TP-Link says they collect data when you use their services. But the router secretly sends your network information to a third-party company (Avira) every single minute, even when you have turned off the security feature that supposedly needs that data. You cannot stop it without breaking your router. TP-Link sells a "security" feature called HomeCare that scans ALL internet traffic from every device in your home. But multiple US government agencies are investigating whether TP-Link could be forced by Chinese law to hand over exactly this kind of data to the Chinese government. Your router's "security" feature is also a surveillance capability — and the US government considers this a national security threat.
What they claim: TP-Link privacy policy states they collect data when users "access or use" their services, implying active user engagement triggers collection.
What we found: The Avira SafeThings SDK embedded in the router firmware sends traffic metadata to Avira cloud servers (safethings.avira.com, iot-api.avira.com) every minute, over 80,000 requests per 24 hours, regardless of whether the HomeCare/HomeShield security feature is enabled or disabled. Users cannot opt out without causing router instability.
What they claim: TP-Link markets HomeCare as a security feature that protects your home network using Trend Micro threat intelligence.
What we found: HomeCare performs deep packet inspection (DPI) of ALL traffic from every device in your home. The router occupies a privileged position seeing every website visit, every smart device communication, and every file transfer. Meanwhile, the US House Select Committee on the CCP, Commerce Department, Justice Department, and Defense Department are all investigating TP-Link over concerns that China's National Intelligence Law (2017) could compel TP-Link to share this data with the Chinese government. Microsoft confirmed a botnet of compromised TP-Link routers (CovertNetwork-1658) was used by Chinese state actor Storm-0940.
What they claim: Tether app requests CAMERA permission for QR code scanning during router setup.
What we found: While CAMERA access is justified for setup QR scanning, the app also requests ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, SYSTEM_ALERT_WINDOW (draw over other apps), READ_EXTERNAL_STORAGE, and WRITE_EXTERNAL_STORAGE. Combined with the router's ability to see all network traffic and firmware that phones home to 9 different cloud endpoints (including TP-Link cloud servers in the US, EU, and Asia-Pacific regions), the app serves as a secondary data collection vector alongside the router itself.
What they claim: TP-Link privacy policy states they "do not use information that personally identifies you to display interest-based ads."
What we found: The TP-Link Tether companion app (com.tplink.tether v4.12.212) includes the Google Firebase Analytics tracker, which collects user behavior data, and requests the BILLING permission for in-app purchases. The policy carefully avoids stating that they do not sell personal data; it says only that they do not use it for interest-based ads, leaving the door open for other forms of data monetization.
What they claim: TP-Link privacy policy describes sharing data with "authorized partners" and "service providers" without specific naming.
What we found: Firmware analysis reveals the router connects to at least 2 third-party data processors not prominently disclosed: Avira SafeThings (safethings.avira.com, iot-api.avira.com) for traffic analysis and Trend Micro for HomeCare deep packet inspection. These third parties receive detailed information about network traffic patterns from every device in the home. The policy's vague "authorized partners" language obscures that your network traffic data flows to multiple companies, Chinese-headquartered (TP-Link) and European (Avira/Gen Digital).
What they claim: Tether app requires TP-Link Cloud account for remote management, collecting name, address, phone, email.
What we found: TP-Link is headquartered in Shenzhen, China, and is subject to China's National Intelligence Law (2017) Article 7: "All organizations and citizens shall support, assist, and cooperate with national intelligence efforts." User account data (name, address, phone, email) collected by the Tether app flows to TP-Link cloud infrastructure. The US Commerce, Justice, and Defense departments are investigating whether this data could be compelled for disclosure to Chinese intelligence agencies.
What they claim: TP-Link router firmware receives OTA updates automatically from TP-Link servers (download.tp-link.com, static.tp-link.com).
What we found: CVE-2024-54126 demonstrates improper signature verification in the TP-Link Archer firmware upgrade process, allowing attackers to upload malicious firmware. Combined with the US government investigation into whether TP-Link could be compelled by Chinese law to push malicious updates, the automatic firmware update mechanism represents a potential supply chain attack vector. TP-Link controls what software runs on a device that sees all home network traffic.
What they claim: Microsoft documented that compromised TP-Link routers formed the CovertNetwork-1658 botnet used by Chinese state-sponsored hackers (Storm-0940).
What we found: The router firmware has 3 critical CVEs (CVE-2024-21833, CVE-2023-1389, CVE-2024-5035) demonstrating persistent command injection vulnerabilities across the Archer product line. The botnet maintained ~8,000 active compromised devices at any time, with 20% being TP-Link routers. These compromised routers were used for password spray attacks against North American and European think tanks, government organizations, NGOs, and defense industry targets.
What they claim: Router firmware has 4 known critical/high CVEs in the Archer product line, including CVE-2024-21833 (CVSS 8.8) affecting the AX5400 specifically.
What we found: Despite this pattern of critical security vulnerabilities (3 critical, 1 high severity) across the Archer firmware family, the Tether app (v4.12.212) includes only 2 trackers (Google Crashlytics and Firebase Analytics) and no security-focused telemetry for detecting compromised routers. TP-Link marketing emphasizes security features (HomeCare, parental controls) while the underlying firmware has a documented history of remotely exploitable command injection vulnerabilities.
What they claim: TP-Link Tether privacy policy states parental controls data (browser history) is "only stored on the TP-Link product" and "won't be uploaded or stored on TP-Link cloud servers."
What we found: When Real-Time Protection is enabled, TP-Link "records and analyzes a device's attempted URL connections" — URL data IS processed. The router contacts TP-Link cloud servers (use1-api.tplinkcloud.com, euw1-api.tplinkcloud.com, aps1-api.tplinkcloud.com) and Avira SafeThings servers constantly. The distinction between "parental controls data stays local" and "security feature data goes to cloud" is a technicality — both involve monitoring what websites every device in your home visits.
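One way to check the phone-home findings above (the once-a-minute Avira contact and the TP-Link cloud contacts) on your own network, as an added example that is not part of the audit or of any TP-Link or Avira code. It assumes the router's DNS queries are logged by an upstream dnsmasq-style resolver and that the router is 192.168.0.1; the function name, thresholds and log lines are constructed for illustration.

```python
import re
from datetime import datetime
from statistics import median

# Endpoints named on this page (Avira SafeThings and TP-Link cloud).
WATCHED = {"safethings.avira.com", "iot-api.avira.com",
           "use1-api.tplinkcloud.com", "euw1-api.tplinkcloud.com",
           "aps1-api.tplinkcloud.com"}
# dnsmasq-style line: "<Mon DD HH:MM:SS> dnsmasq[pid]: query[A] <name> from <ip>"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ query\[\w+\] (\S+) from (\S+)$")

# Constructed sample log; 192.168.0.1 is the assumed router address.
SAMPLE_LOG = """\
Jan 15 10:00:01 dnsmasq[412]: query[A] safethings.avira.com from 192.168.0.1
Jan 15 10:00:20 dnsmasq[412]: query[A] example.org from 192.168.0.1
Jan 15 10:01:02 dnsmasq[412]: query[A] safethings.avira.com from 192.168.0.1
Jan 15 10:01:30 dnsmasq[412]: query[A] safethings.avira.com from 192.168.0.57
Jan 15 10:02:01 dnsmasq[412]: query[A] safethings.avira.com from 192.168.0.1
Jan 15 10:02:40 dnsmasq[412]: query[A] use1-api.tplinkcloud.com from 192.168.0.1
Jan 15 10:03:03 dnsmasq[412]: query[A] safethings.avira.com from 192.168.0.1
Jan 15 10:04:01 dnsmasq[412]: query[A] safethings.avira.com from 192.168.0.1
Jan 15 10:19:10 dnsmasq[412]: query[A] use1-api.tplinkcloud.com from 192.168.0.1
""".splitlines()

def beacon_report(lines, router_ip, min_gaps=3, max_jitter=5.0):
    """Map each watched domain queried by router_ip to its timing stats."""
    seen = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(3) != router_ip:
            continue  # unparsable line, or a query from another client
        domain = m.group(2).lower().rstrip(".")
        if domain in WATCHED:
            # Syslog stamps carry no year; 2024 is an arbitrary placeholder.
            ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
            seen.setdefault(domain, []).append(ts)
    report = {}
    for domain, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps) if gaps else None
        # Periodic = enough samples and every gap close to the median gap.
        jitter_ok = all(abs(g - period) <= max_jitter for g in gaps)
        report[domain] = {"queries": len(stamps), "period_s": period,
                          "periodic": len(gaps) >= min_gaps and jitter_ok}
    return report

if __name__ == "__main__":
    print(beacon_report(SAMPLE_LOG, "192.168.0.1"))
```

DNS lookups undercount actual requests when the router caches answers, so the measured period is a lower bound on how often the endpoint is contacted.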