Looking Beyond TikTok: The Risks of Temu

The Issue

The rapid proliferation of Chinese-owned and -operated applications (“apps”) such as TikTok has introduced new risks and exposed existing vulnerabilities in the regulatory, information security, and legal frameworks of the United States. While the social media juggernaut that is TikTok has received the lion’s share of attention, and understandably so, it is the tip of a much broader iceberg that requires greater attention and policy action from the federal government. The business practices of the fast-fashion platform Temu—including the sale of goods produced using illicit labor practices, the data security (and access) of the application itself, and the company’s connections with the Chinese Communist Party—raise significant concerns and should prompt greater scrutiny.

Introduction

The proliferation of applications (colloquially known as “apps”) was 4G’s great success story. The gig economy, driven by the rise of apps such as Uber, Instacart, and TaskRabbit, has empowered individuals to become their own bosses, choosing their working hours and taking charge of their destinies. However, the proliferation of apps also creates a new vector for malign activity. While it is not advisable to slow technical evolution to address security challenges, U.S. laws must stay current to adapt to the changing landscape.

On April 24, 2024, President Joe Biden signed a law that would force ByteDance, which is widely believed to be controlled by the Chinese Communist Party (CCP), to divest TikTok or be banned in the United States. The propagation of disinformation to the U.S. public over the past several years has raised concerns about how malign actors can sway public opinion for nefarious purposes.

The new law was aimed at TikTok but failed to address the broader problem that goes beyond any single app. Policymakers must be attuned to the overarching issue, not just a particular company. While TikTok may pose serious threats to the public, it is the influence and control exerted by the CCP across a burgeoning app economy that must be addressed. And for this reason, urgent and comprehensive policies need to be adopted to ensure the protection of U.S. citizens and those of U.S. allies.

The allure of “shop like a billionaire” and “fast fashion” delivered by Chinese e-commerce site Temu, which offers cheap prices with rapid delivery, masks significant underlying security risks and vulnerabilities. While Congress’s attention to TikTok is welcome and necessary, it is only the first among many Chinese-backed apps that require closer scrutiny and legislative and regulatory action. Temu, in effect, is an information-gathering spyware program masquerading as an e-commerce site.

Temu’s app is designed to attract customers and keep them shopping via the gamification and glamification of commerce, offering incentives for longer use and more frequent purchases. These goods are “sourced” from the factory via a network of 80,000 third-party suppliers, cutting out retailers and storefronts, giving customers otherwise unfeasibly low prices. However, these prices conceal dodgy sourcing, the use of forced labor in violation of existing U.S. laws, poor-quality goods, and innumerable scams.

The app is coded at its most basic level to become the digital version of a tick or other parasite—extremely difficult to remove. Customers’ phones and devices become the app’s host, and the information contained therein is Temu’s lifeblood. While data is the lifeblood of any e-commerce or internet platform, Temu’s exceptional access means it could monitor all the user’s activity but also change settings and make it nearly impossible to remove. Deletion of the app is not the end of Temu.

Were the app’s invasiveness the end of the story, it would be concerning enough, but given that Temu has existing relationships with arms of the CCP involved in data oversight, control, and propaganda and is obligated to cooperate—under China’s National Intelligence Law—with CCP authorities, it is worth far more scrutiny than it currently receives. Temu, with its access to user devices, is an exceptionally powerful vehicle for covert surveillance and, potentially, a tool for distributed denial-of-service attacks.

Indeed, the app and its parent company should be seen as a demonstrable front in strategic competition with China.

Fast Fashion’s Super Bowl

Americans watching the 2024 Super Bowl were exposed not only to a great game on the field but also a potentially significant threat to their data and privacy and the country’s national security. Temu, a Chinese e-commerce fast-fashion, cheap goods company, blitzed the most-watched media market, spending upwards of $21 million on ads over the course of the game. Offering $15 million in giveaways, Temu encouraged users to “shop like a billionaire.” The ad play clearly worked, with the app rocketing to the top of the download charts in the days following the Super Bowl, experiencing its fastest day-on-day growth.1

A Western offshoot of the China-focused Pinduoduo (which reportedly has 790 million monthly users in China), Temu shares the same parent company, PDD Holdings.2 Launched in the United States in the autumn of 2022 and expanding to European markets over the following year, Temu offers deeply discounted goods by cutting out the middleman and storefronts, shipping goods directly from the factories to customers. “Temu is less a store you buy things from, and more a broker that facilitates trade between Western consumers and Chinese factories,” writes privacy advocate Fergus O'Sullivan.3

