
The Spy in Your Pocket: Why Attorneys Need an Air-Gapped Phone

Attorney-Client Privilege, Corporate Governance, Cybersecurity, Data Privacy, Legal Ethics

TikTok, Shein, and Temu Are Reading Your Client Data—And You Agreed to Let Them

THE TECHNOLOGY BLIND SPOT

I carry two phones. One for work, one for everything else. The work phone is as close to sterile as I can make it: no social media, no games, no shopping apps, no TikTok. When I’m not using the cameras, I cover them on both sides. When colleagues ask why, I give them the uncomfortable truth: a skilled attacker who compromises your camera will not helpfully illuminate the activity light to alert you. The attacker will compromise both.

This is not paranoia. Security researchers proved in 2013 that MacBook cameras could be activated without triggering the LED indicator. In November 2024, a researcher demonstrated the same capability on modern ThinkPad laptops by reflashing webcam firmware to control the LED independently of camera operation. The technique, as cybersecurity firm Cybernews confirmed, means malware can activate the camera without a visible indicator.

Camera access is the visible threat. The invisible threat is far worse: the apps on your phone are already reading everything you type, everywhere you go, and everyone you know, including your clients.

TikTok: The Keystroke Monitor in Your Pocket

In May 2025, Ireland’s Data Protection Commission fined TikTok €530 million for transferring European user data to China without adequate safeguards. The investigation found that TikTok “failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.” More troubling: TikTok had told regulators it did not store European data on Chinese servers. In April 2025, TikTok admitted this was false, acknowledging it had “provided inaccurate information” to the inquiry.

That fine addressed data transfers, not data collection. TikTok’s own privacy policy explicitly states it may collect “keystroke patterns or rhythms.” Privacy researcher Felix Krause discovered in 2022 that TikTok’s in-app browser subscribes to every keystroke users make on third-party websites, including passwords and credit card numbers. When Apple’s iOS 14 update exposed clipboard access, TikTok accessed clipboard data every one to three keystrokes, even while running in the background. A researcher who reverse-engineered TikTok’s code documented collection of phone hardware identifiers, installed applications, and network data including local IP address and WiFi router MAC address, with GPS pinging at roughly 30-second intervals.

Consider the privilege implications. TikTok logs keystrokes while you draft a text to a client. It records your location at your office and the courthouse. It catalogs your contact list, including every client’s name and phone number. Has privilege been waived through voluntary disclosure to a third party?

Shein: The Shopping App That Reads Your Clipboard

In March 2023, Microsoft security researchers discovered that Shein’s Android app periodically accessed clipboard contents and transmitted them to remote servers. The app searched for specific patterns in clipboard data, including URLs and prices, suggesting competitive intelligence purposes. Sophos described the behavior as turning the shopping app into “a basic sort of marketing spyware tool.”

Shein’s data practices were already documented before the clipboard research. In 2018, hackers stole credit card information and personal data from approximately 39 million customers. The New York Attorney General fined Shein’s parent company $1.9 million, not solely for the breach but for misrepresentation: the company told customers it saw “no evidence” that credit card information was compromised while knowing credit card data had been stolen. In September 2025, France’s CNIL imposed an additional €150 million fine for cookie consent violations.

Now consider your own device. You copy a case number to paste into a document. You copy a client’s address. You copy privileged text to move between applications. If Shein runs in the background, those clipboard contents may transmit to servers in jurisdictions where attorney-client privilege carries no meaning.

Temu: “Information-Gathering Spyware Masquerading as E-Commerce”

Temu presents the most alarming case. In June 2024, Arkansas Attorney General Tim Griffin filed what he described as a “first-of-its-kind state lawsuit” against Temu’s parent companies, alleging the app “is purposefully designed to gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications.” The complaint continued: “Temu is designed to make this expansive access undetected, even by sophisticated users. Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”

Kentucky, Nebraska, and Arizona followed with similar lawsuits. The Center for Strategic and International Studies published an analysis titled “Looking Beyond TikTok, The Risks of Temu,” concluding that Temu’s data collection practices raise concerns that it is not simply an e-commerce platform. CSIS analyst Diane Rinaldo described Temu as “information-gathering spyware masquerading as an e-commerce site.” Grizzly Research, the market intelligence firm that first documented Temu’s practices, called it “the most dangerous app in wide circulation.”

The warnings preceded the app’s popularity. In March 2023, Google removed Temu’s sister app Pinduoduo from the Play Store after identifying malware. CNN’s investigation, which consulted six cybersecurity teams across Asia, Europe, and the United States, found that Pinduoduo had attempted to escalate privileges to access systems outside its scope. A Kaspersky Labs researcher confirmed the code “exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files.” After the breach became public, Pinduoduo disbanded the engineering team responsible and transferred most of them to Temu.

Three apps. Three documented patterns of collection that extend well beyond the apps’ stated functions. If any one of them runs on a device that accesses client data, every keystroke you type, every contact you call, every location you visit while the app is installed may move to servers outside your control. That is not a cybersecurity concern dressed in legal language. It is the factual predicate for a privilege waiver analysis.

Where the Data Goes: China’s National Intelligence Law

TikTok, Shein, and Temu share something beyond aggressive data collection: all three are subject to China’s 2017 National Intelligence Law. Article 7 requires that “any organization or citizen shall support, assist and cooperate with the state intelligence work.” In December 2020, the U.S. Department of Homeland Security issued a Data Security Business Advisory warning that under this legal framework, Chinese firms “are required to secretly share data with the PRC government or other entities upon request, even if that request is illegal under the jurisdiction in which these firms operate.”

Glenn Chafetz, former CIA Chief of Station and the Agency’s first Chief of Tradecraft and Operational Technology, stated in a 2024 analysis for The Cipher Brief: “The Chinese Communist Party announced in 2017 that it would compel its citizens and its companies to steal secrets from the rest of the world.” His conclusion: “The only prudent response to such a law is to treat all PRC citizens and companies as potential intelligence collectors.”

For attorneys, the privilege implications are not theoretical. The question is not whether TikTok or Temu collects your data. The question is whether that data legally flows to a foreign government’s intelligence services. Voluntary disclosure to any third party waives privilege under traditional doctrine. Disclosure to a state intelligence apparatus is not a gray area. The same telecommunications infrastructure that carries attorney-client phone calls and texts has already proven vulnerable: when Salt Typhoon hackers breached at least nine major carriers in 2024, they specifically targeted the lawful interception systems that law enforcement uses for court-authorized surveillance. That analysis is developed in “The FBI Says Stop Texting: Here’s the Privilege Problem Nobody’s Discussing” (Morris Legal Technology Blog, 2025). The mobile app exposure runs parallel to the network exposure and compounds it.

When the Engineer Who Built the Surveillance Infrastructure Buys a $1,000 Anti-Surveillance Phone Case

In October 2018, John Chambers sat down to write a blog post for a startup he had recently backed. His subject was voice interfaces and smartphone security. His credentials for it were unusual: 25 years at Cisco Systems, including 20 as CEO, during which Cisco built the networking infrastructure underlying modern telecommunications and developed the lawful interception architecture that governments use to conduct court-authorized surveillance under the Communications Assistance for Law Enforcement Act.

When Salt Typhoon hackers breached major telecommunications carriers in 2024, they specifically targeted those CALEA systems, the exact infrastructure Chambers had spent his career building. His 2018 blog post had anticipated the threat with unusual precision: “Today, our most used devices can quickly turn from smartphone to spyware.” His conclusion was unequivocal: “Software solutions alone can’t protect the entire ecosystem of your smartphone, and therefore, won’t protect your private conversations.”

His response was not a whitepaper. It was a check. Chambers invested in Privoro and joined its board, backing hardware cases designed to physically block smartphone eavesdropping and tracking. The National Telecommunications Security Working Group, the primary technical and policy authority for surveillance countermeasures in the U.S. Intelligence Community, cleared the SafeCase for use in classified facilities. Security-sensitive federal agencies tested the product before that clearance. Chambers also holds a J.D. from West Virginia University. An attorney who spent 25 years building the target, watched it get compromised, and concluded that software defenses were insufficient chose hardware countermeasures. If that assessment merits his own money, it merits the attention of attorneys handling privileged communications.

The Air Gap Solution

In cybersecurity, an air gap refers to the physical or logical isolation of sensitive systems from untrusted networks. Nuclear facilities, classified government networks, and critical infrastructure use air gaps to prevent remote attacks. The principle is simple: a system with no connection to untrusted networks resists remote compromise.

For attorneys, perfect isolation is impractical. You need network connectivity to practice law. But the principle adapts. A near-sterile work phone contains only essential professional tools: email, calendar, document management, secure communication platforms, and practice management software. No social media. No games. No consumer shopping apps. No TikTok, Shein, or Temu, ever.

Your personal phone handles everything else. It never accesses client email. It never connects to firm systems. It never stores client contact information. The two devices share no accounts, no cloud storage, no data synchronization. If your personal phone is compromised (and given the apps most people install, treat that as the baseline assumption), the attacker gains nothing connected to client representation. The cost is a basic smartphone with cellular service. That cost is measurably less than one malpractice deductible.

The Ethics Framework

Model Rule 1.1, Comment 8 requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” When state attorneys general describe an app as malware, when Google removes a related app from the Play Store for malware, and when security researchers document keystroke logging and clipboard monitoring, technological competence under Rule 1.1 demands awareness. Model Rule 1.6(c) requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Using devices loaded with documented data-harvesting applications to access client information tests any reasonable interpretation of “reasonable efforts.” Formal Opinion 477R requires attorneys to “understand how client confidential information is transmitted and where it is stored” and to evaluate each device as an access point for security compliance. When the Arkansas Attorney General alleges that Temu can recompile itself and override user privacy settings, no evaluation of that device can conclude it meets security compliance requirements for client data.

The Skeptic’s Position

The objection is predictable: this is overkill. Most attorneys handle matters with no national security dimension. The cost and inconvenience of maintaining two devices outweighs any realistic threat. No disciplinary body has yet sanctioned an attorney for using TikTok on a work phone.

The most serious version of this argument goes further: no court has yet found that TikTok’s keystroke logging, Temu’s location tracking, or Shein’s clipboard access constituted a privilege waiver in an attorney-client context. The privilege consequences described in this piece are logical inferences from doctrine, not decided cases. A disciplinary panel pressed for a specific sanction would confront that gap. The opponent’s best argument is: “Show me the ruling.”

That argument is accurate and should be stated plainly. The response is equally plain: constructive waiver doctrine does not require a prior ruling against you. The question is whether the elements exist, specifically, sensitive attorney-client information transmitted through a channel where a third party with adverse interests can access it, without the client’s knowledge or consent. When the Arkansas Attorney General alleges that Temu can recompile itself and override privacy settings the user believes are in place, the channel is not confidential regardless of whether a court has yet said so. The first sanctioned attorney will not have been warned after the fact. The warning is now.

The “no enforcement yet” argument also confuses absence of prosecution with absence of violation. Disciplinary bodies lag technological developments by years. The question is not whether anyone has been sanctioned. The question is whether your current practices survive retrospective scrutiny when enforcement arrives. The Gravy Analytics breach, in which hackers accessed over 200 billion location records from more than 12,000 apps including fitness trackers and VPN applications, confirmed that location data pinpoints specific rooms within buildings. If your device runs apps feeding that database, your client meeting locations, courthouse visits, and office consultations become part of a record that exists whether or not anyone has subpoenaed it yet.

Practice-Specific Implications

Criminal defense represents the most acute exposure. If your phone logs your location every 30 seconds, it creates a record of every jail visit, every witness interview location, every co-counsel meeting. If your contact list is harvested, every client and potential witness becomes identifiable to anyone who obtains that data. Consider clients whose adversaries have both the resources and the motivation to compromise communications. For the related risk that your client’s own device may be recording the conversation, see “The Uncomfortable Reality: Your Client Is Probably Recording You” (Morris Legal Technology Blog, 2025).

Corporate and M&A practitioners face a different version of the same problem. Deal communications involve material nonpublic information. The 2016 indictment of hackers who breached Cravath and Weil Gotshal to steal M&A intelligence for insider trading demonstrated that sophisticated actors specifically target law firms for deal information. Apps with documented ties to foreign intelligence services compound that exposure to a degree that has no counterpart in prior generations of cybersecurity risk. The question is not whether a sophisticated adversary would want the information. It is whether your device has already provided it.

What to Do Monday Morning

Audit your devices immediately. Review every app on any device used to access client data. Check permissions: which apps access location, contacts, microphone, camera, and clipboard? On iOS, examine Settings, then Privacy, then Tracking. Remove any app that requests permissions its stated function does not require.

Implement device separation. Acquire a dedicated work device. Configure it with only essential professional applications. Keep all social media, games, and consumer shopping apps on a separate personal device that never connects to client systems. Cover your cameras. Mark Zuckerberg does it. Sliding webcam covers cost nothing and eliminate camera compromise risk entirely.

Update client engagement letters. Address mobile device security explicitly. Inform clients about your firm’s policies for securing mobile communications and the risks of using consumer apps on devices they use to communicate with you. Train your staff. Under Model Rules 5.1 and 5.3, supervising attorneys are responsible for staff conduct involving client data. If your paralegal accesses client files on a phone running Temu, the firm shares responsibility for that exposure. Document your decisions. Contemporaneous documentation of your risk assessment and security measures demonstrates “reasonable efforts” under Rule 1.6(c) and provides a defense in any subsequent disciplinary or malpractice proceeding.
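To make the audit step above repeatable on an Android work device, here is an added example (not code from the original post) that parses the “runtime permissions” block of `adb shell dumpsys package` output and flags apps holding sensitive grants that their stated function does not justify. The dumpsys excerpt, package names and the expected-permission list are constructed placeholders, and the line format is a simplification of the real output; iOS exposes no equivalent dump, so there the Settings path described above remains the check.

```python
"""Flag Android apps holding sensitive permissions their stated function does not justify.

Added example, not from the original post. Input is assumed to be the
'runtime permissions:' block of `adb shell dumpsys package` output, simplified
to 'NAME: granted=true|false' lines under a 'Package [name]' header.
"""
import re

# Permission categories the post singles out as privilege-relevant.
# Keys are real Android permission names.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
}

# Sensitive categories each essential work app legitimately needs
# (constructed placeholders: a document scanner needs the camera, a calendar needs none).
EXPECTED = {"com.example.docmanager": {"camera"}, "com.example.calendar": set()}

# Constructed dumpsys excerpt; package names are placeholders, not real apps.
SAMPLE_DUMPSYS = """\
Package [com.example.shoppingapp] (abc123):
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_CONTACTS: granted=true
    android.permission.CAMERA: granted=true
    android.permission.READ_SMS: granted=false
Package [com.example.calendar] (def456):
  runtime permissions:
    android.permission.READ_CALENDAR: granted=true
Package [com.example.docmanager] (ghi789):
  runtime permissions:
    android.permission.CAMERA: granted=true
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)\b")


def parse_granted(dump: str) -> dict:
    """Map each package name to the set of runtime permissions currently granted."""
    granted, current = {}, None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted[current] = set()
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted


def unexpected_grants(granted: dict, expected: dict = EXPECTED) -> dict:
    """Return {package: sorted categories} for sensitive grants the app's function
    does not justify. A package absent from `expected` is not an essential work
    app at all, so every sensitive grant it holds is flagged for removal."""
    findings = {}
    for pkg, perms in granted.items():
        held = {SENSITIVE[p] for p in perms if p in SENSITIVE}
        extra = held - expected.get(pkg, set())
        if extra:
            findings[pkg] = sorted(extra)
    return findings
```

Run `unexpected_grants(parse_granted(SAMPLE_DUMPSYS))` to see which packages to remove; with real devices, pipe the dumpsys output in place of the sample string.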

The Spy You Invited

Every app on your phone represents a bargain you struck, often without reading the terms. TikTok wanted your attention; you gave it access to your keystrokes. Shein wanted your business; you gave it access to your clipboard. Temu wanted your purchases; you may have given it access to everything.

Those bargains are acceptable for personal entertainment. They are not acceptable for devices that touch client data. Your clients never agreed to share their privileged communications with TikTok. They never consented to having their attorney’s location tracked by Temu. They trusted you to protect their confidences. That trust has a technical dimension.

Glenn Chafetz spent his career inside the CIA’s intelligence collection apparatus. His conclusion about Chinese app companies in 2024 was direct: the only prudent response to a law compelling data collection for state intelligence is to treat every company subject to that law as a potential intelligence collector. The word potential is not a hedge: the instruction is to treat each such company as an actual collector until proven otherwise.

John Chambers built the networking infrastructure this argument runs on. He developed lawful interception systems. He holds a law degree. And he invested his own money in anti-surveillance hardware because he watched the infrastructure he built become the attack surface. The spy in your pocket was invited in when you clicked Accept. The question is whether you will ask it to leave before it costs your clients something they cannot recover.

About the Author

JD Morris is Co-Founder and COO of LexAxiom, an AI platform for the business of law. He holds a Master of Legal Studies from Texas A&M University School of Law, a Master of Engineering from George Washington University, and dual MBAs from Columbia Business School and UC Berkeley Haas. He writes the Morris Legal Technology Blog under the series banner “The Technology Blind Spot.” Connect with him on LinkedIn at http://www.linkedin.com/in/jdavidmorris, on X at @JDMorris_LTech, or on Bluesky at @JDMorris-ltech.bsky.social.

References

1. ABA Model Rule 1.1, Comment 8 (Technology Competence) (2012).

2. ABA Model Rule 1.6(c) and Comments 18–19 (Confidentiality — Reasonable Efforts).

3. ABA Model Rules 5.1, 5.3 (Supervisory Responsibilities).

4. ABA Formal Opinion 477R (May 2017) — Securing Communication of Protected Client Information.

5. Irish Data Protection Commission, TikTok Decision, €530 Million Fine (May 2, 2025).

6. France CNIL, Shein €150 Million Cookie Consent Fine (September 3, 2025).

7. New York Attorney General, Shein $1.9 Million Data Breach Settlement (2022).

8. Arkansas Attorney General Tim Griffin v. Temu, Complaint (June 25, 2024).

9. Kentucky Attorney General Russell Coleman v. Temu, Complaint (July 17, 2025).

10. CSIS Strategic Technologies Blog, “Looking Beyond TikTok — The Risks of Temu.”

11. Google Play Store, Pinduoduo Removal for Malware (March 2023).

12. CNN Investigation: “Pinduoduo — One of China’s Most Popular Apps Has Ability to Spy on Users” (April 3, 2023).

13. Sophos, “Shein Shopping App Goes Rogue, Grabs Price and URL Data from Your Clipboard” (March 2023).

14. Microsoft Security Research, Shein Clipboard Data Collection (2023).

15. Felix Krause, iOS Privacy Research: In-App Browser Keystroke Monitoring (August 2022).

16. Grizzly Research, Temu Analysis: “The Most Dangerous App in Wide Circulation.”

17. Cybernews, “Hackers Can Access Laptop Webcams Without Activating the LED” (November 28, 2024).

18. Andrey Konovalov, POC 2024 Conference: ThinkPad Webcam LED Control Research.

19. Johns Hopkins / GWU Research: MacBook Camera LED Bypass (2013).

20. In re Gravy Analytics, Inc. & Venntel, Inc., FTC Matter No. 2123035 (January 14, 2025).

21. U.S. v. Hong et al., S.D.N.Y. (December 2016) — Law Firm Hacking Indictment.

22. TikTok Privacy Policy (Updated August 19, 2024).

23. John Chambers, “Voice is the Next Interface, But What Does That Mean for Mobile Security?” Privoro Blog (October 2, 2018).

24. JC2 Ventures Biography: John Chambers (jc2ventures.com).

25. West Virginia University College of Law Alumni: John T. Chambers (J.D. 1974).

26. MSSP Alert, “Smartphone Security Startup Privoro Raises $30 Million” (August 16, 2023).

27. Privoro, SafeCase Product: NTSWG Approval for Classified Facilities.

28. Cisco Lawful Intercept Architecture Documentation.

29. National Intelligence Law of the People’s Republic of China, Article 7 (June 27, 2017).

30. U.S. Department of Homeland Security, Data Security Business Advisory: Risks and Considerations for Businesses Using Data Services and Equipment from Firms Linked to the People’s Republic of China (December 22, 2020).

31. Glenn Chafetz, “How China’s Intelligence Law Backfired,” The Cipher Brief (July 4, 2025).

32. Morris, JD. “The FBI Says Stop Texting: Here’s the Privilege Problem Nobody’s Discussing.” Morris Legal Technology Blog, 2025.

33. Morris, JD. “The Uncomfortable Reality: Your Client Is Probably Recording You.” Morris Legal Technology Blog, 2025.

34. Morris, JD. “Why Hackers Target Law Firms: Where All the Secrets Are Buried.” Morris Legal Technology Blog, 2025.
