TikTok’s Android app collected users’ MAC addresses for 18 months in violation of the platform rules, as discovered by a Wall Street Journal investigation on Tuesday. The addresses would have served as a unique identifier for each user’s device, making them valuable for both advertising and potentially more invasive forms of tracking.
By 2015, both iOS’s App Store and the Google Play Store had banned the collection of MAC addresses as a matter of policy, but TikTok was still able to obtain the identifier through a loophole. A study cited by the Journal found that nearly 350 apps on the Google Play Store had taken advantage of a similar loophole, generally for ad-targeting purposes.
TikTok discontinued the practice in November of last year, a shift in policy the Journal attributes to mounting political pressure from Washington.
The revelation comes at a delicate time for TikTok, which is facing difficult questions from the White House over its Chinese parent company’s level of access to US user data. Last week, the White House issued an executive order to cut off all US transactions with the company, beginning September 20th, if it is not able to complete a sale of its US operations by that time. The company is currently in talks with Microsoft, but it is unclear how far the deal will proceed.
The Journal findings cut against the best argument in TikTok’s defense, that the system doesn’t collect any more data than a standard mobile app. While most often used for ad tracking, collecting MAC addresses is among the more invasive forms of the practice.
Reached for comment, TikTok emphasized that it had discontinued the practice. “We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses,” a representative said. “We always encourage our users to download the most current version of TikTok.”
Update 8:10PM ET: Updated with statement from TikTok.