Eufy security cams 'ignore cloud opt-out, store unique IDs' of anyone who walks by

A lawsuit filed against eufy security cam maker Anker Tech claims the biz assigns "unique identifiers" to the faces of any person who walks in front of its devices – and then stores that data in the cloud, "essentially logging the locations of unsuspecting individuals" when they stroll past. The complaint, a would-be class …

  1. Fruit and Nutcase Silver badge
    Coat

    The Rogue Programmer

    sure does get around

    1. that one in the corner Silver badge

      Re: The Rogue Programmer

      He is highly sought after, as employers value his productivity, timekeeping and almost total lack of a moral compass.

      1. b0llchit Silver badge
        Headmaster

        Re: The Rogue Programmer

        ...almost total lack of a moral compass.

        No, no, no! The moral compass is functioning perfectly fine. It is just perpendicular to your moral perspective. Like the EM field conundrum. They are also always perpendicular to each other. Dynamically speaking, one can not do without the other.

        And then, what would the world look like when we only had the one good side? We'd be totally bored and submerged in too good to be true feelings all the time.

        /s

      2. Neil Barnes Silver badge

        Re: The Rogue Programmer

        No-one expects the Rogue Programmer!

        1. Claptrap314 Silver badge

          Re: The Rogue Programmer

          Among his many valued traits are....

    2. Lil Endian Silver badge
      Coat

      Re: The Rogue Programmer

      Rogue programmers.... That was Michael Toy, Glenn Wichman and Ken Arnold, no?

      [Mine's the one with the 5¼" floppy with an eternal Rogue copy on it.]

    3. Fruit and Nutcase Silver badge
      Alert

      Re: The Rogue Programmer

      Round, round, get around

      I get around, yeah

      Get around, round, round, I get around

      I get around

      Get around, round, round, I get around

      From town to town

      Get around, round, round, I get around

      I'm a real cool head

      Get around, round, round, I get around

      I'm making real good bread

      Get around, round, round, I get around

      I'm getting bugged driving up and down this same old strip

      I gotta find a new place where the kids are hip

      My buddies and me are getting real well-known

      Yeah, the bad guys know us and they leave us alon[give us bread]

      I get around

      Get around, round, round, I get around

      From town to town

      Get around, round, round, I get around

      I'm a real cool head

      Get around, round, round, I get around

      I'm making real good bread

      Get around, round, round, I get around

      I get around, round

      Get around, round, round

      ...

      with thanks and apologies to Brian Wilson and Mike Love for the original lyrics

    4. Anonymous Coward
      Anonymous Coward

      Re: The Rogue Programmer

      He believes in transparency, but only of himself. Think about it a bit...

  2. Flightmode

    Adding a new word to the vernacular

    How about we turn "eufy" into a new adjective? It's a perfect combination of "eww" and "iffy".

    As in "I think tech companies' disregard for their customers' privacy is pretty eufy."?

    1. Not Yb Bronze badge
      Coat

      Re: Adding a new word to the vernacular

      Pretty oof-y, too.

  3. Grogan Silver badge

    You could always just put the camera on a wifi network that doesn't have a WAN connection at the back end (i.e. no gateway) to ensure nothing goes to any "cloud", no?

    1. Gene Cash Silver badge

      Sure, but that's not the point. The point is to beat Anker with a large stick as hard as possible for their BS.

      1. Grogan Silver badge

        Actually I'll decide what my point is. It was a suggestion for owners of the device to prevent it from uploading data remotely.

        1. SundogUK Silver badge

          Anker lied. That is the point.

          1. moonpunk

            Exactly! I'm a Eufy doorbell user and if I'm honest I don't really have an issue with them using cloud in order to provide the functionality that I require to enable me to get a notification that someone has rung my doorbell, and in fact one of the reasons I chose Eufy (over Ring for example) is the fact that I can store locally and don't have to pay a monthly cloud subscription (again unlike Ring). But for those people that chose on ethical grounds that their data would NOT be sent to the Cloud were lied to - that's what Eufy need to address!

    2. yetanotheraoc Silver badge

      the point

      Securing your network isn't going to stop your neighbor's camera from sending your picture to the cloud.

    3. Timop

      Did you mean one should create a remote exploit to these doorbells that somehow drops all WAN connections before any IDs get uploaded to Anker servers when one walks by? My moral compass is now confused.

      1. Grogan Silver badge

        Me? No, I was just suggesting a possible way for an owner of said device to prevent it from uploading data to the cloud.

    4. Alistair
      Windows

      Eufy sec cams -

      I can speak from experience with the crud, after installing a set for a family friend, you *CANNOT* get the overall package working without an internet connection. Period.

      Yeah, the doorbell would ring, but only at the endpoint. It *would not* pair with the image storage node under any circumstances until I wired it to the network.

    5. moonpunk

      You could - but that would remove one of the major pieces of functionality which is to receive a notification on your mobile device that someone is at your door having rung your doorbell and giving you the option to interact with them.

  4. Sp1z

    Disappointed

    Goddammit, I thought Anker were one of the good ones. Their power products and cables are built well and reliable.

    This is indeed a shame.

    1. This post has been deleted by its author

    2. Adam Azarchs

      Re: Disappointed

      Hard to say whether this was malicious or just incompetent. There are very few companies I tried to do Internet connected security correctly. Anker / Eufy seem pretty good at hardware but apparently software is another thing entirely.

      Part of the problem here is web standards. It's nearly impossible to do https without phoning home to a cloud server. And the companies that are essentially in control of those standards (Google, Amazon, Microsoft, et al) have no interest in changing that. That doesn't excuse sloppy storage of data once it gets there of course, but it helps to explain why it's possible in the first place.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hard to say whether this was malicious or just incompetent.

        I'd say neither, more like 'careless'. As in 'they don't give a monkey's....' Well, I hope it's going to cost them.

      2. Anonymous Coward
        Anonymous Coward

        Re: Disappointed

        It's nearly impossible to do https without phoning home to a cloud server

        "Nearly impossible" makes it sound like quantum computing. But a self signed cert will do it, and any tech company could easily and cheaply provide a one click solution to set that up inside your home network.

        However, if your home network is secure HTTP would suffice.

        1. Anonymous Coward
          Anonymous Coward

          Re: Disappointed

          If your home network is not secure, then you need HTTPS and at least a password to log into your camera server.

          If the camera is phoning home at all, the potential for being a trojan horse exists.

        2. Not Yb Bronze badge

          Re: Disappointed

          Modern browsers, do not accept self-signed certificates, without warning notices about the lack of security.

          A bad actor could self-sign a certificate purporting to be the same place, and the user would only know, if they'd previously visited the site before the attack and accepted the previous certificate despite the warnings.

      3. Rich 2 Silver badge

        Re: Disappointed

        Who says you have to use https? You can use whatever protocol you like - make one up if you want and use that

        1. Not Yb Bronze badge

          Re: Disappointed

          Aside from the large number of people who have worked on improving https over the years...

          Creating a security protocol you can't break yourself is fairly easy. