×

TikTok collected device-specific addresses of users’ smartphones via its Android app for at least 15 months over 2018-19, using a technique that Google had banned developers from using without user consent, according to a Wall Street Journal report.

TikTok tracked Android phones’ MAC (media access control) addresses — unique hardware identifiers assigned to a network interface — possibly for advertising purposes, per the Journal story. TikTok stopped the practice in November 2019, after U.S. scrutiny over the app ramped up. The popular video-sharing app is facing a potential ban in the U.S. over national-security concerns, given its ownership by Chinese internet giant ByteDance.

The TikTok Android app didn’t notify users of the MAC-address tracking. In addition, TikTok uses an “unusual” additional layer of encryption for user data it collects and transmits back to the company’s servers, which concealed the fact it had been tracking MAC addresses, according to the Journal report.

Asked about the report, a TikTok spokesperson didn’t deny the device-tracking allegations. In a statement, the TikTok rep said, “Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any U.S. user data to the Chinese government nor would we do so if asked.” TikTok announced the hiring of Cloutier, formerly chief security officer at ADP, in March 2020.

The TikTok rep added, “We always encourage our users to download the most current version of TikTok.”

According to the Google Play Developer Policy Center, an app’s advertising identifier “must not be connected to personally-identifiable information or associated with any persistent device identifier” — like a MAC address — “without explicit consent of the user.” In response to the WSJ story, a Google rep said, “We’re investigating these claims.”

The WSJ report prompted Sen. Josh Hawley (R-Mo.) to urge Google to kick TikTok off its app store. “TikTok skirted a privacy safeguard in Google’s Android OS to collect unique identifiers from millions of mobile devices, data that allows them to track users online without allowing them to opt out,” the senator’s press office tweeted. “Sen. Hawley is calling for Google to ban @tiktok_us from its platform.”

The news about TikTok’s surreptitiously device tracking comes as ByteDance is being forced by the Trump administration to divest TikTok’s U.S. operations to an American buyer — or face a ban.

President Trump last week issued an executive order that would outlaw business dealings with TikTok in the U.S. by Sept. 20 if TikTok’s U.S.-based business isn’t sold by then. The president invoked national security concerns for the ban, noting that Chinese authorities could demand ByteDance fork over any TikTok user data.

Microsoft said it was in talks about a TikTok acquisition and Twitter reportedly has held preliminary talks about a possible merger with TikTok.