Temu has rapidly gained market share and experienced explosive growth. To deal with this explosion of growth, China recently announced that a new air shipment corridor was to open between the Chinese city of Zhengzhou and the U.S. cities of Atlanta and Dallas. In May, Zhengzhou Xinzheng International Airport recorded an 18.6 percent year-on-year growth due to Temu’s rise.4

The media blitz and rapid growth conceal deep underlying concerns about Temu. The Chinese e-commerce juggernaut leverages direct-from-the-factory sales, enabling it to offer cut-rate prices. By design, Temu exploits U.S. customs and import regulations loopholes to ensure that its goods enter the United States with minimal scrutiny. Moreover, Temu has no mechanism to ensure compliance with the Uyghur Forced Labor Prevention Act (UFLPA).5

Yet, circumventing U.S. import regulations is merely the tip of the risk iceberg. Temu and its sister app, Pinduoduo, are malware and data collection platforms acting as e-commerce applications. Pinduoduo’s risks were so significant that Google suspended the application from its Play Store in 2023 after finding malware in versions of the app.6 Temu, a derivative of Pinduoduo, requests and gains access to users’ devices well above and beyond anything necessary for its function and, by design, is extremely difficult to delete or remove. Because Temu and other Chinese-owned firms are subject to the National Intelligence Law of China, the CCP could well have an unprecedented vector for surveillance and collection at best and a vehicle for cyber warfare at worst.

More concerning is the fact that Temu, through its parent company, does business with a company directly tied to the CCP and the Central Committee. This company, People’s Data, is—according to the Australian Strategic Policy Institute—directly involved in the party’s efforts to control both media and data.7 While it is unclear what data Temu or PDD Holdings shares with People’s Data, it is not a stretch to suggest that there is a connection from the e-commerce platform through to the Central Committee’s propaganda efforts.

The sheer volume of data collection, its function as a potential vector for the introduction of malware, and its links to the CCP make Temu a clear and present danger on the order of TikTok to both citizens’ privacy and the country’s national security. Like TikTok, Temu represents another front in strategic competition with China and should be taken just as seriously.

Strategic Competition and the Chinese App Ecosystem

Congressional and public awareness of the risks posed by Chinese apps gained widespread traction through the social media app TikTok. Launched in 2016 by the Chinese tech company ByteDance, TikTok experienced explosive growth, reaching 1 billion active monthly users in 2021 and earning over $4 billion in ad revenue.8 The company boasted in March 2023 that it had over 150 million users in the United States.9 Concerns about TikTok centered on three buckets: potential CCP influence via the platform, data collection, and the injection of malicious code into users’ devices.10

These fears have driven congressional and state-level action designed to prevent government employees from downloading the app onto government-issued phones and, eventually, to see TikTok sever its connections to the CCP or shut down entirely. On April 24, 2024, President Joe Biden signed into law what was known informally as the “TikTok bill” that would force the sale of the popular app or its shutdown in the United States.11 While TikTok has pledged to fight the legislation, and some within Congress have questioned its legitimacy, the action, nonetheless, illustrates the growing fears about Chinese-connected internet apps.12

The rapid proliferation of Chinese social media apps such as TikTok and e-commerce retailers such as Temu has led to widespread market capture and extensive penetration into both the social and commercial ecosystems. Unlike their Western counterparts, these platforms offer a novel vector not for business growth and expansion but for the CCP’s strategic competition with the United States.

It would be easy to dismiss such concerns as paranoia, but in practice, these apps receive very little scrutiny by regulators or customers, often contain code requiring extensive permissions to users’ devices, circumvent U.S. and European laws, and provide the CCP direct access to the information of hundreds of millions of users. Users’ shopping habits are decidedly less important than the contents of their phones and the data contained therein. When added to other datasets developed or stolen by government entities, the CCP can build a robust picture of individual and group habits—something exceedingly valuable for information operations and beyond.

In practice, the risks posed by Temu fall into similar buckets to those of TikTok and others: the circumvention of U.S. laws, data collection, and the links, formal or otherwise, to the CCP.

Circumvention of U.S. Laws

Temu experienced explosive growth due to its low prices, rapid shipping (direct from the factory), and aggressive marketing. The allure of cheap prices (and certainly cheap goods) is too good to pass up for many Americans. Yet, that accessibility is built on the backs of forced labor and the circumvention of U.S. regulatory and legal frameworks.

