Chinese Marketplace Temu Faces Class Action Lawsuit for Spyware and Malicious Business Practices.

Introduction

Temu is an e-commerce site that has taken the world by storm. Only 12 months after its launch, the site has become one of the largest digital marketplaces, behind Amazon and its biggest competitor: Shein. Temu’s parent company, PDD Holdings, is one China’s most lucrative commerce groups, with an estimated enterprise value of $157 billion.

 

Collectively, Temu and Shein are responsible for approximately 30% of daily imports to the US. Their business models are essentially identical; they both offer a wide range of products at incredibly low prices to entice buyers.

 

Loss-leading marketplaces rely on impulse purchases to remain operational. Their profits are not generated from the sale of products – it is estimated that Temu loses roughly $30 on each order. Instead, companies operating under this model gain much of their revenue by selling user information, such as shopping habits, to advertisers.

 

However, Temu has recently come under scrutiny for its immoral and malicious business practices. In addition to an ongoing investigation by the US government for reliance on slave labour, Temu has recently faced allegations of failing to adequately protect the personal data of its users. This article provides an insight into this legal action.  

 

The Lawsuit Against Temu

The lawsuit has been brought against Whaleco Inc. (TEMU) by an individual named Eric Hu on behalf of himself and other individuals. It is submitted that the website fails to secure user’s personal data. This includes sensitive data such as the user’s name, address, email address, financial information, phone number and biometric data (such as face ID).

 

The theft of such information was made possible due to Whaleco’s disregard and continuous defiance of industry safety standards. In an effort to save money, Whaleco decided against implementing commonplace security measures, meaning personal information was left compromised. In addition, it is suggested that the Temu application contains spyware and actively compiles user data.

 

Grizzly Research analysed Temu’s software. Their findings are referred to throughout this case. Their report includes an analysis of several online marketplaces – including Temu, Shein and Amazon – and various functions found within their respective code which violate user privacy. Some of these functions, such as access to the device’s camera, are industry standards and are often necessary for the optimum functionality of an application. For example, this includes the user being required to take a screenshot of their order confirmation when requesting a refund.

 

However, the more concerning part of Grizzly Research’s report is Temu’s use of all the functions deemed to be invasive and inappropriate. No other marketplace included within the research utilises all these functions. Moreover, some functions are exclusively utilised by Temu. An example of such is the function ‘getRuntime.exec()’. This technical command essentially may allow the production of a new program within the application itself once launched on a device. This secondary program could, in theory, operate as a form of spyware.

 

It must be noted that Grizzly Research’s report does appear prejudicial against the Temu application. Whilst there is no evidence provided to demonstrate that these intrusive functions are actually operating on the Temu application, their presence may still be called into question.

 

A History of Malware

This is not the first instance of a PDD Holdings e-commerce platform being exposed for unethical practices. Its other online marketplace, Pinduoduo, was removed from the Google app store in March 2023 as the application contained malware which exploited a vulnerability in the Android Operating System (OS). This vulnerability allowed the Pinduoduo app to perform functions with elevated privileges – meaning the application was capable of running commands that were beyond what was permitted on the OS. Thus, the company was able to spy on its users and ascertain their shopping habits. Moreover, it was also possible for private messages to be read and user settings to be changed by the exploitation of this vulnerability.

 

Conclusion

Whilst the allegations presented in the lawsuit remain unproven, the evidence provided by Grizzly Research can be seen as compelling, especially when considering the history of Temu’s parent app – Pinduoduo.

 

This article is intended to be impartial and does not serve to provide an opinion on the lawsuit.

 

By Alexander McLean

Editors-In-Chief The Corporate Law Journaltemu, marketplace, online, digital, internet, detail, security, lawsuit, actionComment