Sens. Moran, Thune Call on FTC to Investigate TikTok’s Consumer Data Collection & Processing Practices
Aug 13 2020
WASHINGTON — Today, U.S. Senator Jerry Moran (R-Kan.) – Chairman of the Senate Commerce Subcommittee on Consumer Protection – and U.S. Senator John Thune (R-S.D.) – Chairman of the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet – called on Chairman Joseph Simons of the Federal Trade Commission to investigate TikTok’s consumer data collection and processing practices. In addition, Sens. Moran and Thune are seeking specific answers from the FTC related to allegations from a Wall Street Journal article that described TikTok’s undisclosed collection and transmission of unique persistent identifiers from millions of U.S. consumers until November 2019. This report also described questionable activity by the company as it relates to the transparency of these data collection activities, and the letter seeks clarity on these practices.
“There are allegations that TikTok discreetly collected media access control (MAC) addresses, commonly used for advertisement targeting purposes, through Google Android’s operating system under an “unusual layer of encryption” through November 2019,” the senators wrote. “Given these reports and their potential relevancy to the “Executive Order on Addressing the Threat Posed by TikTok,” we urge the Federal Trade Commission (FTC) to investigate the company’s consumer data collection and processing practices as they relate to these accusations and other possible harmful activities posed to consumers.”
The full letter can be found below.
August 13, 2020
Dear Chairman Simons:
We write to you today regarding concerning reports from the Wall Street Journal indicating that the social media app developed by TikTok collected unique persistent identifiers from millions of devices without notice to consumers or providing a mechanism to opt out of such collection practices. More specifically, there are allegations that TikTok discreetly collected media access control (MAC) addresses, commonly used for advertisement targeting purposes, through Google Android’s operating system under an “unusual layer of encryption” through November 2019. Given these reports and their potential relevancy to the “Executive Order on Addressing the Threat Posed by TikTok,” we urge the Federal Trade Commission (FTC) to investigate the company’s consumer data collection and processing practices as they relate to these accusations and other possible harmful activities posed to consumers.
While we understand and appreciate the various national security concerns raised against TikTok to date, the purpose of this inquiry is to raise specific attention to the practice highlighted in the mentioned reports, which also ties into the information security of Americans.
Considered personally identifiable information by the FTC under the Children’s Online Privacy Protection Act (COPPA) since the 2012 updates to the law, the agency has found that persistent identifiers, including MAC addresses, are reasonably linkable to specific consumers. Even though most of the consumers impacted in this case are not covered by COPPA, this category of information allows for user profiles to be created and maintained based on a consumer’s behavior online.
Understood to be largely banned by the policies of major app stores, like Google’s Play Store, expert testing referenced in the Wall Street Journal described a “workaround that allows apps to get MAC addresses through a more circuitous route” that is not limited to TikTok. In this case, the company allegedly collected MAC addresses from unknowing consumers for at least 15 months and shared this information, bundled with other relevant personally identifiable information, with its parent-company ByteDance Ltd. to enable ongoing consumer tracking across accounts and apps. Additionally, the described data transfer traffic between TikTok and its parent-company reportedly used an “added layer of encryption” beyond standard encryption protocols for web traffic that affects the transparency of the transmitted information.
As members of the Senate Commerce, Science, and Transportation Committee, with oversight responsibility for the FTC and consumer data privacy, we respectfully request that the agency investigate these allegations and provide answers to the following questions:
- Does the FTC treat MAC addresses and other persistent identifiers as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the Federal Trade Commission Act?
- Did TikTok provide any form of notice to consumers that MAC addresses were being collected by the app during the described period when this information was collected?
- Were consumers provided mechanisms of consent (in either opt-in or opt-out forms) to demonstrate any form of discretion in the collection of MAC addresses?
- What assurances can you provide Congress that MAC address collection practices by TikTok ended on November 18, 2019, as described in the article? Does the agency have any plans or processes in place to prevent these practices from being re-implemented?
- Has the agency been in contact with third party app store hosts, including Google, related to general MAC address collection practices by third party apps previously? Have complaints of third-party apps collecting MAC addresses, in conflict with app store policies, been brought to the agency before? If so, how has the agency previously addressed such concerns?
- Please describe in as much detail as possible the “loophole” that TikTok reportedly exploited in Google’s Play Store that allowed for its collection of consumers’ MAC addresses. Can the agency confirm that this issue was limited to this particular third-party app store? If not, is the agency in contact with other third-party app stores to confirm that these surreptitious collection practices are not occurring through their operating systems?
- Please describe in as much detail as possible the “extra layer of encryption” described in reports to protect and conceal TikTok’s collected and transmitted consumer information. In addition, please provide the specific impacts that this form of encryption has on the transparency of the data in transmission.
Thank you for your attention to this matter.