TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found.
The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn’t disclosed to TikTok users. TikTok ended the practice in November, the Journal’s testing showed.
The findings come at a time when TikTok’s Beijing-based parent company, ByteDance Ltd., is under pressure from the White House over concerns that data collected by the app could be used to help the Chinese government track U.S. government employees or contractors. TikTok has said it doesn’t share data with the Chinese government and wouldn’t do so if asked.
The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users’ data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.
TikTok, which said earlier this year that its app collects less personal data than U.S. companies such as Facebook Inc. FB, -0.02% and Alphabet Inc.’s GOOGL, -0.79% GOOG, -0.70% Google, didn’t respond to detailed questions. In a statement, a spokesperson said the company is “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges.” The company said “the current version of TikTok does not collect MAC addresses.”