0x815

joined 2 years ago
 

Massive Attack has canceled a show in Georgia scheduled for July 28, saying the decision was made “in protest of the Georgian government’s attack on basic human rights.” The British band says that playing at the state-owned Black Sea Arena stage “could be seen as an endorsement of their violent crackdowns against peaceful protests and civil society.”

Hours before the band’s statement, the Black Sea Arena announced the cancellation of the show, but the management generally cited “unforeseen circumstances” as the reason.

However, against the backdrop of the current political crisis and the campaign of repression in recent months amid the infamous foreign agents law, the band says: “Beatings, arrests, threats, and violence against peaceful activists, and opponents, along with laws smearing civil society and denying LGBTI rights, go against everything we stand for.”

The band expresses solidarity with the peaceful protesters in Georgia, stressing “their struggle needs to be under the international spotlight.” “We will return and perform with you in freedom,” the statement concludes.

In late April, the Shame Movement, a local CSO, wrote to Massive Attack, expressing its excitement for the band’s upcoming show in Georgia, but urging them to acknowledge the “serious and alarming political context” in which their event would take place. In its letter, the Shame movement cited the Georgian government’s massive attack on civil society, independent media, socially vulnerable groups, the LGBTQIA+ community, women, ethnic, religious and other minorities, and informed the band of the domestic political situation, including various anti-democratic laws pushed by the GD government and repression against citizens.

“Your upcoming performance at the Black Sea Arena – a venue constructed by Ivanishvili and now funded by the state – risks being manipulated as part of the Georgian Dream’s pre-election tactics to divert public attention from pressing issues and obscure these critical concerns during the electoral period,” the Shame movement’s letter to Massive Attack read, adding: “Knowing that Massive Attack champions justice, freedom of expression, civil activism, and LGBTQ+ rights, we ask you to familiarise yourselves with the alarming political climate in Georgia.”

Today, when Massive Attack’s decision was made public and quickly went viral, some GD MPs blamed the Shame movement for misleading the band, resulting in their decision to cancel the show.

“[The shame movement] bullied and depressed these people [Massive Attack] so much that they forgot everything… that an art is an art…” said GD MP Irakli Kadagishvili.

“While the Georgian government created an opportunity for the concert of Massive Attack, Salome Zurabishvili and her followers took it away from you,” said Deputy Speaker of Parliament, GD MP Nino Tsilosani.

 

- Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said.

- The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on FortiGate appliances inside the Dutch Ministry of Defense.

- Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware.

Enter CoatHanger

The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on FortiGate appliances inside the Dutch Ministry of Defense. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when they were rebooted or received a firmware update. CoatHanger could also escape traditional detection measures, the officials warned. The damage resulting from the breach was limited, however, because infections were contained inside a segment reserved for non-classified uses.

On Monday, officials with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service in the Netherlands said that to date, Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

“Since then, the MIVD has conducted further investigation and has shown that the Chinese cyber espionage campaign appears to be much more extensive than previously known,” Netherlands officials with the National Cyber Security Center wrote. “The NCSC therefore calls for extra attention to this campaign and the abuse of vulnerabilities in edge devices.”

Monday’s report said that exploitation of the vulnerability started two months before Fortinet first disclosed it and that 14,000 servers were backdoored during this zero-day period. The officials warned that the Chinese threat group likely still has access to many victims because CoatHanger is so hard to detect and remove.

Netherlands government officials wrote in Monday’s report:

Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475. Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access.

It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data.

Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.

Fortinet’s failure to disclose promptly is particularly serious given the severity of the vulnerability. Disclosures are crucial because they help users prioritize the installation of patches. When a new version fixes only minor bugs, many organizations wait to install it. When it fixes a vulnerability with a 9.8 severity rating, they’re much more likely to expedite the update process. Given that the vulnerability was being exploited even before Fortinet fixed it, the disclosure likely wouldn't have prevented all of the infections, but it stands to reason it could have stopped some.

Fortinet officials have never explained why they didn’t disclose the critical vulnerability when it was fixed. They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities. Company representatives didn’t immediately respond to an email seeking comment for this post.

 

Russia’s Supreme Court has banned the vaguely defined “Anti-Russian Separatist Movement” as an “extremist” organization, the independent news website Mediazona reported Friday.

Rights groups say they have not been able to find a formal organization called the “Anti-Russian Separatist Movement,” leading to speculation that the authorities could use the designation as a pretext for wider criminal prosecutions of anti-war, anti-colonial or Indigenous rights activists.

Russia’s Justice Ministry, which initiated the “extremism” claim in April, defined the “anti-Russian separatist” group as an “international public movement to destroy the multinational unity and territorial integrity of Russia.”

Mediazona said its correspondent asked a ministry official ahead of the hearing to rule on the designation whether they “have any guesses” about what constitutes an “anti-Russian separatist movement.”

