikTok spokesperson told Business Insider.

“We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We always encourage our users to download the most current version of TikTok,” the spokesperson continued.

Google is currently investigating the findings.

The news comes at an inopportune time for TikTok as the government has threatened to ban the app for security reasons. 

President Donald Trump set a September 15 deadline for Chinese-owned TikTok to be acquired by an American company. Photo: AFP / Lionel BONAVENTURE