18 votes

Anker’s Eufy lied to us about the security of its security cameras. Despite claims of only using local storage, Eufy has been uploading identifiable footage to the cloud.

Posted by cfabbro
Tags: security.home, privacy, anker, eufy, paul moore, cloud, facial recognition, encryption, streaming.unencrypted, cameras.security, author.sean hollister, source.the verge
https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage

Link information

This data is scraped automatically and may be incorrect.

Title
Anker's Eufy lied to us about the security of its security cameras
Authors
Sean Hollister
Published
Dec 1 2022
Word count
1232 words

6 comments

  1. [4]
    cfabbro
    Link
    Follow up to this article: Anker’s Eufy deleted these 10 privacy promises instead of answering our questions

    Follow up to this article:
    Anker’s Eufy deleted these 10 privacy promises instead of answering our questions

    It’s been two weeks since we reported that Anker’s Eufy lied to us about the security of its security cameras, and we’ve been pushing the company for answers ever since. But the company hasn’t answered a single one of our questions — in fact, I haven’t gotten a single reply since December 1st.

    Today, on a whim, I thought I’d take a peek at Eufy’s website... maybe find some answers there? Instead, I found that Anker has quietly scrubbed all of its most promising privacy promises from its “privacy commitment” page. It got nerfed — hard.

    Here are 10 things that were written on Eufy’s privacy commitment page as of December 8th, 2022, that are no longer there today:

    • “To start, we’re taking every step imaginable to ensure your data remains private, with you.”
    • “[Y]our recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
    • “Here at eufy, we’re not just all talk and no action.”
    • “With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone.”
    • “All recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage. Data during transmission is encrypted.”
    • “There is no online link available to any video.”
    • “You need to use Eufy software and your account to decrypt the clips for viewing. No one else can access or read this data.”
    • “For Your Eyes Only”
    • “Peeking Prohibited”
    • “Everything In-House”

    There’s an 11th item missing, too. It’s a little long, but I think it’s an important one:

    Does eufy share video recordings with law enforcement agencies?

    In response to legal requests from law enforcement agencies, we will not, without the customer’s consent, disclose video recordings unless it is necessary to comply with the law or if there is an emergency involving imminent danger of death or serious physical injury to a person. We object to overbroad or otherwise inappropriate demands as a matter of course. Unless prohibited from doing so or eufy has clear indication of illegal conduct in connection with the use of eufy products or services, eufy notifies customers before disclosing content information.

    It’s not all deletions, mind you. Anker also makes it clearer that customers can access footage through a web portal and that you can “choose to store” your video clips in the cloud. It also promises that “your video recordings will not be viewed, shared, or used by eufy for any other purpose” beyond troubleshooting. Anker also now says that “Your video can not be accessed or shared by anyone without access to your account.”

    We’ve heard from a tipster that Eufy’s customer support agents (here’s their email) are indeed trying to answer questions like “why the heck could The Verge access a stream through VLC,” and I’d love to have copies of those answers if you manage to get them! (I’m at sean@theverge.com.)

    Because Anker’s PR department, I’m afraid, isn’t sending them to me.

    7 votes
    1. [3]
      unknown user
      Link Parent
      You can also tell they had those promises up until very recently because Linus Sebastian (of Linus Tech Tips) showed their website, with one of said promises, live on stream not too long ago (←...

      You can also tell they had those promises up until very recently because Linus Sebastian (of Linus Tech Tips) showed their website, with one of said promises, live on stream not too long ago (← link to an official clip on the matter).

      7 votes
      1. [2]
        Greg
        Link Parent
        I really appreciated such an uncompromising take from a high profile channel on this - Anker outright lied, that’s what matters, and anyone even slightly trying to justify their actions has missed...

        I really appreciated such an uncompromising take from a high profile channel on this - Anker outright lied, that’s what matters, and anyone even slightly trying to justify their actions has missed the point. The insanely bad security practices compound the issue, but incompetence could at least be fixed by hiring better engineers; the fact they chose to take the data in the first place, though? That’s malice, and that’s an awful lot harder to come back from.

        “It’s a shame we can’t work with them anymore, because they’ve been a good partner up until now” is exactly the level of seriousness that’s warranted. No equivocation, just frustration that their otherwise genuinely good products are now tainted to the point that nobody should buy them in future.

        5 votes
        1. unknown user
          Link Parent
          To be clear: Linus and Co. have committed to not working with Anker (parent company of Eufy) on a previous stream (timestamped; see: 6:16). ← The clip is from Nov 29. The actual show (not...

          To be clear: Linus and Co. have committed to not working with Anker (parent company of Eufy) on a previous stream (timestamped; see: 6:16). ← The clip is from Nov 29. The actual show (not timestamped) is from Nov 26.

          It's not a sudden change of pace as of recently. They went with a resounding "fuck that" way back when the news first broke out.

          3 votes
  2. [2]
    Eabryt
    Link
    I know a lot of people are complaining about this (for very good reason) but I'm mostly just disappointed because Anker have been my go-to phone cable brand for years. I'll need to find a new...

    I know a lot of people are complaining about this (for very good reason) but I'm mostly just disappointed because Anker have been my go-to phone cable brand for years.

    I'll need to find a new place, so I'm taking suggestions if anyone has any.

    5 votes
    1. cfabbro
      (edited )
      Link Parent
      Ditto. Anker is one of the very few brands I actually trust when it comes to chargers, cables, surge protectors, power banks, etc. So I'm super disappointed in them over this too. However, despite...

      Ditto. Anker is one of the very few brands I actually trust when it comes to chargers, cables, surge protectors, power banks, etc. So I'm super disappointed in them over this too.

      However, despite being disappointed, in all honesty I will probably still keep buying products from them since their prices are hard to beat, and they have yet to fail on me or damage any of my electronics. And the only other companies I can say that about are APC and Belkin, who I also occasionally buy stuff from too.

      So if you're looking for an alternative to Anker, Belkin is who I would recommend for most things. Belkin products tend to be a bit more expensive than Anker, and they have less product variety, but they're also incredibly reliable. I would also recommend APC too, but they only make surge protectors and battery backup/UPS systems, and also tend to be much more expensive than the others since they typically have lifetime warranties, and come with insurance against equipment damage.

      2 votes