“We don’t just guess, we know,” the Justice Ministry official was quoted as saying without commenting further.

Russia’s Supreme Court designated both the “Anti-Russian Separatist Movement” and its “structural divisions” after convening a closed-door hearing Friday, Mediazona said. The designation means anyone convicted of association with the vaguely defined organization could be imprisoned for up to six years.

The court previously banned the similarly nonexistent “Ya/My Furgal movement” in support of a jailed ex-governor, as well as the “international LGBT public movement,” which has prompted a sweeping crackdown on public displays of LGBTQ+ identities and lifestyles.

 

Temu, a popular marketplace where consumers can buy direct from factories overseas at cheap prices, is drawing concerns from lawyers and privacy experts in North America who allege the shopping app can be “invasive” for unwitting users.

Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois, which have not been certified. A third class action was filed in Quebec in March.

Many Canadians might first have been exposed to Temu during the Super Bowl this year or last, where the company took out multiple ads encouraging viewers to “shop like a billionaire.”

The app and online storefront sell cheap clothing, electronics, furniture and more from overseas manufacturers based largely in China. Temu’s website says the company was founded in Boston in 2022, but it’s a subsidiary of Shanghai-based PDD Holdings, a multinational commerce group established in 2015 in China.

PDD Holdings on Wednesday became the largest e-commerce player in China by market valuation, topping rival giant Alibaba, according to a CNBC report citing LSEG data.

The allegations about Temu’s deep reach into user data come as governments in both Canada and the United States grapple with privacy concerns around apps like TikTok, another Chinese-owned platform.

Temu has also earned comparisons to China’s ultra-fast-fashion giant Shein among industry observers for its factory-to-consumer business model.

As of May 31, Temu is the top free app on the Apple App Store and Google Play Store in Canada.

Class-action lawsuits filed in U.S., Quebec

Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois.

A third class action was filed in Quebec in March, but is not yet certified and is reserved to residents of the province.

All suits filed cite various privacy complaints among users of the Temu app.

Jeff Orenstein, lawyer at the Consumer Law Group that filed the Quebec suit, says the permissions the Temu app asks for when you download it do not adequately detail how “invasive” the program can be.

The Consumer Law Group’s class-action complaint alleges that Temu’s app can access data via your phone’s camera, photos, messages, contacts and other apps.

“Some of the things that were picked up that the app is looking at are things that really have nothing to do with the functionality of the app,” he tells Global News.

Consumer Law Group alleges that these privacy violations are intentional on Temu’s part. The firm is seeking damages for violating individuals’ charter-protected rights to privacy and an injunction to prevent the app from taking the data in Quebec.

Temu, a popular marketplace where consumers can buy direct from factories overseas at cheap prices, is drawing concerns from lawyers and privacy experts in North America who allege the shopping app can be “invasive” for unwitting users.

Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois, which have not been certified. A third class action was filed in Quebec in March.

Many Canadians might first have been exposed to Temu during the Super Bowl this year or last, where the company took out multiple ads encouraging viewers to “shop like a billionaire.”

The app and online storefront sell cheap clothing, electronics, furniture and more from overseas manufacturers based largely in China. Temu’s website says the company was founded in Boston in 2022, but it’s a subsidiary of Shanghai-based PDD Holdings, a multinational commerce group established in 2015 in China.

PDD Holdings on Wednesday became the largest e-commerce player in China by market valuation, topping rival giant Alibaba, according to a CNBC report citing LSEG data.

The allegations about Temu’s deep reach into user data come as governments in both Canada and the United States grapple with privacy concerns around apps like TikTok, another Chinese-owned platform.

Temu has also earned comparisons to China’s ultra-fast-fashion giant Shein among industry observers for its factory-to-consumer business model.

As of May 31, Temu is the top free app on the Apple App Store and Google Play Store in Canada.

Class-action lawsuits filed in U.S., Quebec

Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois.

A third class action was filed in Quebec in March, but is not yet certified and is reserved to residents of the province.

All suits filed cite various privacy complaints among users of the Temu app.

Jeff Orenstein, lawyer at the Consumer Law Group that filed the Quebec suit, says the permissions the Temu app asks for when you download it do not adequately detail how “invasive” the program can be.

The Consumer Law Group’s class-action complaint alleges that Temu’s app can access data via your phone’s camera, photos, messages, contacts and other apps.

“Some of the things that were picked up that the app is looking at are things that really have nothing to do with the functionality of the app,” he tells Global News.

Consumer Law Group alleges that these privacy violations are intentional on Temu’s part. The firm is seeking damages for violating individuals’ charter-protected rights to privacy and an injunction to prevent the app from taking the data in Quebec.

In response to these claims, a Temu spokesperson told Global News the app collects “the minimum information necessary” to deliver its services.

