This article is more than 1 year old

Eufy security cams 'ignore cloud opt-out, store unique IDs' of anyone who walks by

Gadget maker accused of 'corporate voyeurism' by gathering up footage against your wishes

A lawsuit filed against eufy security cam maker Anker Tech claims the biz assigns "unique identifiers" to the faces of any person who walks in front of its devices – and then stores that data in the cloud, "essentially logging the locations of unsuspecting individuals" when they stroll past.

The complaint, a would-be class action filed in a Florida court in January, was this week transferred to the Northern District of Illinois, docket records viewed by The Register showed.

It's one of three lawsuits filed after infoseccer Paul Moore and a "hacker who goes by Wasabi" both publicly alleged that Anker was not storing and securing people's information the way it said it would. All three suits allege Anker falsely represented that its security cameras stored all data locally and did not upload that data to the cloud.

Moore went public with his claims in November last year, alleging video and audio captured by Anker's eufy security cams could be streamed and watched by any stranger using VLC media player, that famed open-source fave with the white-and-orange-striped traffic-cone logo. In a YouTube video, the complaint details, Moore allegedly showed how the "supposedly 'private,' 'stored locally', 'transmitted only to you' doorbell is streaming to the cloud - without cloud storage enabled."

He claimed the devices were uploading video thumbnails and facial recognition data to Anker's cloud server, despite his never opting into Anker's cloud services and said he'd found a separate camera tied to a different account could identify his face with the same unique ID.

The security researcher alleged at the time this showed that Anker was not only storing facial-recog data in the cloud, but also "sharing that back-end information between accounts" lawyers for the two other, near-identical lawsuits claim.

The Florida plaintiff, Sagar Desai, alleges, among other things, that the company violated America's Federal Wiretap Act, and engaged in deceptive trade practices. Desai's legal team has requested that it be consolidated with the two other claims, which were already borged together in February.

According to the complaint [PDF], eufy's security cameras are marketed as "private" and as "local storage only" as a direct alternative to Anker's competitors that require the use of cloud storage.

Desai's complaint goes on to claim:

Not only does Anker not keep consumers' information private, it was further revealed that Anker was uploading facial recognition data and biometrics to its Amazon Web Services cloud without encryption.

In fact, Anker has been storing its customers' data alongside a specific username and other identifiable information on its AWS cloud servers even when its "eufy" app reflects the data has been deleted. .... Further, even when using a different camera, different username, and even a different HomeBase to "store" the footage locally, Anker is still tagging and linking a user's facial ID to their picture across its camera platform. Meaning, once recorded on one eufy Security Camera, those same individuals are recognized via their biometrics on other eufy Security Cameras.

In an unrelated incident in 2021, a "software bug" in some of the brand's 1080p Wi-Fi-connected Eufycams cams sent feeds from some users' homes to other Eufycam customers, some of whom were in other countries at the time. A spokesperson for Anker told us at the time that only a small number of customers had been affected, adding: "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again."

We have asked Anker Technology Corporation for comment. ®

More about

TIP US OFF

Send us news


Other stories you might like