FOX Business’ Charlie Gasparino gives updates on TikTok and presumptive Democratic presidential nominee Joe Biden’s vice president pick.
TikTok unleashed a privacy protection in Google’s operating system from Google to collect unique identifiers from millions of mobile devices, data that allows the app users to track online without having to choose, an analysis by the Wall Street Journal has found.
The tactic, which experts said in mobile phone security, was hidden by an unusually added layer of encryption, appears to have compromised Google policies, restricting how apps track people and were not disclosed to TikTok users. TikTok ended the practice in November, revealing testing of the Journal.
TIKTOK SUING TRUMP ADMIN OVER BAN SIN TIN TUESDAY: REPORT
The findings come at a time when TikTok’s Beijing-based parent company, ByteDance Ltd., is under pressure from the White House over concerns that data collected by the app could be used to help the Chinese government track U.S. government employees or contractors. TikTok has said it does not share data with the Chinese government and would not do so if requested.
The identifiers collected by TikTok, called MAC addresses, are mostly used for advertising purposes. The White House has said it fears data from users could be obtained by the Chinese government and used to build detailed files on individuals for extortion or espionage.
TikTok, which said earlier this year that its app collects less personal data than U.S. companies such as Facebook Inc. and Alphog Inc.’s GOOG + 1.48% Google, did not answer detailed questions. In a statement, a spokeswoman said the company is “committed to protecting the privacy and security of the TikTok community. Like our peers, we are constantly updating our app to keep up with new security challenges.”
| Ticker | Security | Last | Change | Change% |
|---|---|---|---|---|
| FB | FACEBOOK INC. | 259.89 | +3.76 | + 1.47% |
| GOOGL | ALPHABET INC. | 1,507.24 | +26.70 | + 1.80% |
The company said “the current version of TikTok does not collect MAC addresses.”
Most major mobile apps collect a range of data about users, practices that privacy advocates have long found alarming, but that tech companies defend as delivering highly customized experiences and targeted ads. Data collection varies by company.
War of the administration of the drum on SUN TECHNOLOGY EXPANDS
About 1% of Android apps collect MAC addresses, according to a 2018 study by AppCensus, a mobile app analytics firm that consults with companies about their privacy practices.
A Google spokesman said the company reviewed the Journal’s findings and declined to comment on the time it takes for some apps to collect MAC addresses.
The Trump administration’s national security concerns prompted ByteDance to announce a sale of TikTok’s U.S. operations to several suitors, including Microsoft Corp. When asked if the company was aware of this data collection issue, a Microsoft spokesman declined to comment.
The problem involves a 12-page “media access control,” or MAC, address, which is a unique number found in all Internet-ready electronics, including mobile devices.
The MAC address is useful for ad-driven apps because it can not be reset or changed, allowing app makers and third-party analytics companies to build consumer behavior profiles that are maintained by any owner short of privacy measures to to get new phone. The Federal Trade Commission has said MAC addresses are considered personally identifiable information under the Child Privacy Act.
“It’s a way to enable long-term tracking of users without accepting opportunity,” said Joel Reardon, an assistant professor at the University of Calgary and co-founder of AppCensus, Inc. “I see no other reason to collect it. “
YOU CAN RECEIVE UP TO $ 12 IN GOOGLE PLUS CLASS ACTION SETTLEMENT
Apple Inc. locked iPhone MAC addresses in iPhone in 2013, and prevented third-party apps from reading the identifier. Google did the same two years later in Android. TikTok circumvented this limitation on Android by using a solution that allows apps to get MAC addresses via a more circular route, the Journal test said.
The security hole is widely known, as rarely used, Mr Reardon said. He filed a formal bug report on the issue with Google last June after discovering that the latest version of Android would not close for a while. “I was shocked that it was still useful,” he said.
Mr Reardon’s report was about the disk in general, not specifically for TikTok. He said that when he submitted his bug report, the company told him that it already had a similar report on file. Google declined to comment.
