TikTok Tracked User Data Using Tactic Banned By Google (marketwatch.com) 46
An anonymous reader quotes a report from MarketWatch: TikTok skirted a privacy safeguard in Google's Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found. The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn't disclosed to TikTok users. TikTok ended the practice in November, the Journal's testing showed.
The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users' data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage. In a statement, a spokesperson said the company is "committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges." The company said "the current version of TikTok does not collect MAC addresses."
The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users' data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage. In a statement, a spokesperson said the company is "committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges." The company said "the current version of TikTok does not collect MAC addresses."
why are people so worried about? (Score:5, Funny)
They don't do it anymore, so there's no problem. CPP are benevolent cultural leaders. Move along.
_________________________
Sent from my Huawei
Re: (Score:3)
Re: (Score:2)
Google doesn't need to know your MAC to do what they want to do, which is find out where you are. They only need to know what MACs you can see, especially of APs whose names are more likely to change than their MACs. If you're logging in, what value does your MAC have?
Re: (Score:2)
Re: (Score:2)
*Google* changes your WiFi MAC, under Android 10.
They just don't need to snoop like that when people are logging in, and telling Google who they are. No need to guess.
MAC Addresses? (Score:3)
I'm not an Android developer, but I did a quick Google search and it looks like it's pretty commonly done, though extra permissions are needed.
Re: (Score:2)
it's anyway 8 months old news, apparently, that for some reason someone found out would be a beautiful contribution to today's selected wall street journal's headlines. how could they know that other 'content aggregators' would spread it around. that was not the intent, honest to god!
Re: MAC Addresses? (Score:5, Informative)
From Android 6.0
Access to Hardware Identifier
To provide users with greater data protection, starting in this release, Android removes programmatic access to the deviceâ(TM)s local hardware identifier for apps using the Wi-Fi and Bluetooth APIs. The WifiInfo.getMacAddress() and the BluetoothAdapter.getAddress() methods now return a constant value of 02:00:00:00:00:00.
You can select permissions to get Mac address but those are from external devices.
Re: (Score:1)
Changing your MAC on older Android (Score:4, Informative)
How to change your mac address on Android.
https://www.droidviews.com/cha... [droidviews.com]
Re: (Score:2)
Getting them from external devices seems like it would be a big security concern
Re: (Score:2, Interesting)
Re: (Score:2)
That said, the claimed reasons for the concern may have some validity to them. The American government has an interest in a monopoly on intelligence about its citizens.
They can't do that to our citizens! Only we can do that to our citizens! [youtube.com]
Four Pinocchios. Both before the merger and 2019 (Score:5, Informative)
That statement gets four Pinocchios. Totally false.
The most recent national security review of Tik Tok was widely published in 2019:
https://www.nytimes.com/2019/1... [nytimes.com]
Senatorss Chuck Schumer (a leading Democrat) and Tom Cotton (R, Arkansas) requested the administration conduct the prove after Bytedance violated the terms of the original acquisition.
When Bytedance first tried to buy Musical.ly (US Tik Tok), Bytedance promised regulators that they would keep the US app separate and not merge it with the Chinese app, Tik Tok, which is heavily influenced by the Chinese government. Violating that is why the the head DEMOCRAT in the Senate asked the administration to conduct this national security review.
I don't know if you made up that lie, or repeated it after hearing it elsewhere. If you heard it elsewhere, somebody has been blatantly lying to you, taking you for a fool.
Re: (Score:1)
Just his cabinet lol (Score:5, Informative)
I don't know if you're aware, but Steven Mnuchin, who led the probe into Tik Tok and Bytedance, is a member of Trump's cabinet. He's the guy mentioned in the article.
He's the same guy who has been in the news this week announcing the president's executive orders regarding covid relief, and is the president's chief negotiator with the Dems for the covid bills.
This government also fined Bytedance over data collection violations in February 2018 - more than two years before the Tulsa rally.
Your post was utter bullshit and if you didn't know that when you wrote it, you do now. Ans here is a key point - everybody else reading this thread knows that too. At this point, trying to "look good" by claiming the opposite of the facts will utterly backfire on you - you'll just look like compulsive liar; you will not save face that way. Your "out" to save face is to say either of these two things:
1. Wow, the article I had read sure was bullshit after all, thanks for the info.
2. Ah, I hadn't heard anything about Tik Tok until recently, wasn't aware there had been years of investigations and fines paid ever since shortly after the acquisition. I hadn't heard any of that, so I had thought it all started a few months ago when I started seeing it on Slashdot. Thanka for the info.
Those are replies that you can use to avoid looking like a total liar, a sack of crap.
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:1)
You fucking fail at reading as it disproves your claim of "It is quite interesting that this offensive against TikTok started shortly after the Tulsa rally." when quite obviously it happened WELL BEFORE THEN.
Go the fuck back to school.
Re: (Score:2)
I don't care why they're finally doing something (Score:2)
right. Just that they are. Ban all the CCP malware. Can we go after Zoom, Tencent, and Netease next? Please?
Re: (Score:2)
Why the hell? (Score:5, Insightful)
How does Android allow any old app to pick up unique identifiers like MAC addresses?
That's insane. I'm sure there are ways to do it on iOS too (I doubt the methods are sanctioned if so) but in my admittedly limited knowledge of mobile app development, its seems like something that the app stores would look for and reject - especially on hugely popular apps like this.
Why would anything at the application layer ever need access to the low-level hardware address of anything?
Re: (Score:3)
iOS 7 removed the ability for apps to directly pull the Wi-Fi hardware MAC, however an easy search on StackOverflow over the years shows that people have been able to utilize IP and arp table methods for finding it.
iOS 14 is going to introduced randomized Wi-FI MAC addresses as well, but how that works for apps I don't know yet.
