Last week, Florida’s two U.S. senators–Republicans Marco Rubio and Rick Scott–teamed up with U.S. Sen. Tom Cotton, R-Ark., to send a letter to U.S. Department of the Treasury Sec. Janet Yellen to express concern regarding the national security threat posed by the People’s Republic of China (PRC)-based company, Tuya.
Tuya is a dominant firm in the Internet of Things industry, which powers “smart” devices such as doorbells, refrigerators, and security cameras in millions of Americans’ homes. The senators urged the Department to add Tuya to its list of Non-SDN Chinese Military-Industrial Complex Companies List operating directly or indirectly in the United States in accordance with President Biden’s Executive Order 14032.
The letter is below.
Dear Secretary Yellen:
We write to express concern regarding the national security threat posed by the People’s Republic of China (PRC)-based company Tuya, a business with significant control over the international “Internet-of-Things” (IoT) market. As such, we urge the U.S. Department of the Treasury to add Tuya to its list of Non-SDN Chinese Military-Industrial Complex Companies List operating directly or indirectly in the United States in accordance with President Biden’s Executive Order 14032.
Companies in the IoT market function by providing internet connectivity to otherwise unconnected devices. The sector has grown rapidly over the last decade, with tens of millions of Americans buying and using “smart” home thermostats, security cameras, lighting systems, refrigerators, and beyond. American consumers’ regular usage of these technologies also means that the data the devices collect is a treasure trove, providing an extraordinarily intimate window—often complete with audio or visual recordings—into users’ households and daily routines.
The threat of that data falling into the wrong hands is enormous, which only underscores how dangerous it is that the leading IoT company is Tuya, a firm that, by PRC law, must follow the directives of the Chinese Communist Party (CCP). Tuya has seen dramatic growth since its founding in 2014, thanks in part to its backing from CCP-linked conglomerate Tencent. As of December 2020, more than 200 million devices around the world are powered by Tuya’s hardware, software, cloud technology, and applications, covering 1,100 categories of devices in 220 countries and regions. More than 5,000 brands, such as Dutch multinational corporation Philips, have worked to build Tuya into their products, which are frequently sold at Walmart, Amazon, Target, and elsewhere. In March 2021, the company listed on the New York Stock Exchange for a total offering size of $915.4 million.
Cyber and national security experts have already raised significant concerns about Tuya’s lack of protections over users’ data. However, there is also a more basic reality that, as a PRC company, Tuya is obligated to comply with CCP orders, including requests to share American and other users’ data with the Chinese government. Specifically, the company is subject to China’s Data Security Law, which mandates that Chinese firms must cooperate with Chinese law enforcement on data if it concerns national or economic security, as well as bans any company in the PRC from providing Chinese-stored data to foreign law enforcement.
Per these PRC laws, Americans with Tuya technology in their home or workplace risk their data being directly accessible to the CCP. This is a profound, unacceptable threat. Continuing to provide Beijing a direct line to Americans’ private data would only empower an unaccountable Chinese firm and contribute to the CCP’s Military-Civil Fusion strategy, which explicitly aims to transform the PRC into the leading superpower by midcentury. It would also deepen the risk of Chinese exploitation of the IoT sector’s vulnerability to malware attacks, which criminals have already used to shut down massive portions of the East Coast’s internet access in 2016.
As such, we urge that the Department of the Treasury add Tuya to its list of Non-SDN Chinese Military-Industrial Complex Companies List operating directly or indirectly in the United States in accordance with President Biden’s Executive Order 14032.
Thank you for your attention to this matter. We look forward to your prompt response.