Produced by Tiger Sniff ESG Group
Author|Zhang Xiaoyu
Head Image|Visual China
This article is the 020th article in the #ESG Progress Watch# series
Keywords: data privacy and security
On March 21, Reuters reported that Google had temporarily removed the Pinduoduo app from the store due to malware problems.
Google spokesman Ed Fernandez said in a statement that the removal of the Pinduoduo app is a security precaution. The spokesperson also said that Google's software protection service, Google Play Protect, will prevent users from downloading the Pinduoduo app from the Google Play Store, and that users who have already downloaded the app will also receive a warning prompting them to uninstall it.
Fernandez added that "we will continue to investigate for security reasons," and said that Temu, a U.S. shopping app operated by Pinduoduo, was not affected and could still be downloaded.
According to the Wall Street Journal, a spokesman for Pinduoduo confirmed that the current version of Pinduoduo's application did not comply with Google's policies and had been temporarily removed, and also said that "we are communicating with Google to obtain more information."
So, is the removal of Pinduoduo an accident?
Alleged "malware"
According to CNN, malware refers to any software developed to steal data or damage computer systems and mobile devices.
On the evening of March 20, Pinduoduo released its fourth-quarter and full-year 2022 financial report; performance fell short of expectations and the stock price dropped. But some netizens offered another analysis: "It is not only the performance problem; there is also the reason the app was removed from the Google market, and the evidence that it may steal users' private data has been established."
When it comes to user data privacy, Pinduoduo's "chop a knife" mechanism and some feature settings in the app do have precedents for stealing user data.
In early March, DarkNavy, a domestic independent data security research organization, released its "2022 Most 'Unpardonable' Vulnerabilities" report, pointing out that well-known Internet vendors had attacked users' mobile phones by mining deserialization vulnerabilities in Android manufacturers' OEM code. Although the name of the app was not directly announced, the characteristics described in subsequent revelations, such as "controlling the mobile phone system through the app", "unable to uninstall", "concealed installation", "attacking competitors' apps" and "stealing user privacy data", are roughly consistent with the complaints of Pinduoduo users on social platforms.
Pinduoduo's MSCI ESG rating has also declined year by year; in 2022 its ESG rating was downgraded to B, and it is lagging behind on the topic of "data privacy and security".
Pinduoduo MSCI ESG rating changes, image source: MSCI
The data privacy and security of Internet companies is one of the most important factors that investors need to consider when making investment decisions, and it is also one of the big gaps between different companies in ESG rating results. Because enterprises such as Pinduoduo hold a large amount of real data, they are not only scrutinized and questioned on business ethics over data security issues, but are also subject to stricter supervision by various governments.
Previously, the U.S. government proposed more measures to strengthen cyber defenses against the increasing problem of hacking and digital crime. On March 2, the White House announced a new National Cybersecurity Strategy to guide future policies to strengthen regulation of existing cybersecurity practices across industries and improve collaboration between government and the private sector.
Pinduoduo itself needs to respond actively to changes in data security in order to achieve long-term compliance and healthy development. More broadly, Temu, which is still in its initial expansion stage, faces the same test.
Affecting Temu's survival?
Compliance policies vary from country to country and from region to region, and to go global, Temu also needs to operate locally and handle compliance.
On Temu's website, "payment security, data security, intellectual property protection" is prominently displayed.
Payment security and security protection are placed on the homepage of the Temu website, image source: Temu
Specifically, according to multiple foreign media reports, Temu may collect user information including shipping details, phone numbers and addresses, but this information is essentially used only to improve platform development and user services, and the data is stored in a secure online ledger located at its US headquarters.
The user information Temu collects meets compliance standards and the app industry's standards, and its strict adherence to data privacy protection is described in detail in its privacy and cookie policies. Temu also encrypts user data for security purposes, and the shopping app restricts access to users' personal information to a limited number of authorized personnel, who can access only the user data related to their jobs, duties and responsibilities.
But because the app was developed by a Chinese company, its popularity in the United States has raised growing concerns among users about their own privacy and security. In overseas markets, Temu still faces questions such as "how do its operators handle user data" and "whether this information will be handed over to the Chinese government."
Schmidt, who specializes in security and privacy at Vanderbilt University, said Temu's data and privacy practices do not stand out, and the company likely collects a lot of personal data about users and then uses it to sell ads.
For example, many young people share and recommend the Temu app or product links to their friends on social media to get more points or discounts, but it is unclear how secure the links are or whether information will be collected. One person in Temu's comment section wrote, "This app sold my personal data to scammers, and I received several calls from China from people who claimed to be police officers, which is terrible."
In response to this phenomenon, Professor Vyas of the University of Southern California also hopes that consumers can stay clear-headed in the face of low prices. He mentioned that "living in the digital age, consumers need to pay more attention to protecting their data and privacy."
More notably, in March, the RESTRICT (Limiting the Emergence of Security Threats in the Field of Information and Communication Technology) bill, introduced by 12 U.S. senators, mentions requiring the U.S. Secretary of Commerce to investigate apps and other products from countries such as China. In addition to TikTok, Temu is also on the list of key review targets. The Special Competition Research Project, a new think tank founded by former Google CEO Eric Schmidt, stated more explicitly in a Feb. 15 article that apps such as Shein, Temu, and CapCut (along with WeChat) "may pose challenges similar to TikTok."
Pinduoduo is also taking action toward Temu's further compliance. According to Lei Feng.com, Pinduoduo's organizational structure is being adjusted: except for the B-end team related to goods and merchants in Guangzhou, the rest of the teams are doing IM segmentation, and this also includes some of Temu's team. More strikingly, the Shanghai teams had to isolate their data from Pinduoduo within a few days.
To put it simply, Pinduoduo is splitting from Temu to prevent overseas policies and other factors from affecting the normal operation of Temu's business. In this regard, some analysts pointed out that, due to uncertainty over data privacy and security, Pinduoduo may speed up its separation from Temu. After the split, if Temu continues to use Pinduoduo's domestic product expansion method, it will probably not be easy.
On the evening of March 21, CaiLian News reported that Pinduoduo had refuted the "malware" news. In response to reports that "Google has removed Pinduoduo because of malware problems", Pinduoduo said in an email statement that Google's statement was not conclusive, but it did not elaborate further.
However, as far as the current situation is concerned, whether at home or overseas, Pinduoduo has to pay more attention to protecting the security of user data.