Avira SafeThings SDK embedded in router firmware sends traffic metadata to Avira cloud servers (safethings.avira.com, iot-api.avira.com) every minute — over 80,000 requests per 24 hours — regardless of whether the HomeCare/HomeShield security feature is enabled or disabled. Users cannot opt out without causing router instability.

In the 2021 data breach, employee Nickolas Sharp stole gigabytes of confidential data from AWS servers and GitHub repositories using standard employee access credentials — demonstrating that customer data stored in Ubiquiti cloud infrastructure was accessible to individual employees. Ubiquiti initially downplayed the breach as a "third-party cloud provider" incident rather than disclosing the true scope. The breach exposed source code, cryptographic secrets, and customer credentials.

In 2024, the US government opened an investigation into TP-Link over national security concerns, with Commerce, Defense, and Justice departments all probing the company. Lawmakers called for a ban on TP-Link routers in US government facilities. TP-Link is headquartered in Shenzhen, China (though it established a US entity in 2024). China's National Intelligence Law requires Chinese companies to cooperate with state intelligence. TP-Link holds approximately 65% of the US consumer router market. A router from a Chinese company subject to Chinese intelligence law sits between your entire home network and the internet, and two-thirds of American homes that buy a router choose this one.

In 2023, the FTC sued Netgear over security failures in its Nighthawk and Orbi routers, alleging the company knew about critical vulnerabilities and failed to fix them. The FTC complaint cited known vulnerabilities dating back years that Netgear left unpatched, including authentication bypass flaws that allowed attackers to take over routers remotely. Netgear stopped providing security updates for routers that were still widely in use, leaving millions of devices permanently vulnerable. The FTC's case argued Netgear's security practices were "unfair" under Section 5 of the FTC Act.

FCC filing lists applicant as TP-Link Corporation Limited (Hong Kong). Testing performed by UL Verification Services (Guangzhou), China. The V1 hardware uses FCC grantee code 2AXJ4 (TP-Link Corporation Limited, HK). V2 uses 2BCGW (TP-Link Systems Inc., US) — a corporate restructuring specifically to distance US operations from the Chinese parent amid a national security probe. The US Commerce Department has proposed banning TP-Link over ties to the Chinese government.

HomeShield subscription service embeds third-party SDKs from NortonLifeLock (Avira) and F-Secure Corporation directly in the router firmware. When Network Security is activated, the device collects and sends DNS queries, HTTP headers, and DHCP data to NortonLifeLock servers. The SDK selection varies by model and firmware version, meaning data collection behavior can change with firmware updates without user notification.

The Nest WiFi Pro defaults DNS to Google Public DNS (8.8.8.8/8.8.4.4), routing every domain name lookup for every device in the household through Google's servers. While the router itself may not "track" websites, Google as a company receives a complete log of every domain every device resolves. Google Public DNS handles the DNS queries — meaning Google knows every website visited by every device on the network. The claim of not tracking websites is technically narrow: the router hardware doesn't log URLs, but Google's DNS infrastructure receives the same information by default.

The VX420-G2v supports TR-069/CWMP remote management (confirmed on TP-Link service provider product page at service-provider.tp-link.com) giving TPG persistent remote access to view all connected devices, push firmware, change DNS settings, and monitor device status — all without customer notification. Modem connects to acs.tpg.com.au (TR-069 management server) and TP-Link cloud endpoints (use1-api.tplinkcloud.com, euw1-api.tplinkcloud.com, devs.tplinkcloud.com). Product page and setup guide make zero mention of browsing data collection despite the privacy policy explicitly admitting to it.