“We categorically deny the allegations in these lawsuits and intend to vigorously defend ourselves against them,” an emailed statement read.

Temu denies overreach

The spokesperson pointed Global News to the “permissions” section of the Temu website, which states that access to contacts, calendars, microphones and Bluetooth is not requested by the app.

Temu says the camera may be used on iOS devices when using pictures to leave reviews or search via image for a product. Temu does not request full permissions to a smartphone’s photos app, the website says, but can use a device’s “built-in image picker” – an interface that allows users to choose from pictures on their device in-app – without giving complete access to the photo archive.

Temu also does not ask for location access in “most countries,” including Canada, according to the disclaimer. The listed exception is the Middle East, where Temu says location data helps users fill in shipping addresses.

Orenstein says much of the Consumer Law Group suit is based on a September 2023 report from Grizzly Research, a U.S.-based firm that identifies short-selling opportunities on equity markets.

Grizzly lambasted Temu as “the most dangerous app in wide circulation” in a report on its parent company, PDD Holdings.

Security issues in the Temu app amount to “spyware,” the report published last September argues. It claimed that the reach of the app goes far beyond what’s listed upfront in the company’s privacy policy, with the potential to access more of a phone’s file system than a user intended.

The Grizzly report is based on publicly available information and the firm says it engaged a team of unnamed cyber experts to back up its warnings. Grizzly said it stands by its research but also includes a disclaimer that the report is opinion only and should not be treated as a “statement of fact.”

In an email to Global News, Temu also denied allegations that its application amounts to spyware and dismissed the Grizzly report as unfactual. A spokesperson pointed to the app’s listings on Google’s Play Store and Apple’s App Store, which they said “rigorously screen apps for malware and spyware.”

Grizzly compares the app to TikTok, which has come under threat of ban in the U.S. unless its Chinese owners ByteDance Ltd. sell to an American firm, and is the subject of a national security review in Canada.

ByteDance has sued to prevent the U.S. ruling from coming into effect on Jan. 19, 2025, and has denied claims that TikTok poses a security risk.

The head of Canada’s national spy agency recently said TikTok is a “real threat” to users’ data security because of the app’s Chinese ties, a warning Prime Minister Justin Trudeau said Canadians ought to heed. TikTok has previously denied it provides data to the Chinese government in a statement to Global News.

But Temu is “demonstrably more dangerous than TikTok,” the Grizzly report argues, and should be removed from app stores as a result.

Global News reached out to both Apple and Google to ask whether Temu’s privacy policies satisfy their respective app stores and whether the platforms have taken action to address data security complaints. Neither company has responded with comment.

Why is this such a big deal?

Rob D’Ovidio, associate professor at Drexel University in Philadelphia, is one of the privacy experts sounding the alarm about Temu’s reach.

He says the risk from Temu is not necessarily in having access to a user’s most sensitive data, but in smaller tidbits that accumulate over time to build a profile of a shopper.

“You’ve got to start saying, buyer beware. You should look to an alternative marketplace,” he tells Global News.

Small pieces of information like purchases or a photo here and there might seem “innocent” to users, D’Ovidio says, “but when you combine multiple data elements, they start uncovering patterns of health, they start uncovering patterns of taste and likes and habits.”

“And that’s really where the concern here is. It’s not just a one-snapshot look at you. It’s a look over time,” he says.

The kinds of information collected via the Temu app are not unique to that marketplace, D’Ovidio says.

[Edit typo.]

 

According to a report by the Financial Times (paywalled link), members of the Bucharest Nine (B9) group are considering excluding Hungary from their talks in the future.

The B9 group was founded in 2015 by all NATO and EU member states that were part of the Soviet bloc prior to 1991, namely Bulgaria, the Czech Republic, Estonia, Latvia, Lithuania, Poland, Romania, Slovakia, and Hungary.

Although the organization does not have a formal institutional structure, it functions as an important forum where members' government officials coordinate their security policy ideas. This has become increasingly important after Russia's full-scale invasion of Ukraine.

In recent B9 meetings, Hungary has consistently vetoed decisions about supporting Ukraine and speeding up the process of its potential accession to NATO. In addition, the Orbán government has regularly been blocking and obstructing support for Ukraine's war effort in the EU as well. At the B9 meeting in Riga, which started on Tuesday, the Hungarian side again vetoed a draft resolution, which incidentally has the support of the other eight member states.

A source told the FT that discussions within the group have been “tough,” and noted concerns over the feasibility of future meetings if Hungary continues to lack cooperative behaviour. A diplomat speaking to the Financial Times was quoted as saying that “We are likely meeting in this formation for the last time.”

However, no decision has been made public. The Lithuanian president's office told the paper that "it's important to keep Hungary in, for the unity of NATO and the EU".

