TikTok Tracked Your MAC Address: Now What?

Well, it could be worse. TikTok could be suffering some gigantic data breach that exposes your account credentials and private video snippets to the world. But the alternative isn’t much better, privacy-wise: a recent Wall Street Journal report found that the popular social network tracked Android users’ MAC addresses for at least 15 months, only eliminating the practice as part of a November update to the app last year.

Did they disclose this to Android users? No; not in any meaningful way that a regular person would be expected to find, at least — tiny fonts in an unread privacy policy shouldn’t count. In fact, I would bet that they didn’t disclose it at all, given that the practice was technically not permitted by the Android operating system at the time. TikTok had to employ a workaround to make the tracking happen, and it then packaged that data along with other identifying characteristics for parent company ByteDance. As the WSJ’s Kevin Poulsen and Robert McMillan wrote:

“TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behaviour while giving the user some measure of anonymity and control over their information.”

If you’ve been TikToking for any length of time, there are a few steps you can take to addresses this issue, but know that the advertising world is a mess. The more data that leaks out about you, the easier it is for companies to associate all that data together and make it incredibly difficult to ever truly separate yourself from everything they know about you. User profiles are what adtech is all about, and you didn’t just hear that from me.

On Android, I’d start by resetting your advertising ID. Again, this won’t make you anonymous, but it’s at least something you can do to make it ever so slightly harder for companies to associate your behaviours with you and your device. You’ll generally find the option to reset your Advertising ID in Settings > Privacy > Advanced > Ads.

Screenshot: David Murphy

While you’re here, consider opting out of ad personalisation entirely. That won’t prevent apps from tracking you in plenty of other ways, but it’ll at least cut one tool out of their arsenals.

Next, I would visit Android’s Network & Internet settings (Settings > Network & Internet), and then tap on your wifi connection. Tap on the gear icon to the right of whatever network it is you’re connected to, tap on Advanced, and tap on Privacy. Select the option to use a randomised MAC instead of your device’s MAC, and you’ll be a little bit harder to track that way, too. You’ll have to set this up for each wifi network you connect to, which will get annoying, but it’s an option.

Is that all you can do? Not quite. If you really, really hate tracking, you can try using other third-party apps to sever the connection between your phone and various advertising services. Or, heck, run all your network traffic through different privacy-themed VPNs to try and limit the characteristics that can be associated with you.

However, there’s no guarantee that the very apps you download won’t still be able to glean some information about you — especially if they’re tracking whatever you’re doing when you’re logged-in and using them.

I’d offer more ideas, but trying to keep companies from building profiles based around your usage patterns, identifying information, and persistent identifiers seems like a Sisyphean task. I run adblockers in my browsers and funnel all of my devices through a Pi-hole server running AdGuard, and even then, I feel like it’s a lost cause. That’s the price I pay to look at pictures of Pomeranians from around the world at a moment’s notice, I suppose.

All you can do is outfit yourself with the best tools and blockers you can get, and know that using another company’s app — especially when it’s free — means that you’re “paying” for it with all the information about you that other companies, mainly advertisers, can use to serve you crap.

But, hey, at least TikTok isn’t scanning your clipboard anymore. This is an improvement, right?

Log in to comment on this story!