TikTok has been collecting MAC addresses for at least 15 months, ending with an update released November 18 last year, as ByteDance fell under intense scrutiny in Washington, the Journal’s Testing revealed.
TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to track advertisers’ consumer behavior while giving the user some measure of anonymity and control over their information.
Users with privacy awareness can reset the advertising ID from the device settings menu, an action roughly similar to deleting cookies in a browser.
Google’s Play Store policies warn developers that the “ad identifier should not be linked to personally identifiable information or associated with a persistent device identifier,” including the MAC address, “without the express consent of the user.”
Storing the unaltered MAC address would allow ByteDance to associate the old ad ID with the new one – a tactic known as “ID bridging” – which is prohibited in Google’s Play Store. “If you delete TikTok, reset the ad ID, reinstall TikTok and create a new account, that MAC address will be the same,” Mr Reardon said. “Your ability to start with a clean slate is lost.”
Despite the ban, ID bridging is fairly widespread, according to AppCensus, especially among free gaming apps. But it rarely concerns the MAC address, the most persistent identifier accessible in the current version of Android.
In a random study by AppCensus of 25,152 popular Internet-enabled Android apps in 2018, only 347, or 1.4%, were seen using the Android loophole to send the MAC address. Of those, only 90 were also transferred the built-in Android ID, which changes when the device is reset.
The Journal’s analysis confirmed some of the behavior accused in a widely discussed anonymous Reddit post in April that TikTok transmitted a range of personal data to ByteDance servers, including the MAC address. Google said it is investigating the claims in that post.
The Journal examined nine versions of TikTok released in the Play Store between April 2018 and January 2020. The Journal’s analysis was limited to researching what TikTok collects as newly installed on a user’s device, before the user creates an account and the accepts terms of service of the app.
In addition to the MAC address, the Journal’s test revealed that TikTok does not collect unusual amounts of information for a mobile app, and disclosed that collection in its privacy policy and in pop-ups requesting the user’s permission during installation.
Less typical are the measures that ByteDance takes to hide the data it creates. TikTok wraps most of the user data it conveys in an extra layer of custom encryption.
As with almost all modern apps, TikTok’s internet traffic is protected by the web’s standard encryption protocols, making it unlikely that an honorary doctor could steal information in transit. That makes the extra, custom code code that TikTok applies to user data seemingly extreme – unless it was added to prevent the device owner from seeing what TikTok was wearing, said Nathan Good, a researcher at the International Digital Accountability Council, a watchdog group that analyzes app behavior.
“TikTok’s improvement of this data makes it harder to determine what it does,” Mr Good said. That added layer of encryption makes it harder for researchers to determine if TikTok respects its privacy policies and various laws. He said he was not aware of a business purpose for the encryption.
“It does not provide an additional level of Internet security,” Mr Reardon agreed. “But it does mean we do not have transparency about what is being sent.”
It’s common for mobile apps to hide parts of their software to prevent them from being copied by competitors, but TikTok’s coding does not seem to hide a proprietary secret, said Marc Rogers, vice president of cybersecurity strategy at Okta, Inc., which provides services that allow users to log in securely online.
“My judgment is that the reason they are doing this is to override the detection by Apple or Google, because if Apple or Google saw them pass these identifiers, they would almost certainly reject the app,” said Mr. Rogers.
CLICK HERE TO READ MORE ABOUT FOXBUSINESS
Google should remove TikTok from its platform, he said. Josh Hawley (R., Mo.), in a statement to the Journal, when apprised about the findings. Sen. Hawley has been critical of TikTok and a hawk in general against China.
“Google should have the store in mind, and TikTok should not have to,” he said. “When Google tells users that they will not be tracked without their permission and knowingly allows apps like TikTok to break their rules by collecting persistent identifiers, possibly in violation of our children’s privacy laws, they have something to explain.
