eufy told customers their baby monitor video stays on the device and is encrypted end-to-end. In reality, video was being uploaded to cloud servers without encryption, and anyone who figured out the URL could watch the feed. The New York Attorney General fined them $450,000 for this deception. This means footage of your sleeping baby may have been accessible to unauthorized people on the internet.
eufy doesn't tell you where your baby's data goes. But the company is Chinese-owned (Anker, based in Shenzhen), and researchers found data being sent to both Amazon cloud servers and Chinese servers. Chinese law allows the government to demand access to data held by Chinese companies. This means your baby's heart rate, blood oxygen levels, sleep patterns, and 24/7 video feed could potentially be accessed by the Chinese government, and eufy never told you this was possible.
What they claim: eufy marketed all products including baby monitors as using "local-only storage" and "end-to-end encryption" for video data. The privacy policy implies data stays on the device or under user control.
What we found: Security researcher Paul Moore discovered in November 2022 that eufy cameras upload unencrypted facial recognition thumbnails and video data to AWS cloud servers (s3.amazonaws.com). The New York Attorney General confirmed video data was NOT protected by end-to-end encryption, and active streams could be accessed without authentication via predictable URLs. Anker admitted in February 2023 that they had been lying about encryption. Firmware analysis reveals hardcoded endpoints including s3.amazonaws.com and p2p-connector-cn.eufylife.com (Chinese server).
What they claim: eufy's privacy policy does not disclose where baby monitor data is processed or stored geographically. The policy implies data handling complies with privacy laws.
What we found: Anker Innovations Limited is headquartered in Hong Kong with primary operations in Shenzhen, China. Under China's PIPL, National Security Law, and Cybersecurity Law, Chinese authorities can compel access to data held by Chinese companies. The 2022 scandal revealed data was being sent to AWS servers (s3.amazonaws.com) and Chinese P2P servers (p2p-connector-cn.eufylife.com). The class action lawsuit alleges eufy stored facial recognition data with identifiable information on cloud servers. Baby biometric data (heart rate, blood oxygen) collected by the smart sock is processed through this same infrastructure.
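One way to check a "local-only" claim on your own network is to look at which hostnames the device resolves. The following is an added example, not part of the original findings: it scans dnsmasq-style query logs for the two endpoints named above. The log lines and the camera address 192.168.1.50 are constructed for illustration.

```python
import re
from collections import defaultdict

# Hostnames named in the findings above.
PAGE_ENDPOINTS = ("s3.amazonaws.com", "p2p-connector-cn.eufylife.com")

# dnsmasq query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed log lines; 192.168.1.50 is assumed to be the camera.
SAMPLE_LOG = """\
Nov 24 02:10:01 dnsmasq[512]: query[A] time.example.net from 192.168.1.50
Nov 24 02:10:03 dnsmasq[512]: query[A] s3.amazonaws.com from 192.168.1.50
Nov 24 02:10:03 dnsmasq[512]: reply s3.amazonaws.com is 203.0.113.10
Nov 24 02:10:09 dnsmasq[512]: query[A] p2p-connector-cn.eufylife.com from 192.168.1.50
Nov 24 02:11:40 dnsmasq[512]: query[AAAA] bucket1.s3.amazonaws.com from 192.168.1.50
Nov 24 02:12:00 dnsmasq[512]: query[A] s3.amazonaws.com from 192.168.1.23
Nov 24 02:12:05 dnsmasq[512]: query[A] nots3.amazonaws.com.example.org from 192.168.1.50
"""

def matches_endpoint(name, endpoint):
    """True if name is the endpoint itself or a subdomain of it."""
    name = name.lower().rstrip(".")
    return name == endpoint or name.endswith("." + endpoint)

def cloud_lookups(log_text, device_ip, endpoints=PAGE_ENDPOINTS):
    """Count DNS queries from device_ip for each watched endpoint."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["client"] != device_ip:
            continue  # replies and other clients are ignored
        for ep in endpoints:
            if matches_endpoint(m["name"], ep):
                hits[ep] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in cloud_lookups(SAMPLE_LOG, "192.168.1.50").items():
        print(f"{count:3d} lookups  {host}")
```

A lookup only shows that the device resolved the host; confirming what is actually sent requires capturing the traffic itself.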
What they claim: The S340 Smart Sock collects baby biometric data (heart rate, blood oxygen, sleep patterns) and transmits it via BLE 5.0 to the base station, then via WiFi to the app.
What we found: The smart sock sensor (T8340) monitors heart rate and blood oxygen via PPG (photoplethysmography) — this is biometric health data under HIPAA, GDPR, and state biometric privacy laws (e.g., Illinois BIPA). The privacy policy does NOT specifically mention biometric data collection or provide biometric data-specific consent. The BLE 5.0 connection between sock and base has a maximum output of 5.43 dBm, which gives adequate range, but the eufy ecosystem has proven security weaknesses (CVE-2023-37822 showed WPA2 keys based on serial numbers). The baby's biometric health data transits through an ecosystem with documented encryption failures and no biometric-specific privacy protections.
What they claim: A baby monitor app should need camera, microphone, and network permissions. The eufy Baby app requests 40 Android permissions.
What we found: The eufy Baby app requests permissions far beyond baby monitoring: WRITE_SETTINGS (modify system settings), SYSTEM_ALERT_WINDOW (draw over other apps), PREVENT_POWER_KEY (prevent phone from sleeping), FLASHLIGHT, CHANGE_WIFI_MULTICAST_STATE and CHANGE_WIFI_STATE (modify WiFi settings), MAINLINE_NETWORK_STACK (deep network access), USE_BIOMETRIC/USE_FINGERPRINT, SCHEDULE_EXACT_ALARM, and SET_ALARM. The firmware connects to p2p-connector-cn.eufylife.com (Chinese P2P server) and s3.amazonaws.com. With 40 permissions including system-level controls, the app has far more access to the parent's phone than needed for viewing a baby camera.
What they claim: The eufy Baby app requests RECORD_AUDIO and CAMERA permissions, described as needed for baby monitoring features like cry detection.
What we found: The app requests RECORD_AUDIO (microphone access on the parent's phone) in addition to the baby monitor camera's built-in microphone. The privacy policy admits collecting "images and video of the infant for remote monitoring" plus "device status, event logs, error and fault logs." For cloud storage subscribers, "videos related to those cloud storage subscriptions will be uploaded to the cloud." The class action lawsuit alleges eufy stored facial recognition data with identifiable information, meaning the AI cry detection feature may involve cloud processing despite local-only claims. Mozilla's Privacy Not Included review gave eufy a warning label.
What they claim: eufy's privacy policy describes collecting baby data (name, gender, date of birth, weight, photographs) and states data retention is "for the minimum period necessary."
What we found: The eufy Baby app requests READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, READ_MEDIA_IMAGES, and READ_MEDIA_VIDEO — permissions to access ALL photos and videos on the parent's phone, not just baby monitor content. Combined with CAMERA (phone camera access) and the lack of transparent data retention periods, the app can potentially access and upload the parent's personal photos and videos. The 2022 scandal proved eufy was uploading data to cloud servers without disclosure. The class action alleges facial recognition data was not deleted even when users deleted footage from the app.
What they claim: eufy's privacy policy states they share data with "Anker affiliates and group entities" and with "advertising networks and marketing partners" — even for their baby monitoring products.
What we found: The privacy policy explicitly lists sharing with advertising networks for a product that exclusively monitors infants. The NY AG settlement confirmed eufy's security and privacy claims were misleading. Mozilla awarded eufy a Privacy Not Included warning. The class action alleges secret cloud uploads of facial recognition data. Despite all this enforcement action and public scandal, eufy's current privacy policy STILL permits sharing baby monitoring data with advertising partners — the policy has not been narrowed for baby monitor products despite the device category's extreme sensitivity.
What they claim: eufy's privacy policy states they do "not sell the Personal Data of individuals we know to be less than 16 years of age" for targeted advertising, suggesting child data protection.
What we found: The eufy Baby app (com.oceanwing.care.cam v2.1.8) requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION — Android advertising tracking permissions — plus AD_ID and BIND_GET_INSTALL_REFERRER_SERVICE for install attribution. The privacy policy admits sharing data with "advertising networks and marketing partners." A baby monitor app's sole purpose is monitoring an infant (always under 16), yet the app contains advertising infrastructure permissions that enable tracking of the parent's device while it displays baby monitoring data.
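The permission findings above (system-level controls, phone media access, advertising identifiers) can be checked against any decoded AndroidManifest.xml. The following is an added example, not the reviewers' tooling: it sorts declared permissions into the baseline the page names (camera, microphone, network) and the three groups the findings describe. The manifest and package name are constructed and list only a subset of the permissions mentioned.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Baseline from the text: camera, microphone and network access.
BASELINE = {"CAMERA", "RECORD_AUDIO", "INTERNET"}
# Groupings follow the findings above (short names as written on the page).
CATEGORIES = {
    "system_control": {"WRITE_SETTINGS", "SYSTEM_ALERT_WINDOW", "CHANGE_WIFI_STATE",
                       "CHANGE_WIFI_MULTICAST_STATE", "MAINLINE_NETWORK_STACK"},
    "phone_media": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
                    "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO"},
    "advertising": {"ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION",
                    "AD_ID", "BIND_GET_INSTALL_REFERRER_SERVICE"},
}
# Constructed manifest for illustration; not the real app's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.babycam">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def audit_permissions(manifest_xml):
    """Group declared permissions into baseline, page categories, or 'other'."""
    report = {"baseline": [], "other": []}
    report.update({name: [] for name in CATEGORIES})
    for el in ET.fromstring(manifest_xml.strip()).iter("uses-permission"):
        short = el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        if short in BASELINE:
            report["baseline"].append(short)
            continue
        bucket = next((c for c, names in CATEGORIES.items() if short in names), "other")
        report[bucket].append(short)
    return report

def excess_count(report):
    """Number of declared permissions outside the monitoring baseline."""
    return sum(len(v) for k, v in report.items() if k != "baseline")

if __name__ == "__main__":
    result = audit_permissions(SAMPLE_MANIFEST)
    for bucket, names in result.items():
        print(f"{bucket:15} {', '.join(names) or '-'}")
    print("beyond baseline:", excess_count(result))
```

The manifest inside an APK is binary XML, so it has to be decoded to text before this parser can read it.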
What they claim: eufy products are marketed as having strong security with encrypted local storage. FCC filings describe standard WiFi and BLE operation.
What we found: Six CVEs have been identified in the eufy ecosystem: CVE-2022-21806 (CVSS 10.0 — maximum severity RCE in Homebase), CVE-2022-25989 (CVSS 7.1 — authentication bypass via DHCP), CVE-2022-26073 (CVSS 7.4 — DoS via reboot), CVE-2023-37822 (WPA2-PSK based solely on serial number — offline brute force in seconds), CVE-2021-3555 (buffer overflow in RTSP server). The NY AG settlement confirmed the companies lacked sufficient security testing. The eufy ecosystem shares cloud infrastructure across products — baby monitors using the same app and cloud backend are exposed to these vulnerabilities.
What they claim: FCC filings show the baby monitor camera and sock base were approved in July 2021 as standard WiFi/BLE consumer devices.
What we found: The FCC filings (2AOKB-T8360, 2AOKB-T8351) show standard wireless device certifications from 2021. However, by late 2022, security researchers had discovered that eufy's entire product line had fundamental security flaws: no real end-to-end encryption, unencrypted cloud uploads, and streams accessible via serial-number-based URLs. The NY AG settlement in 2023 required eufy to implement comprehensive security programs and third-party testing — meaning these security measures did NOT exist when the baby monitor was approved and sold. The FCC certification covers only RF emissions, not data security, leaving a gap where devices with critical security flaws pass regulatory approval.