Eufy told you your doorbell video and face data would never leave your home. They lied. Your face was being uploaded to Amazon's cloud servers without your knowledge. When caught, they quietly deleted their privacy promises from their website instead of fixing the problem. Eufy didn't just upload your face to the cloud — they used it to identify you on other people's doorbells too. If your neighbor had a Eufy doorbell, Eufy's servers could match your face across both cameras using a shared ID, without anyone knowing.
What they claim: Eufy's privacy policy states facial recognition is 'conducted entirely on your device' and local storage data is 'not uploaded to the cloud.' Marketing prominently featured 'No Cloud' and 'Local Storage Only' as key selling points with ten explicit 'privacy promises.'
What we found: Security researcher Paul Moore proved in November 2022 that Eufy cameras were uploading facial recognition thumbnails to AWS cloud servers without user consent. The Verge independently confirmed unencrypted live video streams were accessible via VLC without authentication. The NY AG secured a $450,000 settlement confirming streams were not encrypted. Eufy silently removed ten privacy promises from their website on December 8, 2022.
What they claim: Eufy's privacy policy claims biometric data processing is 'conducted entirely on your device' and implies facial recognition data is isolated to each user's account and local storage.
What we found: Paul Moore discovered that a separate Eufy camera linked to a different account identified his face using the same unique facial ID — proving Eufy maintained a cross-account facial recognition database on cloud servers, matching biometric data between different users' cameras without consent. Class action Sloan v. Anker Tech. Corp. (N.D. Ill.) cites this as evidence of cloud-based biometric processing.
What they claim: The Eufy Video Doorbell Dual is a stationary device permanently mounted at the front door. Its location never changes after installation.
What we found: The Eufy Security app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, and FOREGROUND_SERVICE_LOCATION — persistent location tracking that works even when the app is not in use. Initial Wi-Fi setup may need location for scanning, but continuous background location tracking of the user's phone serves no function for a permanently installed doorbell.
What they claim: Eufy markets its products as privacy-first with 'no cloud' and 'local only' processing. The doorbell is positioned as the secure alternative to Ring.
What we found: The Eufy Security app (v6.0.03_21739) requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, and AD_ID — Google advertising identifier permissions for tracking users across apps for targeted advertising. Mozilla confirmed Eufy shares personal identifiers with advertisers and data analytics providers. A doorbell marketed on privacy includes advertising tracking infrastructure.
What they claim: Eufy differentiates itself from Ring by emphasizing local-only storage and no cloud uploads, positioning itself as the privacy-first alternative.
What we found: Eufy's California Privacy Notice and privacy policy disclose sharing data with 'law enforcement authorities' and advertising networks. Mozilla confirmed Eufy shares personal identifiers with advertisers. Data is also obtained from third parties, including law enforcement. These are the same practices Eufy criticized Ring for — Ring faced an FTC $5.8M settlement for similar issues.
What they claim: Eufy's privacy policy claims video transmission is protected by 'TLS 1.3 and AES-256' encryption. Marketing materials emphasized 'military-grade encryption' and 'end-to-end encrypted' video.
What we found: The Verge proved live video streams from Eufy cameras were accessible using VLC media player without any authentication or decryption. An Anker PR manager denied this was possible while The Verge was actively doing it. USENIX WOOT '24 research confirmed the unencrypted stream issue stemmed from a design flaw where video was relayed through Eufy's cloud servers with insufficient access controls.
What they claim: Eufy markets its products as a 'security' system with 'military-grade encryption' and positions the Homebase as the secure local storage hub.
What we found: CVE-2022-21806 (CVSS 10.0 — maximum severity): Use-after-free in Eufy Homebase 2 allows remote code execution. CVE-2022-25989 (CVSS 7.1): Authentication bypass allows an attacker to redirect video feeds. CVE-2022-26073 (CVSS 7.4): DoS disables all connected cameras. CVE-2023-37822: Homebase wireless network acts as a proxy to the home network. Cisco Talos and USENIX researchers discovered these.
What they claim: Eufy's post-scandal privacy policy (updated January 30, 2026) still claims data processing is 'conducted entirely on your device' and emphasizes local storage.
What we found: Anker's response pattern: (1) November 2022 — denied cloud uploads when Paul Moore reported them, (2) Anker PR stated 'it is not possible' to access streams via VLC while The Verge was doing it, (3) December 8, 2022 — silently removed ten privacy promises from website, (4) December 2022 — CEO finally admitted breach. Updated privacy policy still contains similar local-processing claims that were disproven. Language changed but fundamental claims remain.
What they claim: The Eufy Video Doorbell Dual is a battery-powered doorbell camera with 2K video, motion detection, and two-way audio. Its core function is recording video and allowing remote viewing.
What we found: The Eufy Security app requests 49 permissions including ACTIVITY_RECOGNITION, READ_PHONE_STATE, WRITE_SETTINGS, SYSTEM_ALERT_WINDOW, KILL_BACKGROUND_PROCESSES, and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS. A doorbell camera does not need to know your physical activity, read phone identity, modify system settings, or draw over other apps. These permissions suggest data collection beyond device operation.
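The permission findings above (location, advertising ID, and the permissions unrelated to doorbell operation) can be reproduced on any app by auditing its decoded AndroidManifest.xml, for example one extracted with apktool. The following is an added example, not part of the original report or Eufy's code; the sample manifest and package name are constructed, and the category labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Names are from the findings above; category labels are this example's own.
CATEGORIES = {
    "location": {"ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION",
                 "ACCESS_COARSE_LOCATION", "FOREGROUND_SERVICE_LOCATION"},
    "advertising": {"ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION",
                    "AD_ID"},
    "beyond_device_operation": {
        "ACTIVITY_RECOGNITION", "READ_PHONE_STATE", "WRITE_SETTINGS",
        "SYSTEM_ALERT_WINDOW", "KILL_BACKGROUND_PROCESSES",
        "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

# Constructed sample manifest (hypothetical package), not the Eufy app's file.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.doorbell">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml):
    """Group declared permissions by category; unlisted ones land in 'other'."""
    report = {category: [] for category in [*CATEGORIES, "other"]}
    for permission in sorted(requested_permissions(manifest_xml)):
        short = permission.rsplit(".", 1)[-1]  # drop the namespace prefix
        category = next((c for c, names in CATEGORIES.items() if short in names),
                        "other")
        report[category].append(permission)
    return report
```

Calling `audit()` on a real decoded manifest returns a dictionary whose non-empty `location`, `advertising` and `beyond_device_operation` lists are the permissions to question against the product's stated function.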
What they claim: Eufy marketed the Video Doorbell Dual as 'local storage only' with 'no cloud required.' Product page emphasizes all video stays on the 16GB local storage in the HomeBase 2.
What we found: Firmware analysis reveals seven hardcoded cloud endpoints: mysecurity.eufylife.com, security-api.eufylife.com, p2p-stun.eufylife.com, p2p-turn.eufylife.com, push.eufylife.com, api.eufylife.com. USENIX WOOT '24 confirmed devices communicate with AWS. Blocking outgoing connections causes the camera to stop working entirely, even for local features.
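A home-network check of the 'local storage only' claim against the endpoints listed above: count which of those hostnames a device resolves, using a dnsmasq query log. This is an added example, not part of the original report; the log lines and the device address 192.168.1.57 are constructed, and it assumes the resolver runs dnsmasq with query logging enabled.

```python
import re
from collections import Counter

# Hostnames exactly as listed in the finding above.
LISTED_ENDPOINTS = {
    "mysecurity.eufylife.com", "security-api.eufylife.com",
    "p2p-stun.eufylife.com", "p2p-turn.eufylife.com",
    "push.eufylife.com", "api.eufylife.com",
}

# dnsmasq log-queries line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Constructed log lines; 192.168.1.57 is a hypothetical address for the doorbell hub.
SAMPLE_LOG = """\
Nov 28 10:15:01 dnsmasq[811]: query[A] security-api.eufylife.com from 192.168.1.57
Nov 28 10:15:01 dnsmasq[811]: forwarded security-api.eufylife.com to 9.9.9.9
Nov 28 10:15:02 dnsmasq[811]: query[A] P2P-STUN.eufylife.com from 192.168.1.57
Nov 28 10:15:09 dnsmasq[811]: query[AAAA] security-api.eufylife.com from 192.168.1.57
Nov 28 10:16:30 dnsmasq[811]: query[A] pool.ntp.org from 192.168.1.57
Nov 28 10:16:31 dnsmasq[811]: query[A] api.eufylife.com from 192.168.1.20
"""

def cloud_lookups(log_text, device_ip):
    """Count DNS names queried by one device, split into listed and other."""
    listed, other = Counter(), Counter()
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match or match["client"] != device_ip:
            continue  # not a query line, or a different client
        name = match["name"].lower().rstrip(".")  # DNS names are case-insensitive
        (listed if name in LISTED_ENDPOINTS else other)[name] += 1
    return listed, other

def local_only_claim_holds(log_text, device_ip):
    """True only if the device looked up none of the listed cloud endpoints."""
    listed, _ = cloud_lookups(log_text, device_ip)
    return not listed
```

A DNS log only covers lookups sent through this resolver, so a clean result should be cross-checked against firewall flow logs for the same device.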