Export Compliance Daily is a Warren News publication.
'Unauthorized Withdrawals'

'Ultra-Fast' Shopping App Steals Customers' Personal Data, Says Complaint

Temu failed to secure and safeguard customers’ personal data, enabling hackers to steal their personal and financial data and put that information at “serious and ongoing risk,” alleged a fraud complaint (docket 1:23-cv-06962) Wednesday in U.S. District Court for Eastern New York in Brooklyn.


Plaintiff Eric Hu of Queens County, New York, registered with Temu in August and made purchases from the e-commerce company, said the complaint. While using the Temu app, Hu clicked on links to external, third-party websites where he completed his purchases and entered private data, including his credit card information, the complaint alleged. Temu “surreptitiously collected data” about Hu’s use of third-party websites without his knowledge or consent, it said.

The complaint describes Temu as an “ultra-fast” fashion company, whose technology and “highly efficient supply chains” allow it to meet customer demand for “cutting-edge fashions at ultra-low prices.” It cited a December Wall Street Journal article saying Temu is the “most downloaded app in the U.S.”

The Better Business Bureau, which has received over 900 consumer complaints about Temu, issued a warning that the app “collects all kinds of information, from your name, phone number, and address to your birthdate, social media photos, and social security number.” Among the complaints were reports of “unauthorized withdrawals from bank accounts and credit card purchases soon after the consumer began purchasing on Temu.” The app automatically collects data from a consumer’s phone, tablet, or laptop, including operating system, browsing history and location data, the complaint said.

China-based PDD Holdings owns Temu, as well as Pinduoduo, a shopping app that was pulled from Google’s app store “due to the presence of malware that exploited vulnerabilities in the Android operating system to spy on users and competitors,” according to a March Reuters report. Pinduoduo had a team of 100 engineers and product managers “dig for vulnerabilities” in Android phones, devise ways to exploit them “and turn that into profit,” said the article.

Cybersecurity experts labeled the Pinduoduo app as “malware” because it can bypass a user’s cellphone security to monitor activity on other apps, check notifications, read private messages and change settings, said the complaint, citing an April CNN article.

Temu’s app has “‘self-compiling software’ that circumvents its user’s phone’s malware detection ability and allows Temu to illegally steal user data,” the complaint said, citing a September article from The Week. Its use of “dynamic compilation” and “package compile” allows “unbounded use of exploitative methods,” the complaint said.

The Android version of the Temu app “intentionally fails” to list many permissions of its source code in its Android manifest file, and permissions requests for camera, record audio, write external storage, install packages and access fine location are not listed, “despite being the most intrusive,” the complaint said. The app can collect “any and all files from the user’s devices to send to their own servers, with little or no encryption,” it said.

“Temu allowed widespread and systematic theft of its customers’ personal identifying information,” and its actions didn’t “come close” to meeting the standards of commercially reasonable steps that should be taken to protect customers’ personal identifying information, it said.

Plaintiff’s claims include violations of the Electronic Communications Privacy Act, Computer Fraud and Abuse Act and New York General Business Law, plus trespass to personal property/chattels and unjust enrichment. Hu seeks an order requiring Temu to pay actual damages and punitive damages, pay for not less than three years of credit card monitoring services, pay statutory damages as provided by the New York Deceptive Acts and Practices Law and other applicable state consumer fraud laws, and pay attorneys’ fees and legal costs. Temu couldn't be reached for comment.