It looks like TikTok’s week just got worse.
A recent report by the Wall Street Journal revealed that the embattled social media network tracked unique user data from millions of mobile devices, with no way for users to opt out. In particular, the practice involved collecting the MAC addresses (a unique number that identifies a device on a network) of Android users for at least 15 months, despite Google’s privacy protections.
According to security experts, TikTok used a well-known “workaround” security hole to obtain the data—all while masking the approach using an unusual added layer of protection. TikTok ended the practice with an update in November 2019, the report noted. When asked for comment, the company didn’t directly address the claims but said the “current version” of its app does not gather MAC addresses.
The findings couldn’t have come at a worse time for TikTok. In the U.S., President Donald Trump signed an executive order this August, which moved to ban TikTok over privacy concerns.
“The spread in the United States of mobile applications [in particular, TikTok and WeChat, which are] developed and owned by companies in the People’s Republic of China (China) continues to threaten the national security, foreign policy and economy of the United States,” said the executive order.
TikTok’s parent company, ByteDance, is also under pressure from the White House to sell its operations in the country or shut down completely. Currently, Microsoft is in talks to purchase the company, but rumor has it that Twitter is also looking to jump into the fray. (Read: TikTok’s looming ban is the latest in rocky relationship with US government)
TikTok didn’t notify its users—or give them a choice to opt out—regarding the data collection. This meant that TikTok users who ran the app for the first time on their phones had no way of knowing that their phone’s MAC address was being collected and used for advertising. The White House has previously raised concerns that data collected by TikTok, as well as WeChat, could be obtained by the Chinese government and used for blackmail or even espionage.
In response, a spokesperson for TikTok said that the company is “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges.”
For its part, Google said that it was looking into the findings, but declined to comment further. Before the Wall Street Journal report, an anonymous Reddit post last April had already exposed the loophole. If the report is proven true, TikTok would be in violation of Google’s policies, which ban apps from reading MAC addresses. Apple has a similar policy in place.
Despite the controversy, TikTok isn’t the only app that exploits the loophole to collect MAC addresses. In fact, over 1.4% of all Android apps were found to use the loophole to collect unique user data, according to a 2018 report by privacy analysis firm AppCensus. Security experts have also described the extra layer of encryption TikTok applied to the collected data as unusual, and at this point it remains unclear how the company planned to use the data.
TikTok’s latest privacy concern has already reached U.S. legislators, some of whom have called for the app to be removed from app stores over the latest issue. Sen. Josh Hawley of Montana, known for his tough stance on the conduct of tech companies, said that allowing apps like TikTok to remain in stores despite repeated privacy violations sets a bad precedent.
“Google needs to mind its store, and TikTok shouldn’t be on it,” he added.