In addition to giving its users no way to opt out of data collection, the app hid its tracking function behind an added layer of encryption. That design indicates that this was a purposefully planned effort to collect user data secretly. This recent revelation is sure to further complicate TikTok’s efforts to avoid a ban in the United States.
Since the app’s launch, there have been those who felt that it is a scourge on the internet, and there have been many concerns surrounding TikTok’s true purpose and motivations. The White House suspects that collected data would be used to help the Chinese government track Americans, while TikTok has maintained that it does not share any information with the Chinese government and would refuse to do so if asked.
TikTok was Secretly Collecting Users’ MAC Addresses
The banned data-collection practice that TikTok was using involved the collection of media access control (MAC) addresses. This is a rare practice: only about 1% of Android apps collect MAC addresses, according to a study by the mobile-app analysis firm AppCensus.
MAC addresses are particularly effective for collecting data on an individual because, unlike an advertising ID, the number cannot be reset or altered by the user. This means that the MAC address can be used to create a long-term and highly personalized user profile. AppCensus co-founder Joel Reardon described the MAC address’s purpose by saying, “It’s a way of enabling long-term tracking of users without any ability to opt-out. I don’t see another reason to collect it.”
Highlighting how specific a MAC address is to an individual, Reardon explained that even “If you uninstall TikTok, reset the ad ID, reinstall TikTok and create a new account, that MAC address will be the same.”
TikTok Worked Hard to Get those MAC Addresses
Smartphone manufacturers are aware that the MAC address is a very valuable piece of data. In 2013, Apple locked the MAC address on its phones, preventing third-party apps from accessing it. In 2015, Google did the same thing for its Android OS. Google Play’s developer policy also clearly bans developers from collecting identifying data without the explicit consent of the user. Rather than get that consent, or simply leave the MAC address alone, TikTok’s programmers created a workaround that exploited a flaw in Android’s security to get the data they wanted.
TikTok also wrapped the data it collected in an additional layer of encryption, which itself raised suspicion. Nathan Good of the International Digital Accountability Council found the extra encryption questionable, saying “TikTok’s obfuscation of this data makes it harder to determine what it’s doing.”
Piggybacking off of Good’s point, Reardon explained that the encryption “doesn’t provide any extra level of Internet security, but it does mean that we have no transparency into what’s being sent out.”
Marc Rogers, VP of Cybersecurity Strategy at the San Francisco-based software company Okta, has his own theory as to why TikTok added the extra layers of encryption: “My guess is that the reason they do that is to bypass detection by Apple or Google because if Apple or Google saw them passing those identifiers back they would almost certainly reject the app.”
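What Reardon and Good describe is visible to a reviewer who terminates TLS with an intercepting proxy: the request body is readable JSON, except for fields that were encrypted before being placed in it. Those fields add nothing to the transport security TLS already provides, but they hide their contents from the reviewer. The following is an added example, not code from the article or from any app it names, of a check that flags such fields: a string value that decodes as base64 or hex, is at least a few dozen bytes long, has near-maximal byte entropy and is mostly non-printable. The request body is constructed for this example (the opaque blob is deterministic SHA-256 output standing in for ciphertext), not a capture from any real app.

```python
"""Spotting application-layer encryption inside app telemetry.

Added example; not code from the article or from any app it names.
Setting: TLS is terminated at an intercepting proxy, so each request body
can be parsed as JSON. This flags string fields that look like ciphertext
rather than data a reviewer can read. Sample body is constructed here.
"""
import base64
import binascii
import hashlib
import math

MIN_BYTES = 32          # shorter values are too small to judge by entropy
ENTROPY_RATIO = 0.8     # observed / maximum possible entropy for that length
PRINTABLE_LIMIT = 0.7   # above this it is probably base64-wrapped text, not ciphertext


def _decode_opaque(value):
    """Return raw bytes if `value` is hex or strict base64, else None."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        pass
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def normalized_entropy(data):
    """Shannon entropy of the byte distribution divided by the maximum
    achievable for this many bytes, log2(min(len, 256)); range 0..1."""
    if len(data) < 2:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(min(n, 256))


def looks_encrypted(value):
    """True if a JSON string value has the signature of an opaque blob."""
    raw = _decode_opaque(value) if isinstance(value, str) else None
    if raw is None or len(raw) < MIN_BYTES:
        return False
    printable = sum(0x20 <= b < 0x7F for b in raw) / len(raw)
    return normalized_entropy(raw) >= ENTROPY_RATIO and printable < PRINTABLE_LIMIT


def opaque_fields(body, path=""):
    """Walk a parsed JSON body; return dotted paths of opaque-looking fields."""
    found = []
    if isinstance(body, dict):
        for key, value in body.items():
            found += opaque_fields(value, f"{path}.{key}" if path else key)
    elif isinstance(body, list):
        for index, value in enumerate(body):
            found += opaque_fields(value, f"{path}[{index}]")
    elif looks_encrypted(body):
        found.append(path)
    return found


# Stand-in ciphertext: deterministic pseudo-random bytes from SHA-256 so the
# example behaves the same everywhere. A real app would put the output of
# its own encryption routine here.
_BLOB = (hashlib.sha256(b"constructed-blob-1").digest()
         + hashlib.sha256(b"constructed-blob-2").digest())

# Constructed telemetry body: readable device fields, a resettable ad ID,
# a base64-wrapped but readable session record, and one opaque field.
SAMPLE_BODY = {
    "device": {"os": "android", "os_version": "10", "app_version": "16.8.3"},
    "ad_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "session": base64.b64encode(
        b'{"screen":"feed","dwell_ms":4200,"locale":"en_US"}').decode(),
    "data": base64.b64encode(_BLOB).decode(),
}

if __name__ == "__main__":
    print("opaque fields:", opaque_fields(SAMPLE_BODY))
```

The base64-wrapped session record is deliberately not flagged: it decodes to printable JSON, so a reviewer can still read it. Only the field that decodes to high-entropy, non-printable bytes is reported, which is exactly the “no transparency into what’s being sent out” condition the quotes describe.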
The fact that TikTok’s MAC-address collection bypassed platform security features and was hidden behind an additional layer of encryption adds credence to the United States’ worry that the social media app could be used by the Chinese government to build dossiers on people it declares persons of interest. That capability became an even more worrying possibility in light of China’s new national security law, aimed at suppressing dissent, and its sanctions against US officials.
It remains to be seen what will happen when President Trump’s deadline for the sale of TikTok arrives on September 15th. Microsoft has been in talks to buy the app, but this new development may affect the deal. It could also reinforce Trump’s initial instinct to outright ban the app, although his main concern does seem to be that the US gets a cut of the sale price.