Re:Why the hell? (Score:5, Interesting)
IPv6 is a bigger threat I think. The use of NAT with IPv4 unintentionally had the positive effect of obfuscating individual computers on the Internet. IPv6 has enough addresses that there's no need for anything like NAT, so each address becomes a globally unique identifier [google.com].
Going forward, I think what's going to happen is that the physical network layer is going to be virtualized before giving non-OS software access to it. So your physical MAC address may be 01:23:45:67:89:0A but only the OS sees this. The virtualization layer presents this as a different number to any apps which are running, and handles the translation between the real and virtual address in packets.
Randomized MAC addresses are better in that they also prevent identification of the hardware from the local network side. But introduces the possibility of address collisions. The whole point of IPv4, IPv6, and MAC addresses is to prevent collisions - that's why there are so many of them, and we have to come up with band-aid fixes when they run out (like NAT in IPv4). So there are pros and cons to randomizing the MAC address. Back in the late 1990s when SSL was relatively new, my workplace was behind a NAT. I was browsing Amazon and somehow ended up with someone else's login token (I assume someone also at my company who was browsing Amazon at the same time). I could browse their order history, and presumably I could've placed an order using their billing info. That's the risk that's introduced when you switch to an identifier scheme which can potentially result in ID collisions, like randomized MAC addresses. (Of course if the address space is huge, the odds of a collision can be incredibly low. There are something like 280 trillion possible different MAC addresses. The problem is more with your randomization algorithm being only pseudo-random, so collisions end up being more common due to your address generation only being pseudo-random.)
Re:Why the hell? (Score:4, Informative)
and handles the translation between the real and virtual address in packets.
... which does absolutely nothing when the app can connect to a server, which will tell the app what it's IP address is.
Re: (Score:2)
But with IPv6 there is no reason for IP addressed to change, ever, regardless of which network the device is on. Connecting to your home WiFi? Got your IP. Connecting to your work WiFi? Now I know where you live and work. Friends? Mistresses? Retail shops? You can now be tracked everywhere you go by anyone, not just your mobile provider.
IPv6 not only obviates the need for NAT, it removes the capability for it entirely. Welcome to persistent tracking everywhere.
Re: (Score:2)
Most IPv6 implementations will use your MAC address (via EUI64) to create your IPv6 address, this way it is more determinate. However, just like with IPv4, one host can (and always does) have multiple IPv6 addresses, and thanks to NDP (which replaces ARP) you can discover if a psuedorandom IP address is in use before you begin using it. If it is, just generate a new address and repeat. Some IPv6 implementations already do exactly this (I know that, for example, Windows 10 implements IPv6 IP address randomiz
Re: Why the hell? (Score:1)
Re: (Score:2)
Why are other companies allowed to use MAC adresses anyway? Why isn't Apple suing them for trademark infringement? [instantrimshot.com]
It doesn't, anymore. For things like WiFi scanners (Score:2)
It's no longer available. Certain apps such as WiFi scanners get info about the network interface. That data used to be something like the output of ipconfig, including by chance the mac address.
The Mac address is no longer included.
Which MAC address? (Score:2)
I'm scouring this link and others like it and I can't find which MAC address they were gathering from Android.
I'm assuming they're talking about the phone Wi-Fi MAC address, which in the case of Android 10 by default a Wi-Fi connection is set to use a Randomized MAC and not the Phone MAC.
Not an Android developer here but if you're going to add that feature for Wi-Fi but still allow apps to access the Phone MAC when that's being used, welp, I don't know what we expected to happen.
Is anyone shocked by this? (Score:2)
It's fun to rip on them because of their dictator overlords, but a lot of their tactics are straight from Twitter or Facebook.
Re: (Score:3)
Slashdot is as even-handed as it gets.
Then again, our culture here values citations and facts (and rewards those). The editors have a very light touch with comments. Generally, if you managed to post it, it stays.
Exceptions have been made for copyrighted material, but otherwise, Slashdot is still the most active/least censored forum out there. There's no all-powerful moderators with fiefdoms.
Re: (Score:2)
As usual, USA invents something and China copy it.
Ahahahaha (Score:2)
we constantly update our app to keep up with evolving security challenges
So..they patch their app frequently to exploit newly discovered security holes when people are patching the old ones elsewhere or are otherwise able to track the intrusion?
What instead? (Score:2)
They’re collecting the IMEI now?
Re: (Score:2)
I can't be! (Score:1)
But, the CCP would NEVER violate rules or laws! They only exist to protest "The People"! ROFL
Seriously though, does it honestly surprise anyone that the CCP ignores rules and agreements, and does whatever the hell they want?
(Cue the Trump haters that will respond to my post with "Orange man bad!" or "Well, the US does it too!". lol)
So much for "news for nerds"... (Score:2)
The identifiers collected by TikTok, called MAC addresses,
So much for news for nerds :-(
WAT? (Score:1)
No, that is not their most common use, not by a very wide margin. It may be a fairly common auxiliary use, but I guarantee the use of MAC addresses for their intended purpose (i.e., allowing data-link-layer equipment and firmware and such to route packets to the correct physical device on any given physical network segment) is overwhelmingly more common. Most types of computer networks that are currently in widespread use, would not work at a
wonderful!Microsoft spent 50 billion to buy tiktok (Score:1)
Security via documentation isn't security (Score:2)
This is the problem with browser security and Android security. The target audience isn't the user / owner of the device. It's the advertisers. Google could implement secure systems to prevent userspace applications from getting unique IDs, like the MAC, without overt user consent. Instead they document "security" policies that requires bad actors to cooperate. It'll never work.
In these environments, it's the user that untrusted, not the third party code.