Shopping Apps
They know what you want before you buy it. Temu is on the Danger List. Amazon tracks every search, scroll, and hesitation.
16 devices analyzed.
What we found
Temu: F
In September 2023, short-seller Grizzly Research hired independent security experts to tear apart Temu's code.
Grizzly Research's September 2023 report found 18 dangerous software functions, including runtime.exec() — the holy grail of malware — which allows code injection at runtime, bypassing security scans. Independent experts unanimously called Temu very virulent malware/spyware. Texas AG Ken Paxton described it as Chinese Communist spyware disguised as a shopping app.
Shein: F
Microsoft researchers caught Shein's Android app red-handed: version 7.9.2 was silently reading your clipboard — every URL, every price, every password you'd...
Microsoft researchers found Shein's Android app version 7.9.2 silently reading clipboard contents, testing for URLs with prices, and packaging clipboard data into POST requests sent to a remote server. Passwords, bank details, private messages — all read and potentially exfiltrated. Sophos called it rogue behavior.
Walgreens: F
You walk into Walgreens to pick up a prescription.
A class action lawsuit (filed in Cook County, Illinois) alleged that Walgreens deployed facial recognition security cameras that scanned customers' faces without disclosure or consent, violating the Illinois Biometric Information Privacy Act (BIPA). The lawsuit notes customers "lost the right to control the collection, use, and storage of their biometric identifiers" simply by walking in to pick up prescriptions. The FTC separately banned competitor Rite Aid from using facial recognition for 5 years in December 2023 for similar practices.
AliExpress: F
In January 2025, Austrian privacy group noyb filed complaints against AliExpress in five EU countries for illegally shipping European users' data to China.
In January 2025, noyb filed complaints in five EU countries for unlawfully transferring data to China. Lawyer Kleanthi Sardeli: China is an authoritarian surveillance state with no EU-level data protection. AliExpress faces potential fines up to EUR 147 million.
Amazon Shopping: F
Amazon built a secret pricing algorithm called "Project Nessie" that deliberately raised prices on over 8 million products per month, knowing competitors wou...
The FTC revealed Amazon's secret Project Nessie algorithm, which ran from 2014 to 2019 and generated $1.4 billion in excess profits by deliberately raising prices on products where Amazon predicted competitors would follow suit. Amazon ran Nessie 24/7 except during Prime Day. Internal documents called it an incredible success. Amazon's spokesperson claimed it didn't work as intended. In 2022, Doug Herrington suggested reviving our old friend Nessie. Amazon settled with the FTC for $2.5 billion in September 2025.
Woolworths Everyday Rewards: F
Half of Australia is in Woolworths Everyday Rewards.
Woolworths owns 50% of Quantium, a data analytics company that processes shopping data from 13 million Everyday Rewards members -- roughly half of all Australians. Quantium sells consumer insights derived from this shopping data to CPG brands (Coca-Cola, Nestlé, Unilever), government agencies (including during COVID for population movement analysis), financial institutions, and advertisers. Your grocery purchases at Woolworths feed an analytics company that sells insights about your behaviour to corporations and government. Purchase data reveals health conditions (diabetic products, gluten-free), pregnancy (prenatal vitamins, folate), alcohol consumption patterns, financial stress (switching to budget brands), dietary restrictions (halal, kosher, vegan), and household composition. Thirteen million Australians enrolled in a loyalty programme that feeds a data analytics company selling their shopping patterns to the highest bidder. The points buy you discounts. Your data buys Quantium's clients.
Kmart Australia: F
Every person who walked into 28 Kmart stores had their face scanned.
In September 2025, the OAIC found Kmart breached the Privacy Act by using facial recognition technology in 28 stores between June 2020 and July 2022. The system captured the face of every person who entered these stores — not just suspected fraudsters. The Privacy Commissioner found the collection was disproportionate to the fraud risk: scanning the faces of millions of innocent shoppers to catch a small number of fraudsters. Kmart was ordered to publish an apology. The technology captured children, elderly people, and anyone who walked through the door — none of whom were suspected of anything. To stop a few people stealing, Kmart scanned millions of faces.
Coles / Flybuys: F
Coles hired Palantir.
Palantir -- the company that builds ICE's ImmigrationOS deportation system, the CIA's intelligence platform, and NHS England's health data platform -- now processes 10 billion rows of Coles data across 840 Australian supermarkets. The partnership covers every store, every team member, every shift, and every allocation across all intervals in every day. Palantir also has contracts with the Australian Department of Defence, the Australian Signals Directorate (ASD), and AUSTRAC (Australia's financial intelligence agency). GetUp launched a campaign noting that "Coles says Palantir is being used for internal planning purposes -- but also that their tools have access to 10 billion rows of data." Palantir responded that software "can only be used to process data in strict accordance with the wishes of the customer." The same assurance Palantir gives to every customer, including ICE. Your weekly grocery shop is now processed by the same software platform that helps the CIA analyse intelligence and ICE deport immigrants.
