Looking Beyond TikTok – The Risks of Temu

The explosion of the app economy enabled by 4G technology created new opportunities for workers in the gig economy, new markets for e-commerce businesses, and unprecedented access to information for consumers. It also created new network vulnerabilities and new security risks, both criminal and increasingly nation-state, with which governance and oversight have not kept pace.

Temu, Strategic Competition & the Chinese App Ecosystem

In 2024, the U.S. government passed legislation that would force ByteDance, the parent company of the wildly popular social media app TikTok, to divest its ownership due to its ties to the Chinese Communist Party (CCP). Legislators and security officials raised alarm that the app would allow the Chinese Communist Party access to user data and provide a vehicle for Party propaganda and censorship. 

TikTok is, however, just one of a growing ecosystem of Chinese-owned, -backed, or -connected apps that pose national security threats. Temu, a fast-fashion e-commerce platform, represents another growing concern. While it lures customers with low prices, Temu’s app gains access to extensive user data—well beyond that needed for a good customer experience—and has ties with CCP authorities. This potentially makes Temu a serious threat to both privacy and national security.

Most Americans were first exposed to Temu through the company’s aggressive marketing blitz during this year’s Super Bowl. Thanks to that campaign, Temu, a direct-to-consumer e-commerce platform for fast fashion and cheap goods, quickly became the most downloaded app for a time. Temu’s business model raises concerns not only about counterfeit and poor-quality goods, but also about privacy violations, forced labor practices, and potential cybersecurity vulnerabilities.

Circumvention of U.S. Law

Temu is a subsidiary of PDD Holdings, the parent company of China’s Pinduoduo. It has gained popularity by offering low-priced goods that bypass traditional retailers, shipping directly from Chinese factories. Temu’s rapid growth is due in part to its exploitation of loopholes in U.S. customs regulations, particularly the de minimis rule, which allows goods valued under $800 to enter the country with minimal scrutiny and without paying customs duties. The retailer Gap paid $700 million in duties on imports in 2022, while Temu paid none. This not only gives Temu an unfair competitive advantage but also allows counterfeit and illicit goods to enter the U.S. market.

Temu has also not demonstrated compliance with the Uyghur Forced Labor Prevention Act (UFLPA), raising concerns that some of its products may be linked to forced labor practices in China. The UFLPA is designed to prevent products made with exploited Uyghur labor from reaching U.S. consumers. Temu’s lack of transparency puts it at odds with these regulations.

Temu, Privacy, & Data Collection

What makes Temu of particular concern is its potential access to user data and linkages with the Chinese Communist Party. Despite a revised web of complex ownership structures, Temu could still be subject to China’s National Intelligence Law, which compels Chinese companies to assist with state intelligence activities. This gives the CCP potential access to sensitive information on millions of American users. Unlike Western companies, which operate under strict legal frameworks that protect consumer privacy, Chinese companies are obligated to cooperate with government surveillance efforts. 

Moreover, Temu, through its parent company, is directly linked to a company, People’s Data, that is, effectively, an arm of the Chinese Communist Party and the Central Committee. According to the Australian Strategic Policy Institute, People’s Data is directly involved in the Party’s efforts to control both media and data. While it is unclear what data Temu or PDD Holdings shares with People’s Data, it is not unreasonable to raise concerns about the connection between the e-commerce platform and an arm of the Central Committee’s propaganda efforts.

Grizzly Research, a market intelligence firm, described Temu as "the most dangerous app in wide circulation." The firm warned that Temu’s app has hidden functions designed for extensive data exfiltration and operates like advanced malware. Temu’s data collection practices go far beyond what is necessary for an e-commerce platform. The app requests extensive access to users’ devices, including sensitive information like location data, contact lists, and even microphone and camera access. In 2023, the parent company’s sister app, Pinduoduo, was removed from the Google Play store due to concerns about malware. Security experts have warned that Temu’s app could function as spyware, harvesting personal data and enabling the CCP to conduct surveillance or even cyberattacks. Taken together, these issues raise concerns that Temu is not just an e-commerce platform but a data collection tool with serious national security implications. 

While much attention has rightly focused on TikTok, Temu represents an equally dangerous threat worth increased government scrutiny. The app’s ability to collect large amounts of personal data and its potential deep access to user devices raise serious privacy and cybersecurity concerns. Given Temu’s ties to the CCP, this data could be exploited for, at best, targeted propaganda and surveillance, or at worst, cyberattacks.

The U.S. government must act to address these risks before Temu becomes as ubiquitous and problematic as TikTok. By leveraging existing regulatory frameworks, Congress and federal agencies can mitigate the risks posed by Temu and other foreign apps.

Policy Recommendations

  1. Federal Trade Commission (FTC) Investigation:
    The FTC should investigate Temu for deceptive practices, including privacy violations, false advertising, and forced labor links.
  2. Data Security Executive Order:
    President Biden’s executive order on data security should prioritize regulating foreign apps like Temu to prevent the exploitation of U.S. users' personal data.
  3. Information and Communications Technology and Services (ICTS) Program:
    The Department of Commerce’s ICTS office should assess the national security risks associated with Temu and take action to restrict its access to U.S. data.
  4. Targeted Legislation:
    Congress should pass legislation aimed at addressing foreign apps that pose national security threats, much like the recent legislation targeting TikTok.

Diane Rinaldo

Senior Associate