A report by the Wall Street Journal has indicted Chinese owned social media app, Tik Tok of spying on its Android users up until late 2019.
Investigators also discovered that Tik Tok did not inform its users of the existence of the tracking device; a fixed identifier, in the first place.
Tik Tok allegedly stopped tracking its android users in November, 2019 after the United States stated an intense scrutiny of the Chinese app and its parent company, ByteDance. The app had gathered vital information about its users for at least 15 months before US scrutiny forced it to discontinue the use of the fixed identifier without the knowledge of its users.
Investigators discovered that the app exploited a bug on Android devices to gather the MAC addresses of users. According to the Wall Street Journal, Google is yet to fix the bug.
A MAC address is a unique, fixed identifier assigned to devices with internet capabilities. The MAC address can be used to track, profile and target individual device users. This also allows whoever is doing the tracking to access the profiles of the targeted user on past devices or identities they have abandoned.
When confronted with the allegation, a spokeswoman for Tik Tok did not deny it but rather released a statement saying the parent company has never given harvested data from its US users to the Chinese Government.
“Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked. We always encourage our users to download the most current version of TikTok,” the statement said.
US President, Donald Trump has threatened to ban the app in the country unless it sells off its US stocks to a US company within the next one month, citing national security concerns. The fact that the parent company of Tik Tok, ByteDance is Chinese and China’s national security law requires social media companies to submit user data does not help the company’s stand.
Germany and France have also started its scrutiny of the app following growing complaints by users in those countries. France’s data regulator the CNIL started to investigate how Tik Tok handled a user request to delete a video but expanded it to include transfers of user data outside European Union (EU) borders in recent weeks.
Under EU law, fixed identifiers fall under the GDPR data protection framework and are treated as personal data. This means there are strict, legal conditions on how data obtained from MAC addresses can be processed by social media companies. If found guilty by the French, Tik Tok could be fined as much as $57m, just like it did Google last year.