eufy Security is designed as a local home security system. All video footage is stored locally and encrypted on the user’s device.
With regard to eufy Security’s facial recognition technology, this is all processed and stored locally on the user’s device.
Our products, services and processes are in full compliance with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.
To provide users with push notifications to their mobile devices, some of our security solutions create small preview images (thumbnails) of videos that are briefly and securely hosted on an AWS-based cloud server. These thumbnails utilize server-side encryption and are set to automatically delete and are in compliance with Apple Push Notification service and Firebase Cloud Messaging standards. Users can only access or share these thumbnails after securely logging into their eufy Security account.
Although our eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications would require preview images to be briefly hosted in the cloud.
That lack of communication was an oversight on our part and we sincerely apologize for our error.
This is how we plan to improve our communication in this matter:
We are revising the push notifications option language in the eufy Security app to clearly detail that push notifications with thumbnails require preview images that will be temporarily stored in the cloud.
We will be more clear about the use of cloud for push notifications in our consumer-facing marketing materials.
eufy Security is committed to the privacy and protection of our users’ data and appreciates the security research community reaching out to us to bring this to our attention.
Unfortunately, this response falls short of addressing all the concerns that were brought forward in the outline of the problem. This does not address the unencrypted video streams at all. The recorded demonstration shows there are larger concerns than the thumbnails one.
They didn’t bring this to your attention. They roasted you with it. Your response is terrible and is whitewash. Nothing in your response addresses anything. NOTHING. It’s not about push notifications, it’s not about being clear and creating these BS “we are wrong, here’s what we do” posts are just crap.
How about you DON’T do it to begin with and you won’t have anything to apologize for? Hows that?
This is not a sufficient response. I have 2 indoor Pan & Tilt cameras. I do not have push notifications enabled for these cameras and never did. They are still uploading face thumbnails to the S3 server. So updating the option in the configuration screens doesn’t resolve this issue. What are you planning to do about this?
“A guarantee that you have control over your own data.” Nothing like blatantly lying to your customers. I smell a class action lawsuit coming eufy’s way in the very near future.
So glad to see other users calling Eufy out that this statement is just as empty a google telling they care for your privacy.
I hope someone here has understandings of the law and can gather people around somewhere and start a combined lawsuit against eufy. Count me in !
And as far as i am concerned, because Eufy shows they really don’t care about the problem with this empty statement, i will never buy Eufy or Anker products again. Damage has been done wont be fixable.
Not good enough, the fact that you’re admiting to changing the language in an attempt to circumvent the issue speaks volumes. I didn’t care too much for your response to my GDPR complaint either.
I feel like I got scammed. The whole point was local storage with no monitoring or cloud service unless opted for. Eufy markets HEAVILY to that. The free aspect of local storage without having to pay for cloud storage is good and great, but really the big deal for anyone that thinks about that is security and privacy. Why do I even have a hardware Homebase if anything has to be processed on a 3rd party server? Then there is the issue of trust given Eufy/Anker’s sketchy response and denial of the vulnerability discovered by security researchers and verified by media outlets, this puts a “what the heck else is going on that I don’t know about” kind of mindset in user’s heads.
I’m in for the class action lawsuit. I noticed on my router the connections to aws so I blocked the camera from the Internet and the app would no longer show local video! I called tech support and was told the camera needs access to the internet to function.
Eufy, no, the camera does not need access to the Internet for the app to view locally stored videos! Fix your app and camera firmware so they can be used with NO Internet connection!
I knew something shady was going on when the support agent told me the camera HAS to have access to the Internet for functionality! Why? What reason? Honestly, WHY? I have a pretty good idea why… it’s because they are creepy perverts eavesdropping on people’s cameras. That and/or they are secretly selling the streams to people (law enforcement, advertising agencies etc.)
I wish the camera and app would work without Internet access!
Eufy app has a new developer name. it is no longer Anker.
The new guy in charge of Anker was from Google China. So I wonder if Eufy started selling our data a year ago.