Temu’s business model creates opportunities for the insertion of counterfeit goods. “Temu’s lack of affiliation with established brands has brought concerns of product quality as well as accusations of copyright infringement,” according to a 2023 U.S.-China Economic and Security Review Commission paper.13 Temu’s sister platform, Pinduoduo, was listed in the U.S. Trade Representative’s 2021 Review of Notorious Markets for Counterfeiting and Piracy, though Temu was not cited.14

A congressional Select Committee on the Chinese Communist Party report found Temu had avoided “responsibility for compliance with the UFLPA and other prohibitions on forced labor while relying on tens of thousands of Chinese suppliers to ship goods direct to U.S. consumers.”15 Specifically, Temu “conducts no audits and reports no compliance system to affirmatively examine and ensure compliance with the UFLPA.” The company “admitted that it ‘does not expressly prohibit third-party sellers from selling products based on their origin in the Xinjiang Autonomous Region.’”16

The UFLPA is designed to prevent the importation of goods derived from Uyghur labor, labor that is exploited by the CCP as part of its campaign of genocide against the ethnic minority. This campaign includes “imprisonment, torture, rape, forced sterilization, and the widespread exploitation of the Uyghur people in forced labor,” according to the select committee report.17 The circumvention of that law allows the proliferation of goods and products derived from forced labor, further perpetuating the genocide of the Uyghur people.

Temu also exploits the de minimis rule, or Section 321 of the Tariff Act of 1930. This allows importers to avoid customs duties on packages that are less than $800 in value. The retailer Gap, by comparison, paid $700 million in duties on imports in 2022. This both artificially distorts the market, giving Temu a competitive advantage, and deprives the federal coffers of duty revenue.

Moreover, given that the threshold is $800, imports under that floor receive markedly less, if any, scrutiny from U.S. Customs and Border Protection (CBP) authorities. The high volume of small packages with little to no actionable information means there is a greater likelihood of illicit goods entering the country. In 2022, “‘CBP cleared over 685 million de minimis shipments with insufficient data to properly determine risk,’” the select committee report noted, citing the CBP. In March 2024, Rep. Mike Gallagher (R-WI), chairman of the Select Committee on the Chinese Communist Party, said: “No less than 94% of all import transactions now enter the U.S. through De Minimis rules.”18

Temu, Privacy, and Data Collection

It is unsurprising that apps mine user data to improve sales. However, according to the U.S.-China Economic and Security Review Commission, Chinese apps have taken the practice to an extreme level. The concerns about data security and privacy are twofold. First, how well does Temu secure its users’ information, such as credit card information and purchases? Second, how much data is the company acquiring beyond anything necessary for e-commerce activity?

Indeed, Temu can appear as much a data-collection platform and tool for privacy violations as it is a means of buying cheap goods online. The Temu app is designed to keep users engaged through interactivity that “offers users the opportunity to earn credits for money off future purchases, either through spin-the-wheel games or by encouraging others to join the site.”19

In 2022, over 80 percent of Temu’s revenues came not from sales to customers but from selling advertising services to its network of third-party retailers.20 This model requires the capture and processing of large amounts of data and leads some to speculate whether Temu is a profitable business enterprise. Juozas Kaziukenas, founder of e-commerce research company Marketplace Pulse, told the Los Angeles Times, “There’s absolutely no way Temu runs a profitable retail business. They are effectively buying market share and hoping in the years to come that market share will stick.”21

Grizzly Research, a market intelligence firm, warned that it believes Temu “is the Most Dangerous App in Wide Circulation.”22 The firm stated that the app “software has the full array of characteristics of the most aggressive forms of malware/spyware.” The firm found that “The app has hidden functions that allow for extensive data exfiltration unbeknown to users, potentially giving bad actors full access to almost all data on customers’ mobile devices.” This was by design: “It is evident that great efforts were taken to intentionally hide the malicious intent and intrusiveness of the software.”23

The research firm believes that Temu’s app is a technological successor to Pinduoduo, another PDD company focused on Chinese consumers. As noted earlier, in March 2023, Google suspended the Pinduoduo app from its Play Store due to security concerns after versions of the app outside of the Google ecosystem were identified with malware.24 Kevin Reed, the chief information officer of the cybersecurity firm Acronis, warned that Pinduoduo was “much more aggressive in collecting users’ information and obviously transfer it back to the company.”25

Temu is already the target of class-action lawsuits that allege it is violating its customers’ privacy. Filed in November 2023, one lawsuit representing seven plaintiffs claims that the “app is purposefully and intentionally loaded with tools to execute virulent and dangerous malware and spyware activities on user devices,” adding that “Temu misled people about how it uses their data.”26 Another, filed in September 2023, states that “[Temu] grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Breach.”27

The invasiveness of the Temu app is surveillance capitalism in the extreme. With its deep access, it can log user activity beyond that which takes place in the app, monitor emails and messages, activate the microphone and camera, and log user movements through GPS data and Wi-Fi connectivity. These data points are the dream of intelligence services the world over. Users are willingly downloading the app to their phones, negating the need for China’s Ministry of State Security to hack or phish targets.

