
Montreal lawsuit alleges the Temu app is taking users' biometric information: Q&A


A Montreal lawyer wants to file a class action lawsuit against the Chinese-owned discount shopping app Temu, alleging that customers' data was stolen.

CTV News anchor Maya Johnson spoke with lawyer Andrea Grass about the lawsuit and what Quebecers should know about Temu.

Watch the full interview above. Some questions and answers have been edited for grammar.

Temu contacted CTV News in response to the interview and "categorically deny the allegations in the lawsuit and intend to vigorously defend ourselves against them."

"The complaint is essentially taken from a short-seller report by Grizzly Research, which has stated clearly that its reports are not based on statements of fact," said senior consultant Maude Samson.

Temu's complete statement is posted at the bottom of the interview.

Maya Johnson

Let's get into what this company is all about. It was founded in Boston in 2022, [and it's] Chinese-owned. How much more do we know about who is behind it?

Andrea Grass

So we sued three defendants. There's WhaleCo, which is in Boston, and is also in British Columbia. And then there's the real one behind it all called PDD Holdings Inc., and that's the Chinese company. WhaleCo is a subsidiary of PDD, which was in China, and now is in Ireland.

Maya Johnson

So we can already see it's starting to get complex here. You're based here in Quebec. Why are you seeking a class action lawsuit on behalf of Quebecers?

Andrea Grass

People around the world had their data stolen, including people in Quebec, so we filed the class action on behalf of Quebec residents, but anybody who downloaded the Temu app, or had electronic communications with Temu users, or had their data stored on devices used by Temu users. And so we filed this class action in Quebec on behalf of Quebec residents, to protect these consumers.

Maya Johnson

So there are two ways that you can purchase through Temu. You can use the app, as you mentioned, or you can just go directly to their website, and you're arguing that this company is taking people's private data. What kinds of things are we talking about here? What does the company have access to that is raising so many concerns?

Andrea Grass

The problem with Temu, and I think a lot of companies do take your data, certain data, maybe your email address might not be as offensive. But Temu is taking your biometric information. So what we're talking about is facial characteristics and your fingerprints, and voiceprints, and your geospatial exact location. And none of this is even remotely relevant to trying to purchase anything online. If you're trying to buy a doll, or plates, or clothing, they don't need your facial characteristics for that. And so they're taking this information, and we don't know what they're doing with it.

Maya Johnson

So that's a concern that we don't know what they're using this information for, and they're just able to get into your phone through your app and take that?

Andrea Grass

So it was bypassing your phone's regular security settings and taking things that your phone would normally not allow it to take. I think we're more familiar with these terms today, but malware and spyware on your phone.

Maya Johnson

That's unbelievable. I think that's probably pretty scary for people who are watching right now, and, oftentimes, when we go online, when we're just navigating through different websites, we click on things like agree without thinking. I'm wondering if this could be a similar situation where people are consenting to things that they might not even be aware of.

Andrea Grass

So with the Temu app, they definitely did ask for permission for certain items. I never downloaded the Temu app myself to see exactly what it does ask for, but I can say that it's not asking for your biometrics. It would be asking you for regular things, maybe your wireless network. I usually would have downloaded the Temu app, but I didn't want to download the Temu app because of the allegations against what Temu was doing when you download the app. We can say that they are asking for certain permissions, but not all permissions, and they're secretly collecting your information, and they're likely misappropriating it. They're asking you some and not others and our case is more about what they haven't asked for. 

The following is Temu's full statement:

At Temu, safeguarding privacy and maintaining transparency in our data practices are core values. We collect information with a clear and singular purpose: to provide and continually enhance our products and services for our users. Our practices are in line with industry practices and clearly disclosed in our Privacy Policy.

When disclosing data collection practices, we adhere to the principle of maximum disclosure. If there's a possibility that data will be collected in any given scenario, we disclose it. This is in line with the requirements for developers set by application marketplaces like Apple's App Store and Google Play Store. However, when it comes to the actual collection and use of data, we follow the principle of minimality, meaning we only collect and use data necessary for specific, justified scenarios.

Even though the Grizzly Research report was completely groundless, we recognize the need to communicate our data practices and security protocols to users in an open and transparent manner, and have taken steps to improve the communication.

Temu has added a permissions section in the Temu app and website to clearly elaborate on what permissions they require to ensure data minimization and transparency.

In November 2023, Temu partnered with San Francisco-based cybersecurity agency HackerOne to offer a bug bounty program. Temu joins the likes of Amazon, Google, Tesla and Facebook in using HackerOne’s platform to connect and reward ethical hackers for successfully discovering and reporting security vulnerabilities. We have also rolled out two-factor authentication (2FA) in November as an additional layer of security protection.

In February 2024, Temu received the Mobile Application Security Assessment (MASA) certification from Berlin-founded DEKRA, the world's largest independent provider of testing, inspection, and certification services. DEKRA is one of six labs authorized by Google to conduct the MASA test, which involves testing an app for vulnerabilities, assessing data protection mechanisms, and ensuring compliance with best practices in mobile application security.

Temu considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. We are committed to collaborating with various stakeholders to identify and address vulnerabilities, increasing the transparency of security testing, and ensuring the safety of our businesses and customers. Users can rest assured that shopping on Temu is safe.