eufy's entire pitch was: no cloud. Your video stays on your device. Local storage only. Then a security researcher caught them uploading your face to Amazon's servers. Facial recognition thumbnails, sent to AWS, accessible via URL, no authentication required. Anyone with the link could see your face. Anker denied it. Then admitted it. Then called it "necessary for push notifications." A notification doesn't need your face. A notification needs text. They lied about the most fundamental promise they made — where your data lives — and got caught by one person with a network monitor.
Military-grade encryption, they said. Researchers opened VLC, typed in a URL with the camera's serial number, and watched someone's living room. No password. No encryption. No authentication. Just a URL and a serial number. Anker denied it. Then admitted it "in some cases." Then quietly patched it. The camera serial number is printed on the box. Anyone who handled the package — the warehouse worker, the delivery driver, your neighbour — had what they needed to watch your feed. Military-grade encryption with a URL anyone can guess.
What they claim: eufy marketed its cameras with the tagline "No clouds. No costs. Your data stays with you." and promised all footage was stored locally.
What we found: In November 2022, security researcher Paul Moore demonstrated that eufy cameras were uploading facial recognition thumbnails to AWS cloud servers — even when cloud storage was disabled. The thumbnails included facial data and were accessible via URL without authentication. Anker initially denied the findings, then admitted the uploads existed but called them "necessary for push notifications." The unencrypted, unauthenticated cloud uploads of facial recognition data from a product explicitly marketed as local-only storage were one of the most clear-cut privacy deceptions in the smart home industry.
What they claim: eufy claimed all video streams were "end-to-end encrypted" with "military-grade encryption."
What we found: Researchers discovered that eufy camera live feeds could be accessed via VLC media player using a predictable URL scheme with no encryption. The camera serial number and a Unix timestamp were sufficient to construct a working stream URL. This meant anyone who knew or could guess a camera's serial number could watch the live feed remotely. Anker denied unencrypted streams existed, then admitted they existed "in some cases" for the web portal. "Military-grade encryption" with a publicly accessible unencrypted video stream is not a grey area.
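For contrast with a stream URL built only from a serial number and a timestamp, here is an added example (not eufy's or Anker's code) of a server that refuses any stream request lacking a short-lived HMAC signature. The `/stream/` path, the parameter names, the 60-second lifetime and the sample serial are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
TOKEN_TTL = 60                        # assumption: seconds a signed URL stays valid
SAFE = re.compile(r"[A-Za-z0-9]+")    # keeps "|" and "/" out of the MAC input


def predictable_path(serial: str, ts: int) -> str:
    """Weak pattern: built only from values an outsider can read or guess."""
    return f"/stream/{serial}/{ts}"


def _mac(serial: str, user: str, exp: int, key: bytes) -> str:
    msg = f"{serial}|{user}|{exp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_path(serial: str, user: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Hardened pattern: expiry plus a MAC binding serial, user and expiry."""
    if not (SAFE.fullmatch(serial) and SAFE.fullmatch(user)):
        raise ValueError("serial and user must be alphanumeric")
    exp = now + TOKEN_TTL
    query = urlencode({"u": user, "exp": exp, "sig": _mac(serial, user, exp, key)})
    return f"/stream/{serial}?{query}"


def verify(path: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Server-side gate: reject malformed, expired or forged requests."""
    parts = urlsplit(path)
    q = parse_qs(parts.query)
    try:
        serial = parts.path.split("/")[2]
        user, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (IndexError, KeyError, ValueError):
        return False
    if not (SAFE.fullmatch(serial) and SAFE.fullmatch(user)) or now > exp:
        return False
    return hmac.compare_digest(_mac(serial, user, exp, key).encode(), sig.encode())


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    print(verify(predictable_path("SN0CONSTRUCTED0001", t), t))      # False
    print(verify(signed_path("SN0CONSTRUCTED0001", "alice", t), t))  # True
```

A signature of this kind only controls who may open the stream; the stream itself still has to travel over an encrypted transport, and the server should check that the `u` value matches the logged-in account.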
What they claim: Anker eventually apologised and committed to independent security audits.
What we found: After months of denial and minimisation, Anker's head of communications admitted to The Verge that the company had "done a really bad job of communicating" and acknowledged the cloud uploads and unencrypted streams. Anker promised independent third-party security audits and a bug bounty programme. However, no comprehensive public audit results have been published. The pattern — deny, minimise, admit under pressure, promise audits, never publish results — mirrors what happens when accountability is voluntary.