Temu and the Chinese Communist Party

Like TikTok, Temu’s access to users’ devices and the data therein is deeply problematic. Of course, many popular apps require deeper access to these devices than may otherwise seem necessary, but these companies act within the confines of existing legal frameworks that provide recourse for abuse and have inbuilt legal separations from government intrusion. This is naturally not the case with Temu and other Chinese-owned apps. Like TikTok, Temu’s corporate ownership and legacy linkages to the People’s Republic of China create concerns about CCP influence over the company and the ability of Beijing to compel PDD Holdings to comply extraterritorially with PRC law.

Temu is owned by PDD Holdings, which began operations as the China-based Pinduoduo before a rebranding in 2023. Temu was formally established in Boston, Massachusetts, in September 2022 and is part of PDD Holdings.28 PDD Holdings is incorporated in the Cayman Islands, but its corporate headquarters—initially based in Shanghai, China—relocated to Dublin, Ireland, in 2023.29 In the company’s corporate filings, it notes that “the operations of the businesses that we own and operate in China are subject to PRC laws and regulations.”30

According to research from the Australian Strategic Policy Institute, PDD Holdings, Temu’s parent company, is linked to the state-owned, and therefore Central Committee–controlled, People’s Data Management.31 While what data PDD Holdings and Temu share with People’s Data is unclear, what is clear is the role that the company plays in the CCP’s efforts to control both data and media. “A wholly owned subsidiary of Beijing People’s Online Network Co. Ltd,” People’s Data is “the business front of the People’s Daily Public Opinion Data Centre.”32 The company “appears to focus on data sharing between government, enterprises and institutions and ensuring that they function effectively.”

As ASPI research indicates:

". . . it’s reasonable to assume that PDD Holdings’ data-sharing arrangement with People’s Data could also include sharing data generated through Temu. Temu’s privacy policy states that personal information may be shared with its ‘corporate parent, subsidiaries and affiliates’, as well as with ‘law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes.33"

It is not a stretch to suggest that Beijing could exert influence on PDD Holdings and Temu through the extensive presence PDD Holdings retains in China. These concerns are similar to those surrounding TikTok that were a key driver of calls for legislation for the sale of TikTok’s American operations or the cessation of operations in the United States entirely. In two worst-case scenarios, the CCP could compel Temu via PDD Holdings to provide user data and information, in concert with other hacked data sets—such as the 2015 Office of Personnel Management breach—to develop targeting matrices for human intelligence or influence operations.

While ostensibly prohibited from investing in overseas companies, PDD Holdings’ owners, like other Chinese entities, use opaque legal and ownership structures (noted above) to obfuscate the true ownership structure and circumvent Chinese investment laws. These owners are, nonetheless, obligated to comply with China’s National Intelligence Law. This law legally obligates Chinese citizens and companies to cooperate with the authorities if requested.

Article 7 of the law notes:

"All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.34"

Article 14 adds:

"National intelligence work institutions lawfully carrying out intelligence efforts may request that relevant organs, organizations, and citizens provide necessary support, assistance, and cooperation.35"

While there is as yet no evidence that Temu has provided the data it collects to the CCP, legal obligations could compel the company to provide it on request. As an individual dataset, the shopping habits of Americans are unlikely to be of interest to the Ministry of State Security or other entities. Combined with other datasets and using artificial intelligence (AI) to discern patterns of behavior, Temu’s data would be of value. Equally, the data that Temu can acquire from users’ devices would undoubtedly be of interest both in aggregate and against individual targets.

Perhaps more alarming is that, given the access Temu is believed to obtain on installation, a user’s device could potentially—in a worst-case scenario—become a node in a widespread distributed denial-of-service (DDoS) attack. The risks of these large botnets are already well known and have demonstrated their efficacy in the real world. What has not yet happened is the networking of individual phones to achieve the same effect. With nearly 83 million active users in the United States, that’s potentially 83 million phones—a staggeringly large potential botnet.36 Beyond the risks of DDoS attacks, the CCP could simply brick all the phones containing Temu or other Chinese software.

