Montreal lawsuit alleges the Temu app taking users' biometric information: Q&A
A Montreal lawyer wants to file a class action lawsuit against the Chinese-owned discount shopping app Temu, alleging that customers' data was stolen.
CTV News anchor Maya Johnson spoke with lawyer Andrea Grass about the lawsuit and what Quebecers should know about Temu.
Watch the full interview above. Some questions and answers have been edited for grammar.
Temu contacted CTV News in response to the interview and "categorically deny the allegations in the lawsuit and intent to vigorously defend ourselves against them."
"The complaint is essentially taken from a short-seller report by Grizzly Research, which has stated clearly that its reports are not based on statements of fact," said senior consultant Maude Samson.
Temu's complete statement is posted at the bottom of the interview.
Maya Johnson
Let's get into what this company is all about. It was founded in Boston in 2022, [and it's] Chinese-owned. How much more do we know about who is behind it?
Andrea Grass
So we sued three defendants. There's WhaleCo, which is in Boston, and is also in British Columbia. And then there's the real one behind it all called PDD Holdings Inc., and that's the Chinese company. WhaleCo is a subsidiary of PDD, which was in China, and now is in Ireland.
Maya Johnson
So we can already see it's starting to get complex here. You're based here in Quebec. Why are you seeking a class action lawsuit on behalf of Quebecers?
Andrea Grass
People around the world had their data stolen, including people in Quebec, so we filed the class action on behalf of Quebec residents, but anybody who downloaded the Temu app, or had electronic communications with Temu users, or had their data stored on devices used by Temu users. And so we filed this class action in Quebec on behalf of Quebec residents, to protect these consumers.
Maya Johnson
So there are two ways that you can purchase through Temu. You can use the app, as you mentioned, or you can just go directly to their website, and you're arguing that this company is taking people's private data. What kinds of things are we talking about here? What does the company have access to that is raising so many concerns?
Andrea Grass
The problem with Temu, and I think a lot of companies do take your data, certain data, maybe your email address might not be as offensive. But Temo is taking your biometric information. So what we're talking about is facial characteristics and your fingerprints, and voiceprints, and your geospatial exact location. And none of this is even remotely relevant to trying to purchase anything online. If you're trying to buy a doll, or plates, or clothing, they don't need your facial characteristics for that. And so they're taking this information, and we don't know what they're doing with it.
Maya Johnson
So that's a concern that we don't know what they're using this information for, and they're just able to get into your phone through your app and take that?
Andrea Grass
So it was bypassing your phone's regular security settings and taking things that your phone would normally not allow it to take. I think we're more familiar with these terms today, but malware and spyware on your phone.
Maya Johnson
That's unbelievable. I think that's probably pretty scary for people who are watching right now, and, oftentimes, when we go online, when we're just navigating through different websites, we click on things like agree without thinking. I'm wondering if this could be a similar situation where people are consenting to things that they might not even be aware of.
Andrea Grass
So with the Temu app, they definitely did ask for permission for certain items. I never downloaded the Temu app myself to see exactly what it does ask for, but I can say that it's not asking for your biometrics. It would be asking you for regular things, maybe your wireless network. I usually would have downloaded the Temu app, but I didn't want to download the Temu app because of the allegations against what Temu was doing when you download the app. We can say that they are asking for certain permissions, but not all permissions, and they're secretly collecting your information, and they're likely misappropriating it. They're asking you some and not others and our case is more about what they haven't asked for.
The following is Temu's full statement:
At Temu, safeguarding privacy and maintaining transparency in our data practices are core values. We collect information with a clear and singular purpose: to provide and continually enhance our products and services for our users. Our practices are in line with industry practices and clearly disclosed in our Privacy Policy.
When disclosing data collection practices, we adhere to the principle of maximum disclosure. If there's a possibility that data will be collected in any given scenario, we disclose it. This is in line with the requirements for developers set by application marketplaces like Apple's App Store and Google Play Store. However, when it comes to the actual collection and use of data, we follow the principle of minimality, meaning we only collect and use data necessary for specific, justified scenarios.
Even though the Grizzly Research report was completely groundless, we recognize the need to communicate our data practices and security protocols to users in an open and transparent manner, and have taken steps to improve the communication.
Temu has added a permissions section in the Temu app and website to clearly elaborate on what permissions they require to ensure data minimization and transparency.
In November 2023, Temu partnered with San Francisco-based cybersecurity agency HackerOne to offer a bug bounty program. Temu joins the likes of Amazon, Google, Tesla and Facebook in using HackerOne’s platform to connect and reward ethical hackers for successfully discovering and reporting security vulnerabilities. We have also rolled out two-factor authentication (2FA) in November as an additional layer of security protection.
In February 2024, Temu received the Mobile Application Security Assessment (MASA) certification from Berlin-founded DEKRA, the world's largest independent provider of testing, inspection, and certification services. DEKRA is one of six labs authorized by Google to conduct the MASA test, which involves testing an app for vulnerabilities, assessing data protection mechanisms, and ensuring compliance with best practices in mobile application security.
Temu considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. We are committed to collaborating with various stakeholders to identify and address vulnerabilities, increasing the transparency of security testing, and ensuring the safety of our businesses and customers. Users can rest assured that shopping on Temu is safe.
CTVNews.ca Top Stories
W5 Investigates A 'ticking time bomb': Inside Syria's toughest prison holding accused high-ranking ISIS members
In the last of a three-part investigation, W5's Avery Haines was given rare access to a Syrian prison, where thousands of accused high-ranking ISIS members are being held.
As Australia bans social media for children, Quebec is paying close attention
As Australia moves to ban social media for children under 16, Quebec is debating whether to follow suit.
Irregular sleep patterns may raise risk of heart attack and stroke, study suggests
Sleeping and waking up at different times is associated with an increased risk of heart attack and stroke, even for people who get the recommended amount of sleep, according to new research.
California man who went missing for 25 years found after sister sees his picture in the news
It’s a Thanksgiving miracle for one California family after a man who went missing in 1999 was found 25 years later when his sister saw a photo of him in an online article, authorities said.
Trudeau Liberals' two-month GST holiday bill passes the House, off to the Senate
The federal government's five-page piece of legislation to enact Prime Minister Justin Trudeau's promised two-month tax break on a range of consumer goods over the holidays passed in the House of Commons late Thursday.
Nick Cannon says he's seeking help for narcissistic personality disorder
Nick Cannon has spoken out about his recent diagnosis of narcissistic personality disorder, saying 'I need help.'
Notre Dame Cathedral: Sneak peek ahead of the reopening
After more than five years of frenetic reconstruction work, Notre Dame Cathedral showed its new self to the world Friday, with rebuilt soaring ceilings and creamy good-as-new stonework erasing somber memories of its devastating fire in 2019.
Canada Post temporarily laying off striking workers, union says
The union representing Canada Post workers says the Crown corporation has been laying off striking employees as the labour action by more than 55,000 workers approaches the two-week mark.
Can't resist Black Friday weekend deals? How to shop while staying within your budget
A budgeting expert says there are a number of ways shoppers can avoid getting enveloped by the sales frenzy and resist spending beyond their means.