TikTok Tracked Android Users’ MAC Addresses Without Consent (wsj.com)

Kevin Poulsen and Robert McMillan, Wall Street Journal:

TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found.

[…]

The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users’ data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.

Two things can be true here:

  1. This practice is not unique to TikTok. The Journal says that the method for scraping MAC addresses on Android devices is well known, but not necessarily widely used. Uber tracked iPhone serial numbers until a few years ago and hid that mechanism from App Store reviewers.

  2. It is a privacy-hostile practice that is always intolerable.

I point this out mostly because the Journal’s article is bookended by claims that this is especially concerning in TikTok’s case. However:

Apart from the MAC address, the Journal’s testing showed that TikTok wasn’t collecting an unusual amount of information for a mobile app, and it disclosed that collection in its privacy policy and in pop-ups requesting the user’s consent during installation.

Like I wrote last week, there is no difference between TikTok’s data collection behaviours and those of any other mainstream social media app. The difference is solely whether that data is easily accessible by a government, perhaps even directly.

I do not see it as outlandish to have an elevated concern about Chinese government involvement. Two years ago, Apple was compelled by local law to move Chinese users’ iCloud data to servers run by a state-connected company. This is a step beyond, say, Russian laws that require user data to be stored on servers located within the country. Apple maintains that it holds the encryption keys; subpoenas for Chinese users’ data are now handled by Chinese courts instead of American ones.

TikTok’s data collection is not particularly invasive, nor is it as all-encompassing as an iPhone backup. If you are concerned about Chinese government access to tracked data, you should be concerned about all kinds of tracking. This is not a China problem, nor is it a TikTok problem — it is a logical extension of marketers’ obsession with tracking. It should not be a surprise that this easily deanonymized data is a gold mine for government abuse.