TikTok’s Secret Data Harvesting Exposed

Introduction

An investigation by The Wall Street Journal has revealed that TikTok, the widely popular short video app owned by China's ByteDance, engaged in a banned data-collection practice that harvested highly personalized information from users for over a year. The practice involved collecting MAC addresses, unique identifiers assigned to devices that can connect to the internet, which can be used to create detailed user profiles.

Understanding MAC Addresses & Google’s Restrictions

A MAC address, or Media Access Control address, is akin to a person's name: unique and unchanging, unlike an IP address, which can be shared among multiple devices. In 2015, Google restricted access to MAC addresses for third-party developers on Android devices, prohibiting the collection of identifying data without explicit user consent. However, TikTok managed to bypass these restrictions by implementing an added layer of encryption, which indicated that the secretive collection of sensitive data was intentional.

For 18 months, ending in November 2019, TikTok collected users' MAC addresses in direct violation of Google's rules. This revelation coincided with U.S. President Donald Trump's executive order that could potentially ban TikTok in the United States, which targeted its Beijing-based parent company, ByteDance.

Industry Response & Security Concerns

In response to questions about its privacy practices, TikTok stated that it is committed to protecting user privacy and that the current version of the app no longer collects MAC addresses. However, experts have raised alarms about various security flaws discovered within the app. Cybersecurity firm Check Point found vulnerabilities that could allow hackers to access user accounts and manipulate content feeds.

The flaws were reported to TikTok's parent company, ByteDance, in November, and the company claimed that the vulnerabilities were subsequently addressed in a newer version of the app.

Broader Context of Cybersecurity Issues

Concerns surrounding TikTok are not isolated; numerous significant cybersecurity incidents can be traced back to Chinese entities. For example, Chinese military officers were charged with orchestrating a data breach at Equifax in 2017, exposing the personal data of nearly half of all Americans. Furthermore, a global hacking campaign known as Cloudhopper, reportedly centered on obtaining commercial secrets, has also been attributed to Chinese hackers.

Reports indicate ongoing issues with multiple Chinese apps, including ad fraud and unauthorized data collection, as well as systematic programs to harvest data from the phones of travelers entering Xinjiang. Tourist reports suggest that phones are forcibly unlocked at border checkpoints, exposing users to significant privacy risks.

Lastly, a recent investigation revealed that more than 1,300 Android apps could gather location data and unique device identifiers without user consent, raising further questions about privacy safeguards in the technology industry.

Keywords

TikTok, data harvesting, MAC addresses, Google restrictions, cybersecurity, privacy, ByteDance, executive order, data breach, ad fraud, Xinjiang.

FAQ

Q: What kind of data was TikTok collecting?
A: TikTok was found to be collecting MAC addresses, which are unique identifiers for devices, allowing for highly personalized user profiles.

Q: How long did TikTok collect this data?
A: TikTok collected users' MAC addresses for 18 months, from mid-2018 until November 2019.

Q: What actions did Google take regarding TikTok?
A: Google had previously restricted access to MAC addresses for all third-party developers on Android and prohibited the collection of identifying data without user consent.

Q: What security vulnerabilities were discovered in TikTok?
A: Cybersecurity researchers found significant vulnerabilities that allowed hackers to access user accounts and manipulate content feeds.

Q: Has TikTok addressed these security issues?
A: TikTok stated that they have corrected these flaws in a newer version of their app, although concerns about data privacy persist.