Conclusion

The attention that TikTok is receiving for its potential risks to U.S. privacy and national security is clearly warranted. If a threat is defined as capability plus intent, TikTok and its relationship with the CCP clearly meet that standard. The social media app has the capability to influence what U.S. users see, it collects unprecedented amounts of data, and it serves as a vessel for CCP narratives (or the restriction thereof).

At first glance, how could an e-commerce platform pose a similar threat? Rather easily, as it turns out.

Temu is collecting massive amounts of data from users who willingly download the app in pursuit of cut-rate prices. They are allowing Temu unparalleled access to not just their purchase history but also vastly more personal information and data—data Temu uses to refine its algorithms and push its products. These products are often in violation of existing U.S. law intended to prevent the Uyghur genocide and take advantage of loopholes to avoid paying duties. More ominously, the data Temu collects is unevenly secured and could be requisitioned by the CCP for intelligence and security purposes.

Policy Recommendations

The federal government and Congress must act on Temu to preserve U.S. persons’ data. While the federal government has many tools, it has hesitated to move due to complicated precedent-setting procedures. Several options should be examined:

  1. Federal Trade Commission 

    The Federal Trade Commission (FTC) is responsible for protecting consumers while ensuring a fair marketplace. China’s homegrown strategic support has catalyzed the development and global expansion of its digital platforms. This has created an imbalance of economic influence while collecting significant portions of personal data of unsuspecting users. 

    The FTC should investigate Temu’s deceptive practices, including false advertising, scams, and privacy violations. The FTC can also take legal action against companies that violate consumer protection laws. 
     
  2. Actioning the Data Security Executive Order in the Next Administration 

    The executive order issued by Biden significantly expands measures to secure Americans’ sensitive personal data from foreign adversaries.37 The order extends the scope of the national emergency declared in previous executive orders. It emphasizes the growing threat posed by countries of concern that seek to access bulk sensitive personal data and U.S. government-related data. This access enables these countries to engage in malicious activities, including espionage, influence operations, and cyberattacks, leveraging advanced technologies such as AI to exploit the data for strategic advantages. 

    To mitigate these risks, the executive order outlines policies to restrict the access of countries of concern to sensitive data. It emphasizes securing data flows while maintaining vital economic and trade relationships. In coordination with the secretary of homeland security, the order mandates the attorney general to issue regulations prohibiting or restricting transactions that could allow countries of concern to access bulk sensitive personal data. These regulations will identify prohibited and restricted transactions and establish security requirements to mitigate risks. 

    The order also highlights the threats posed by indirect access through entities controlled by countries of concern. It recognizes that countries with inadequate legal safeguards may compel entities to provide access to sensitive data. The order directs relevant agencies to propose rules and regulations to address these risks, ensuring that any access to data by countries of concern is effectively mitigated. 

    The next administration would do well to continue this executive order and, more importantly, action its relevant policies across the federal government. As the Department of Justice promulgates regulations, data-scraping applications such as Temu should be a main driver for how these regulations are written. 
     
  3. Supporting and Executing the Information and Communications Technology and Services Program 

    The mission of the Information and Communications Technology and Services (ICTS) program office at the Department of Commerce is to assess and manage risks associated with ICTS transactions that involve foreign adversaries, ensuring that sensitive data and communications infrastructure are protected from espionage, cyber threats, and other malicious activities. 

    Here, too, the next administration would do well to continue the policies of its predecessor and further act upon the legal and programmatic framework already in place. By issuing regulations and overseeing compliance, the ICTS office can prevent foreign apps such as Temu, which pose national security risks, from accessing critical data and infrastructure. This oversight helps maintain the integrity and security of the U.S. information and communications technology landscape while supporting the safe and secure operation of essential services and apps within the country. 
     
  4. Targeted Legislation

    In 2024, Congress introduced, and Biden signed into law, precedent-setting legislation, the Protecting Americans from Foreign Adversary Controlled Applications Act, which specifically targeted the forced divestiture of TikTok.38 Unfortunately, this legislation does not protect against other nefarious apps, as it focuses solely on TikTok. Rather than adopt an app-by-app approach, the next Congress should look to expand this legislation to target any applications that are CCP owned, operated, or affiliated and which are determined to represent a clear danger to American data security.

Diane Rinaldo is a senior associate (non-resident) with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

This report is made possible by general support to CSIS. No direct sponsorship contributed to this report.

Please Consult PDF for references.
