The Chinese company has been accused of spying on millions of Android TikTok users using a technique banned by Google.  According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.  

TikTok was exploiting a loophole to collect MAC addresses for at least 15 months. The practice reportedly stopped in November 2020. MAC addresses are considered personally identifiable information under COPPA (the Children’s Online Privacy Protection Act). A MAC address is the unique identifier found in all internet-enabled communications devices, including Android- and iOS-powered devices. MAC addresses can be used to target advertising to specific users or to track individuals and build dossiers on them. Apple’s iOS blocks third parties from reading MAC addresses as part of a privacy feature added in 2013, but on Android, the exploitable loophole remains.

Although the investigation found that TikTok did not collect an unusual amount of data and typically was upfront about what was being captured, the Journal found that the parent company, ByteDance, took major steps, using “extraneous steps” to “conceal the data it captures.”

What to do?

  • Avoid using Android devices to access TikTok.
  • If you are going to use a mobile device to access TikTok, use one that runs Apple iOS.

What can you do when this happens to you?

  • If you think your device has been compromised, consult your service provider on remedial repair.
  • Change your passwords.


SecurityWeek News on January 14, 2021

Report: TikTok Harvested MAC Addresses By Exploiting Android Loophole | SecurityWeek.Com

“This USVBA Cyber Alert is provided by our partner, 171 Comply. Please visit their website to learn more about CMMC and their services.”