TP-Link says your Deco router only tracks your browsing if you turn on Parental Controls. But users discovered the router secretly looks up popular websites like Netflix and Amazon on its own — even when nobody is using the internet. This means your router may be monitoring what sites your household visits without your knowledge or consent. TP-Link says they keep your data safe. But the U.S. government is investigating whether TP-Link routers are a national security threat. Three federal agencies are looking into the company, and they're considering banning TP-Link products entirely. Chinese law could force TP-Link to hand over your data or push malicious updates to your router. Thousands of TP-Link routers have already been hijacked by Chinese government hackers.
What they claim: The Deco companion app (com.tplink.tpm5) requests the CAMERA permission from Android users.
What we found: The TP-Link Deco M5 is a mesh Wi-Fi router with no camera hardware. FCC filing TE7M5 confirms the device has only Wi-Fi, Bluetooth, and Ethernet radios. The CAMERA permission is not needed for any router management function. The app also requests SYSTEM_ALERT_WINDOW (draw over other apps), which is unrelated to router management.
What they claim: TP-Link Deco privacy policy states Real-Time Protection records and analyzes a device's attempted URL connections to block malicious websites.
What we found: When Real-Time Protection is enabled, the router intercepts and records every URL connection attempt from every device on the network. This security feature doubles as a comprehensive browsing surveillance system. The privacy policy does not specify how long this data is retained, who has access, or whether it is transmitted to TP-Link cloud servers for analysis. Combined with the app's location tracking and the router's DNS surveillance queries, this creates a near-complete picture of household internet activity.
What they claim: The Deco app collects location data (ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION) and device information. The router itself sees all DNS queries and connection metadata from every device on the network.
What we found: As a mesh router, the Deco M5 is uniquely positioned to monitor ALL internet activity from every device in the household — smartphones, laptops, smart TVs, IoT devices. Combined with the companion app's fine location tracking and the Parental Controls feature that records browser history and access times, TP-Link can build a comprehensive profile of household internet activity, physical location, and daily routines. The privacy policy allows sharing this data with marketing partners receiving 'anonymized user information.'
What they claim: TP-Link Deco privacy policy states that they won't sell user data to third parties.
What we found: The same privacy policy discloses sharing data with marketing providers receiving 'anonymized user information' and service providers for advertising and analytics. Data is processed across US, Ireland, Singapore, and partner locations. Under CCPA, sharing user data with advertising partners for targeted marketing may legally constitute a 'sale' of personal information regardless of whether money changes hands.
What they claim: TP-Link markets the Deco as a trusted home networking solution and states in their privacy policy that they protect user data with appropriate measures.
What we found: Three U.S. federal departments (Commerce, Defense, Justice) opened investigations into TP-Link in 2024. The Commerce Department proposed banning future sales. TP-Link devices were found on U.S. military bases. Chinese law requires TP-Link to comply with Chinese intelligence agency requests. Microsoft documented CovertNetwork-1658, a Chinese state-sponsored botnet of 8,000+ compromised TP-Link routers used for attacks on U.S. critical infrastructure.
What they claim: TP-Link privacy policy promises appropriate security measures to protect personal data and device integrity.
What we found: The Deco product line has a documented pattern of critical command injection vulnerabilities spanning multiple years: CVE-2023-40193 (Deco M4, CVSS 8.0), CVE-2024-21833 (Deco X50, CVSS 8.8, actively exploited by Russian APT 28), and CVE-2026-0654 (Deco BE25, critical). All three allow attackers to execute arbitrary OS commands on the router — the device that sees all network traffic from every connected device in the household.
What they claim: TP-Link Deco privacy policy discloses collecting Wi-Fi credentials as part of device configuration data.
What we found: The Deco M5 requires a TP-Link cloud account for setup and management — there is no local-only setup option. Wi-Fi credentials (SSID and password) are transmitted to and stored on TP-Link cloud servers during configuration. Combined with the national security investigation and the documented Volt Typhoon botnet of compromised TP-Link routers, this means your Wi-Fi password is stored on servers of a company under active federal investigation for potential Chinese government ties.
What they claim: TP-Link Deco privacy policy states they collect data based on user consent and for delivering basic functionality. The policy claims browsing history is only recorded when Parental Controls are enabled.
What we found: Community users documented the Deco M5 making unprompted DNS queries for netflix.com, amazon.com, reddit.com, and youtube.com even when no devices are actively browsing and Parental Controls are disabled. These queries occur even in AP mode when the Deco should not be performing DNS resolution at all.
What they claim: TP-Link privacy policy states that after the Deco is bound to a cloud account, only limited data is collected for basic functionality like remote management.
What we found: Firmware analysis shows the Deco M5 communicates with multiple TP-Link cloud endpoints (use1-api.tplinkcloud.com, euw1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com, n-devs.tplinkcloud.com) and sends approximately 400 NTP requests to NIST servers every 10 minutes. All device management is routed through cloud infrastructure — there is no local-only management option.
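One way to check your own network for the unprompted lookups and cloud contacts described in the two findings above. This is an added example, not code from TP-Link or from the original report. It assumes the Deco is in AP mode, clients use a local dnsmasq resolver with `log-queries` enabled, and the Deco's LAN address is 192.168.68.2 (hypothetical); the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

PROBE_DOMAINS = ("netflix.com", "amazon.com", "reddit.com", "youtube.com")  # named in the finding
CLOUD_DOMAIN = "tplinkcloud.com"                                            # named in the finding

# dnsmasq log-queries line: "<Mon D HH:MM:SS> dnsmasq[pid]: query[TYPE] <name> from <client ip>"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def under(name, domain):
    """True for the domain itself or any subdomain (match on a label boundary)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def classify(name):
    if any(under(name, d) for d in PROBE_DOMAINS):
        return "probe"
    return "cloud" if under(name, CLOUD_DOMAIN) else "other"

def audit(lines, deco_ip, idle=timedelta(minutes=5)):
    """Count the Deco's own lookups; an idle hit has no client query in the prior window."""
    counts, idle_hits, last_client = Counter(), [], None
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        # dnsmasq omits the year; a fixed leap year keeps time differences valid
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        name, src = m.group(2), m.group(3)
        if src != deco_ip:          # a real client was active at this time
            last_client = ts
            continue
        kind = classify(name)
        counts[kind] += 1
        if kind == "probe" and (last_client is None or ts - last_client > idle):
            idle_hits.append((m.group(1), name))
    return counts, idle_hits

SAMPLE = """\
Mar  3 01:40:12 dnsmasq[412]: query[A] example.org from 192.168.68.50
Mar  3 02:10:01 dnsmasq[412]: query[A] netflix.com from 192.168.68.2
Mar  3 02:10:01 dnsmasq[412]: query[A] www.amazon.com from 192.168.68.2
Mar  3 02:10:05 dnsmasq[412]: query[A] use1-api.tplinkcloud.com from 192.168.68.2
Mar  3 02:10:09 dnsmasq[412]: query[AAAA] notnetflix.com from 192.168.68.2
Mar  3 08:15:30 dnsmasq[412]: query[A] youtube.com from 192.168.68.50
Mar  3 08:15:40 dnsmasq[412]: query[A] youtube.com from 192.168.68.2
""".splitlines()   # constructed sample, not captured traffic

if __name__ == "__main__": print(audit(SAMPLE, deco_ip="192.168.68.2"))
```

In AP mode every query logged from the Deco's own address is self-originated, so idle hits for the probe domains are the behaviour users reported; in router mode the Deco forwards client lookups and this source-address test no longer separates the two.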
What they claim: The Deco app requests BLUETOOTH_PRIVILEGED permission, which allows the app to pair with Bluetooth devices without user interaction.
What we found: The Deco M5 uses Bluetooth 4.2 for initial device setup/onboarding only. BLUETOOTH_PRIVILEGED is a system-level permission that enables pairing without user confirmation — this goes beyond what is needed for a one-time setup process. Standard BLUETOOTH and BLUETOOTH_CONNECT permissions would suffice. The privileged permission could allow the app to silently interact with other Bluetooth devices in the vicinity.