Data privacy risks imposed by new e-commerce app Temu

A shopping app that didn’t exist four months ago might be changing the game of e-commerce, however, experts say it’s also raising concerns about data privacy risks for Canadians.

Garnering conflicting reactions from customers throughout Canada and the US, Temu has been making waves on social media platforms over the last two months. The one-stop-shopping service recently became one of North America’s most downloaded free apps on both the App Store and Google Play, thanks in part to its reputation of offering steep discounts on a vast assortment of products, along with opportunities for credit incentives through encouraging sign-up offers.

However, one cybersecurity expert warns that Temu, like any e-commerce app that doesn’t fall under Canadian data protection laws, could present a risk that more shoppers should evaluate.

“Within the last year or so there has been increasing concern about spying from foreign states,” Fred Nerenberg, a senior cybersecurity consultant at a Canadian security firm, told over the phone. “But when it comes to people’s data, you are forfeiting your personal information and your browsing habits and your interests to a company that may or may not have ties to foreign governments where data would be subject to ownership by those foreign states,” he said. explained.

Temu’s parent company, PDD Holdings, is publicly traded on the New York Stock Exchange. The company has subsidiaries primarily registered in China—meaning it could be subject to regulation by Chinese authorities. This is according to a report by the US-China Economics and Security Revision Commission (USCC), which warned that the company’s Chinese ownership raises concerns about cybersecurity, data privacy, and national security concerns.

But how could online shopping present such a digital threat?

“You’re essentially at the mercy of what those companies are doing with your data,” Nerenberg explained, referring to the wide net of data-collection of these e-commerce services cast. “I think what they choose to do with it is sort of up in the air. It’s under a different jurisdiction.”

Nerenberg said “quite a bit of information about your clientele” can be inferred based solely on browsing habits.

Apps like Temu, he said, can collect metadata that reveals how long customers have looked at certain products and how many times they visited certain pages. This can be used to build data profiles that allow companies to precisely target people with ads that feature products they will be more inclined to purchase.

Nerenberg says the threat could apply to all e-commerce services with international distribution.

According to Forbes, Target once figured out one of its teenaged customers was pregnant before her father did, based on her online browsing data.

“These companies could theoretically build those same profiles. So it’s no different than the companies here, but how is that information being used by foreign states?”

Temu is an off-shoot of Pinduoduo, a Chinese e-commerce giant. As reported by CNN, Pinduoduo was found to be capable of bypassing users’ mobile security software to monitor activities on other apps—including checking notifications and reading private messages. According to a CNN investigation involving cybersecurity researchers in Asia, Europe and the US, malware on the Pinduoduo app exploited security vulnerabilities in Android operating systems in order to gain access to data not normally accessible by apps.

Nerenberg cautions against pursuing flashy online discounts while ignoring privacy concerns.

“Just because you’re being offered a cheaper product doesn’t necessarily mean that you are getting the better end of the deal,” he said.

“Keep in mind where you are forfeiting your data to. How is that data going to be used, and if it’s against your risk profile, then why are you using it anyway? has reached out to Temu for comment and is still awaiting a response.