[–] 0x815@feddit.de 2 points 1 year ago

@turkishdelight

Chinese censors remove video showing off Tiananmen massacre medal

In the video posted March 18 to the official account of the People's Liberation Army Rocket Force on the video-sharing platform Bilibili, a woman clad in a camouflage uniform holds up a medal she said was presented to her father after he was among the troops that entered Beijing in early June 1989 to put down weeks of peaceful, student-led protests in Tiananmen Square.

“My father is a retired soldier," she says, according to subtitles on screenshots published by several media outlets including Taiwan's Liberty Times newspaper, Radio Taiwan International, and the citizen journalist X account "Mr Li is not your teacher."

The "Defender of the Capital" honor was handed out to soldiers and other enforcers of martial law in Beijing, which was ordered by late supreme leader Deng Xiaoping on May 20 and defied by protesters and hunger strikers, who remained on Tiananmen Square.

The video soon started to garner comments referencing the killing of civilians by the People's Liberation Army on the night of June 3-4, 1989.

"You're bragging about how the People's Liberation Army killed our compatriots?" said one comment, while another said the medal was fit for a "butcher," according to screenshots of the now-deleted video.

"A 'medal of honor' won for massacring unarmed students on behalf of a dictator," wrote another.

[–] 0x815@feddit.de 10 points 1 year ago* (last edited 1 year ago) (2 children)

@turkishdelight @Stockente

In addition to what @SevenOfWine said, we must note that you can openly discuss Belgian colonial history and atrocities in the public space. You can't discuss the Tiananmen Square massacre publicly in China, though, and the government in Beijing has been trying to hide this and other historical (and contemporary) atrocities committed by China for a long time now. Younger generations who didn't live through the events of 1989, for example, might not know what happened.

[Edit typo.]

[–] 0x815@feddit.de 11 points 1 year ago (1 children)

@Hamartia

No one claims that democracy is perfect (or will ever be). But another major reason why it is superior to dictatorship is that, for example, you are free to report these crimes and express your opinion as you just did in your post, without any negative personal consequences for you or your family, and your post won't be censored.

If you write a post in China in memory of the Tiananmen Square massacre, what do you think would happen?

[–] 0x815@feddit.de 1 points 1 year ago

@NABDad

Yes, I know. I don't say it's all bad. It improves human decision making in a lot of things. What I meant is that it has also been doing a lot of harm in the last few years, e.g., in the U.S. where insurer UnitedHealth allegedly used an AI model with a 90% error rate to deny care, or in The Netherlands and in France, just to name examples. And I'm afraid this is just the tip of the iceberg.

But I'd agree that it's not the technologies, it's the way we humans use them.

[–] 0x815@feddit.de 16 points 1 year ago* (last edited 1 year ago)

@Stockente

This place should be filled with monuments of stuff European countries did but yeah, China bad. Belgium, France, Germany, Spain, UK, nothing to see here

This is not true, in these and practically all other European countries there are many monuments - unlike in China which has been rewriting its own history. Read more here, here, here ... you'll find more across the web.

[Edit typo.]

[–] 0x815@feddit.de 4 points 1 year ago* (last edited 1 year ago)

Here all works fine. Again the T link

[–] 0x815@feddit.de 12 points 1 year ago (1 children)

It won't turn around U.S. politics in a day, but for a change it is necessary to speak out. I don't know this person, but as he is retiring he could have remained silent. But he didn't, speaking up and telling U.S. media that 'it's embarrassing to be a Republican'.

I hope others will follow suit.

[–] 0x815@feddit.de 1 points 1 year ago (3 children)

@NABDad

I partly agree. AI has really little chance to produce anything useful if we use it the way we do now. I'm not so sure with the blockchain technology. We needed more decentralized networks in our economy and society, and blockchain is just one technology that can help here imho. It's true that the vast majority of crypto projects represents a blend of scams and get-rich-quick schemes, but there are some fine projects that do a good job imo.

[–] 0x815@feddit.de 10 points 1 year ago* (last edited 1 year ago)

Yes, you can see that in the federal government too (and, apart from that, in other European countries as well). I have already written elsewhere that it is not very credible when, for example, Chancellor Scholz joins protests against the AfD but then tells the media that Germany must 'deport on a large scale'. Not to mention the rather different treatment of 'climate gluers' as terrorists versus protesting farmers who threaten the traffic-light coalition with the gallows, for whom the responsible minister then has 'understanding'.

There seems to be a gap between words and deeds.

Addendum, because I just read this: https://feddit.de/post/10249495

[–] 0x815@feddit.de 0 points 1 year ago (6 children)

@lowleveldata

What has this to do with the topic?

[–] 0x815@feddit.de 37 points 1 year ago (2 children)

Yes, I don't understand why people keep using this platform.
