On September 9, U.S. Senators Marco Rubio (R-FL), Rick Scott (R-FL), and Tom Cotton (R-AR) sent a letter to Treasury Secretary Janet Yellen expressing concern about Chinese “Internet of Things” (IoT) company Tuya, and asking the Treasury Department to add Tuya to a “Chinese Military-Industrial Complex Companies List,” which would restrict U.S. persons from purchasing and selling Tuya stock. How the Treasury Department will respond, if it does at all, is an open question.

Tuya and the Internet of Things

As explained in a March Bloomberg article discussing its $915 million IPO on the NYSE, Tuya is a Chinese software company backed by New Enterprise Associates and Tencent Holdings Ltd. Its cloud computing platform is used by businesses “to deploy, connect and manage large numbers and different types of smart devices.” A Tuya SEC filing explains its IoT products further:

We have pioneered a purpose-built IoT cloud platform that delivers a full suite of offerings, including Platform-as-a-Service, or PaaS, and Software-as-a-Service, or SaaS, to businesses and developers. … Our IoT PaaS offering enables businesses and developers to quickly and cost-effectively develop, launch, manage and monetize software-enabled devices and services. Our Industry SaaS offering enables businesses to easily and securely deploy, connect, and manage large numbers and different types of smart devices. ...

Our products enable customers across a broad range of industry verticals, such as smart home, smart business, healthcare, education and agriculture. Our multi-cloud platform allows customers to switch among major cloud infrastructure providers, such as Amazon Web Services, Microsoft Azure and Tencent Cloud, and integrates mainstream third-party technologies, such as Amazon Alexa, Google Assistant and Samsung SmartThings, to make smart devices more intelligent.

Conservative commentators raise concerns

In late July, two scholars at the American Enterprise Institute wrote an op-ed raising concerns about Tuya. They described Tuya as “a nominally private Chinese company backed by Beijing-government crony Tencent.”

They then stated that “[a] recent investigation by cybersecurity firm Dark Cubed found that Tuya-powered devices ‘had at least one network connection to servers based in China … failed basic security checks … provided complete visibility into private images to anyone in the network … [and] are woefully insecure and sending data to China.’” They argued that, “Tuya may well be funneling the information picked up on home security cameras and connected health devices — just to name two examples — back to Beijing.” To address this concern, they suggested that “Congress should consider barring it from operating in the United States and from doing business with U.S. companies.”

In late August, a Voice of America article entitled “Cybersecurity Experts Worried by Chinese Firm’s Control of Smart Devices” discussed this issue further. The article said that “cybersecurity experts worry about the lack of protection for the consumer data collected by Tuya tech in household items and in products used in health care and hospitality.” It quoted Klon Kitchen, one of the American Enterprise Institute authors, as saying the concern is that companies like Tuya must comply with China’s new Data Security Law, which says Chinese enterprises and individuals must support, assist and cooperate with law enforcement on data concerning the national economy, national security and the public. According to Kitchen: “This data might be collected, moved, and held in a ‘secure’ fashion … but it must still be given to the CCP (Chinese Communist Party) and therefore there is a persistent threat that must be addressed. Tuya doesn’t have to be incompetent or malicious to be a threat, it only needs to be compliant with Chinese law.”

The Senators’ letter to Yellen

On September 9, Senators Rubio, Scott, and Cotton weighed in on the matter, sending a letter to Treasury Secretary Yellen that expressed concern about “the national security threat” posed by Tuya. They “urge[d] the U.S. Department of the Treasury to add Tuya to its list of Non-SDN Chinese Military-Industrial Complex Companies List operating directly or indirectly in the United States in accordance with President Biden’s Executive Order 14032.”

The Senators’ letter states that “[t]he threat of that data falling into the wrong hands is enormous, which only underscores how dangerous it is that the leading IoT company is Tuya, a firm that, by PRC law, must follow the directives of the Chinese Communist Party (CCP).” They argued that there is “a more basic reality that, as a PRC company, Tuya is obligated to comply with CCP orders, including requests to share American and other users’ data with the Chinese government.” As a result, “Americans with Tuya technology in their home or workplace risk their data being directly accessible to the CCP.” This would “empower an unaccountable Chinese firm and contribute to the CCP’s Military-Civil Fusion strategy,” and would “deepen the risk of Chinese exploitation of the IoT sector’s vulnerability to malware attacks, which criminals have already used to shut down massive portions of the East Coast’s internet access in 2016.” On this basis, they “urge[d] that the Department of the Treasury add Tuya to its list of Non-SDN Chinese Military-Industrial Complex Companies List operating directly or indirectly in the United States in accordance with President Biden’s Executive Order 14032.”

The relevant law

Executive Order 14032 is entitled “Addressing the Threat From Securities Investments That Finance Certain Companies of the People’s Republic of China.” It was issued on June 3 of this year and expands on an Order issued during the Trump administration. Some of the actions under the Trump administration’s order had been challenged successfully in court (see, e.g., here) and the Biden administration decided to shore it up in the revised Order.

Executive Order 14032 prohibits any purchase or sale by U.S. persons “of any publicly traded securities, or any publicly traded securities that are derivative of such securities or are designed to provide investment exposure to such securities” of companies “listed in the Annex to this order or of any person determined by the Secretary of the Treasury, in consultation with the Secretary of State, and, as the Secretary of the Treasury deems appropriate, the Secretary of Defense”: “(i) to operate or have operated in the defense and related materiel sector or the surveillance technology sector of the economy of the PRC; or (ii) to own or control, or to be owned or controlled by, directly or indirectly, a person who operates or has operated in” those sectors or is listed in the Annex or is otherwise subject to the prohibitions.

OFAC has said that it “expects to use its discretion to target, in particular, persons whose operations include or support, or have included or supported, (1) surveillance of persons by Chinese technology companies that occurs outside of the PRC; or (2) the development, marketing, sale, or export of Chinese surveillance technology that is, was, or can be used for surveillance of religious or ethnic minorities or to otherwise facilitate repression or serious human rights abuse.”

The Annex to the Order lists 59 companies who have been determined to meet these criteria, including Huawei and several other technology companies. A White House Fact Sheet explained that: “The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) will also list these 59 entities on its new Non-SDN Chinese Military-Industrial Complex Companies List (NS-CMIC List).” Additional companies can be added by the Secretary of the Treasury (in consultation with the other agencies). Inclusion of Tuya on the list could mean the delisting of the company from the NYSE.

The Fact Sheet also offers some guidance on the administration’s view of the scope and meaning of “surveillance technologies,” stating that:

This E.O. ... expand[s] the U.S. Government’s ability to address the threat of Chinese surveillance technology firms that contribute — both inside and outside China — to the surveillance of religious or ethnic minorities or otherwise facilitate repression and serious human rights abuses. It signals that the Administration will not hesitate to prevent U.S. capital from flowing into ... Chinese companies that develop or use Chinese surveillance technology to facilitate repression or serious human rights abuse.

Next steps

The Treasury Department has a great deal of discretion on the issue of whether to add a company to the list, subject to legal challenges such as those under the Administrative Procedures Act. The Department is not likely to act without clear evidence here, as it will not want to lose in court.

In addition, a press release and public letter might not be as effective as private communications between members of Congress and the Treasury Department. And it is worth noting that the three Senators involved here are fairly conservative, which might make it unlikely that the Democratic Biden administration would act quickly on their demands. It remains to be seen whether the Senators will try to broaden the scope of people who are pushing to put Tuya on this list and perhaps make this a more bipartisan demand, and, if so, whether this convinces the Biden administration to take action.