Already under fire for its speculative connections to the Chinese government and national security concerns, TikTok was dealt another blow last week when it was discovered to have been engaging in undisclosed user tracking in the Android version of its app.
Google policies forbid Android apps from collecting MAC addresses without explicitly asking the user for permission; the Wall Street Journal reports that only about 1% of all apps on the platform attempt to do so. Surreptitious user tracking that passes MAC addresses back to the host is strictly forbidden and can get an app banned from the Play Store.
That appears to be exactly the sort of user tracking that TikTok was doing, at least until late last year. Older versions of the app were reportedly using an extra layer of encryption to collect MAC addresses without the user or Google being aware of what was going on. The addresses were being harvested for about 15 months, from about September 2018 to November 2019. The practice seemed to cease around the time that US government scrutiny of the app picked up.
MAC addresses are a particularly sensitive element of user tracking as they are unique to each device. Embedded at the hardware level in network firmware, they are very difficult to permanently spoof or change. Android does have a feature that allows users to temporarily spoof a MAC address for privacy, but it is not something that the average phone user would be expected to know about. The typical Android advertising ID changes between sessions so that users cannot be persistently tracked by third parties.
It is also unclear if spoofing would have even helped in this case, as TikTok appears to have made use of a known bug in Android (which still remains unpatched) to obtain the MAC addresses. Discovered in 2018, the bug is present in all versions of Android prior to 9 and provides apps with a way to access regular OS WiFi broadcasts that contain the BSSID and network name, IP range, gateway IP and DNS server addresses in addition to the device MAC address.
Potential fallout for TikTok’s user tracking
TikTok is already facing a virtual death sentence in the United States, with weeks left to find a new owner that will move all of its operations out of China. It doesn’t appear as if this new user tracking controversy will change those terms in any significant way, but it does help to validate the Trump administration’s hard line against the Beijing-based company and potentially makes it easier to justify a removal from app stores. If parent company ByteDance does not sell to an American company by November 12th it will no longer legally be able to do business in the US; the likely immediate consequences of this would be closure of its various offices in the country and pressure on Google and Apple to remove it from the US versions of their app stores.
Microsoft appeared to be the early strong suitor for the company, and Twitter has also recently expressed some interest. ByteDance stated that it was open to selling TikTok in early August as talk of a potential US ban ramped up; investors have valued the company at about $50 billion.
While the US does not have a federal mechanism by which to fine TikTok for these breaches of privacy, individual states may opt to take action. At the very least, the surreptitious user tracking is likely in violation of the terms of the California Consumer Privacy Act. The age demographics of TikTok, which skew young with roughly half of its user base under the age of 18, may also cause it to run afoul of both state and federal child privacy protection laws. A violation of the federal Children’s Online Privacy Protection Act would trigger a probe that would not go away simply by relocating operations to the US.
There is also already some pressure in Congress for the app to be removed from Apple and Google’s services immediately on the basis of this user tracking incident. Senator Josh Hawley (R-MO) commented on the Wall Street Journal’s report, stating that Google should remove the app from the store if an investigation finds that the app collects the personally identifiable information of children. This is another potential legal issue that would not be resolved simply by moving house to the US.
While TikTok’s most immediate problems are loss of access to its two largest foreign markets (India and the US), it may also be facing fresh problems in the EU. The General Data Protection Regulation (GDPR) regards MAC addresses as a form of personal and protected information. GDPR requirements stipulate that TikTok would have had to provide notice prior to user tracking and get their consent, including providing them with a legal reason as to why it was necessary to collect the information. Failure to do so could put TikTok on the hook for substantial fines in the region, with the GDPR allowing for up to 4% of a company’s annual turnover to be collected as a punitive measure.