Eufy promised that your face data and videos would never leave your device and would stay stored locally. In reality, the company was secretly uploading facial recognition images to cloud servers without telling you. They even had a hidden database that could match your face across different users' cameras. When caught, they quietly deleted their privacy promises from their website instead of admitting the truth. This is a direct lie about where your most sensitive biometric data goes. Eufy claims your smart lock works locally without the cloud and that everything is strongly encrypted. But the lock actually talks to at least 7 different cloud servers, and researchers showed that the video feed could be watched by anyone who had the right web link — no password needed. The "encryption" Eufy advertised didn't actually exist. If you block internet access, the lock stops working properly, proving it depends on the cloud despite claiming otherwise.
What they claim: Eufy privacy policy states biometric data is "securely stored locally on your device and not uploaded to the cloud" and facial recognition occurs "entirely on your device" with no cloud access to biometric data.
What we found: Security researcher Paul Moore proved on November 23, 2022 that eufy devices uploaded facial recognition thumbnails to AWS cloud servers without consent. Unique facial IDs were shared across different user accounts, proving that a cloud-side facial recognition database existed. Anker's CEO admitted the breach in January 2023. The New York AG investigation confirmed that video streams were not always encrypted and were accessible without authentication. Eufy silently removed ten "privacy promises" from their website on December 8, 2022.
What they claim: The Video Smart Lock collects fingerprint biometric data and facial recognition data for device operation. Eufy claims on-device processing for biometrics.
What we found: CVE-2022-21806 (CVSS 10.0) allows remote code execution on the Eufy Homebase hub that coordinates the ecosystem. CVE-2022-25989 allows authentication bypass to redirect video feeds to attacker-controlled devices. A USENIX WOOT '24 paper demonstrated a complete ecosystem compromise requiring only proximity (up to miles with specialized hardware) and taking under 20 seconds. The device stores both fingerprint and facial biometric data. If the ecosystem is compromised via these vulnerabilities, an attacker could access the biometric data that Eufy claims is safely stored locally. The 50,000 NY AG settlement confirmed the security architecture was fundamentally flawed.
What they claim: The Video Smart Lock is marketed as a 3-in-1 device: smart lock + camera + doorbell. It should only need permissions related to these functions.
What we found: The eufy Security app requests 49 permissions including: ACTIVITY_RECOGNITION (tracks whether you are walking, driving, or still — irrelevant for a door lock), ACCESS_BACKGROUND_LOCATION (continuously tracks your phone's location even when the app is closed), READ_PHONE_STATE (accesses phone call status and device identifiers), RECORD_AUDIO and FOREGROUND_SERVICE_MICROPHONE (can record audio continuously), CAMERA (accesses phone's camera, separate from the lock's built-in camera), READ_MEDIA_AUDIO/IMAGES/VIDEO (reads your personal media files). A door lock needs Wi-Fi, Bluetooth, and notifications — not activity tracking, background location, or access to your personal photos and audio files.
What they claim: The eufy Security app requests RECORD_AUDIO, FOREGROUND_SERVICE_MICROPHONE, and CAMERA permissions. The device has built-in two-way audio and a 2K camera.
What we found: The app can maintain audio recording in the foreground while the user interacts with other apps (FOREGROUND_SERVICE_MICROPHONE). Combined with the cloud upload scandal — where eufy was proven to send data to AWS without consent — this creates a potential surveillance capability. The 2022 discovery showed eufy uploads happened silently with no user notification. The USENIX WOOT '24 paper demonstrated that the eufy ecosystem can be fully compromised remotely. If the audio/video feeds can be intercepted (as proven by The Verge accessing streams via VLC), the two-way audio on a front door lock becomes a remote surveillance microphone. The class action lawsuit alleges systematic privacy violations across the eufy product line.
What they claim: Eufy's privacy policy states it is the user's "responsibility to ensure that you comply with all such applicable laws" regarding consent for video and facial recognition data collection.
What we found: The policy shifts legal responsibility for biometric data compliance to users while the company was secretly uploading biometric facial data to cloud servers in violation of GDPR and BIPA. The app requests USE_BIOMETRIC and USE_FINGERPRINT permissions for the lock's fingerprint reader, plus CAMERA for the facial recognition system. Illinois BIPA claims survived dismissal in Sloan v. Anker (N.D. Ill.), and the class action is proceeding. Eufy collected biometric data (fingerprints, faces) while telling users THEY were responsible for compliance — even as Eufy itself was violating biometric privacy laws by uploading this data without consent.
What they claim: The Video Smart Lock uses 2.4GHz Wi-Fi and BLE per FCC filing 2AOKB-T8531, with additional 24GHz radar for presence detection. The FCC grant was issued October 2023.
What we found: The FCC filing was granted in October 2023, AFTER the November 2022 cloud upload scandal, AFTER the 50,000 NY AG settlement process began, and AFTER multiple class action lawsuits were filed. Anker proceeded to release a new biometric device (collecting fingerprints and face data) into the same ecosystem with known systemic security flaws. CVE-2022-21806 (CVSS 10.0 RCE) and CVE-2022-25989 (video feed hijacking) had been publicly disclosed for over a year. The USENIX WOOT '24 paper confirmed the ecosystem remained vulnerable. Releasing a device that stores fingerprints and face data into a known-compromised ecosystem shows that product launches were prioritized over user security.
What they claim: Eufy's current privacy policy states data is shared with "processors, ad networks and advertising partners, business and marketing partners, third-party providers." Policy allows collection from third parties including "credit reference agencies" and "law enforcement authorities."
What we found: Mozilla's Privacy Not Included review gave eufy a warning label, noting the company shares personal identifiers with advertisers. The privacy policy deteriorated between 2021 and 2022 according to Mozilla's tracking. Data deletion rights are specifically mentioned only for California users, creating a two-tier privacy system. For a device that captures biometric data (fingerprints, face images) and has a 2K camera pointing at everyone who approaches a front door, sharing data with "advertising partners" is extraordinary. The app's AD_ID and ACCESS_ADSERVICES_AD_ID permissions confirm advertising data flows are technically implemented, not just theoretically permitted.
What they claim: Eufy's privacy policy states the company collects standard account information and device data. The Exodus Privacy report shows 0 trackers in the eufy Security app, suggesting minimal third-party data collection.
What we found: Despite showing 0 known trackers, the eufy Security app requests ACCESS_ADSERVICES_AD_ID and AD_ID permissions — these are specifically designed for advertising tracking and serve no security function. The app also requests ACCESS_ADSERVICES_ATTRIBUTION for ad attribution tracking. The privacy policy confirms data sharing with "ad networks and advertising partners, business and marketing partners." Mozilla's Privacy Not Included review confirmed eufy shares personal identifiers with advertisers. A security camera and door lock app has no legitimate reason to integrate advertising infrastructure.
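The permission findings above (the 49-permission request list and the advertising-ID permissions) are the kind of thing a reviewer checks by reading the app's AndroidManifest rather than the store listing. The script below is an added example written for this review; it is not eufy's, Anker's or any project's code. It parses a manifest excerpt for its uses-permission entries, subtracts a baseline of what a lock + camera + doorbell companion app plausibly needs (that baseline is an assumption, not a published list), and buckets the remainder by the kind of data each permission exposes. The manifest is constructed: it contains only the permissions named in the review, the package name is a placeholder, and the permission names are the standard Android identifiers.

```python
"""Audit the permissions an Android companion app requests against what a
lock + camera + doorbell app actually needs.

Added example for this review; it is not eufy's, Anker's or any project's
code. The manifest below is constructed: it lists only the permissions the
review names (the real app requests 49), and the package name is a placeholder.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Baseline a smart-lock companion app plausibly needs (assumption, not a
# published list): network setup, Bluetooth pairing, push notifications and
# the phone's own biometric prompt for unlocking the app.
EXPECTED_FOR_SMART_LOCK = {
    "INTERNET", "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE",
    "BLUETOOTH", "BLUETOOTH_SCAN", "BLUETOOTH_CONNECT",
    "POST_NOTIFICATIONS", "USE_BIOMETRIC", "USE_FINGERPRINT",
}

# Anything beyond the baseline is bucketed by the kind of data it exposes.
RISK_CATEGORIES = {
    "advertising": {"AD_ID", "ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION"},
    "location_tracking": {"ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION",
                          "ACCESS_COARSE_LOCATION", "ACTIVITY_RECOGNITION"},
    "media_capture": {"RECORD_AUDIO", "FOREGROUND_SERVICE_MICROPHONE", "CAMERA"},
    "personal_data": {"READ_PHONE_STATE", "READ_MEDIA_AUDIO",
                      "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO"},
}

# Constructed manifest excerpt (placeholder package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lockcompanion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MICROPHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_MEDIA_AUDIO"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_ATTRIBUTION"/>
</manifest>
"""


def permissions_from_manifest(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def short_name(permission: str) -> str:
    """'android.permission.CAMERA' -> 'CAMERA'."""
    return permission.rsplit(".", 1)[-1]


def audit_permissions(requested: list[str]) -> dict[str, list[str]]:
    """Bucket every permission outside the expected baseline by risk category.

    Unknown extras land in 'unclassified' so nothing silently disappears.
    """
    report = {category: [] for category in RISK_CATEGORIES}
    report["unclassified"] = []
    for perm in sorted({short_name(p) for p in requested}):
        if perm in EXPECTED_FOR_SMART_LOCK:
            continue
        for category, members in RISK_CATEGORIES.items():
            if perm in members:
                report[category].append(perm)
                break
        else:
            report["unclassified"].append(perm)
    return report


if __name__ == "__main__":
    findings = audit_permissions(permissions_from_manifest(SAMPLE_MANIFEST))
    for category, perms in findings.items():
        if perms:
            print(f"{category}: {', '.join(perms)}")
```

On a real APK the manifest comes out of the package in binary form; a tool such as apkanalyzer or aapt prints it as XML, and the output can be fed to permissions_from_manifest unchanged. The point of the unclassified bucket is that a permission nobody has categorized is still a finding, not something to ignore.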
What they claim: Eufy markets the Video Smart Lock with "no monthly fee" and local-only storage, implying the device functions independently without cloud dependency. Privacy policy claims AES-256 encryption protects local data and TLS 1.3 with ECDH key exchange secures transmissions.
What we found: The device has hardcoded cloud endpoints including mysecurity.eufylife.com, security-api.eufylife.com, p2p-stun.eufylife.com, and push.eufylife.com — at least 7 cloud servers the device communicates with. The Verge confirmed in 2022 that eufy video streams were not end-to-end encrypted as claimed, and could be accessed via VLC media player without authentication using predictable URLs. Anker admitted in January 2023 that their encryption claims were false. Blocking outgoing connections disables even local features, contradicting "local only" claims.
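A "local only" claim is easy to test from the network side: put the device on its own VLAN, log its DNS lookups, and see which vendor hostnames it resolves. The script below is an added example written for this review, not eufy's or any project's code. It parses dnsmasq-style query-log lines, lists the distinct vendor hosts a given device resolved, counts how often it looked each one up, and answers whether the device depends on the vendor cloud at all. The log lines are constructed: the device and client IPs, process id and timestamps are made up, and the only vendor hostnames used are the four named above.

```python
"""Check a 'local-only' device's actual cloud dependencies from DNS logs.

Added example for this review, not eufy's or any project's code. The log
lines are constructed in dnsmasq's query-log style; the device IP, client IPs
and timestamps are made up, and the vendor hostnames are the ones named above.
"""
import re
from collections import Counter

# dnsmasq logs queries as: "<date> dnsmasq[pid]: query[TYPE] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

SAMPLE_DNS_LOG = """\
Mar 14 09:00:01 dnsmasq[812]: query[A] mysecurity.eufylife.com from 192.168.1.50
Mar 14 09:00:01 dnsmasq[812]: query[A] security-api.eufylife.com from 192.168.1.50
Mar 14 09:00:02 dnsmasq[812]: query[A] p2p-stun.eufylife.com from 192.168.1.50
Mar 14 09:00:02 dnsmasq[812]: query[A] push.eufylife.com from 192.168.1.50
Mar 14 09:00:05 dnsmasq[812]: query[A] pool.ntp.org from 192.168.1.50
Mar 14 09:15:02 dnsmasq[812]: query[A] push.eufylife.com from 192.168.1.50
Mar 14 09:15:03 dnsmasq[812]: query[AAAA] security-api.eufylife.com from 192.168.1.50
Mar 14 09:16:40 dnsmasq[812]: query[A] example.org from 192.168.1.23
Mar 14 09:30:02 dnsmasq[812]: query[A] push.eufylife.com from 192.168.1.50
"""


def parse_queries(log_text: str):
    """Yield (client_ip, qtype, name) for each query line; skip non-query lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qtype"), m.group("name").lower()


def cloud_hosts_for(log_text: str, device_ip: str, vendor_suffix: str) -> list[str]:
    """Distinct vendor hostnames the device resolved, i.e. its cloud footprint."""
    hosts = {name for client, _, name in parse_queries(log_text)
             if client == device_ip and name.endswith(vendor_suffix)}
    return sorted(hosts)


def query_counts_for(log_text: str, device_ip: str) -> Counter:
    """How often each hostname was looked up by the device."""
    return Counter(name for client, _, name in parse_queries(log_text) if client == device_ip)


def depends_on_cloud(log_text: str, device_ip: str, vendor_suffix: str) -> bool:
    """A device that is truly local-only should resolve no vendor hostnames at all."""
    return bool(cloud_hosts_for(log_text, device_ip, vendor_suffix))


if __name__ == "__main__":
    device = "192.168.1.50"
    print("vendor hosts:", cloud_hosts_for(SAMPLE_DNS_LOG, device, ".eufylife.com"))
    print("lookups:", query_counts_for(SAMPLE_DNS_LOG, device).most_common())
    print("cloud dependent:", depends_on_cloud(SAMPLE_DNS_LOG, device, ".eufylife.com"))
```

The same host list is what you would feed into an egress rule on the router to block the vendor cloud; as the review notes, doing that with this lock disables even local features, which is itself the evidence that the "local only" claim does not hold. Logging DNS alone misses devices that use hardcoded IP addresses or DNS over HTTPS, so pair it with a connection log from the firewall when auditing a device you do not trust.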
What they claim: Eufy's privacy policy states: "Your audio and transcription data stored locally on your mobile device are protected with AES-256 encryption" and emphasizes secure data transmission via "TLS 1.3 and ECDH key exchange with AES-256."
What we found: The New York AG investigation found that video streams were NOT always encrypted with end-to-end encryption as claimed. Active video streams were accessible by anyone with the relevant URL without any authentication. Anker admitted in January 2023 that eufy cameras were not natively end-to-end encrypted, contradicting years of marketing. The company pledged to implement WebRTC encryption only AFTER being caught. The $450,000 settlement specifically required the companies to "implement appropriate encryption processes, including the encryption of video in storage and in transit" — confirming this was not already being done.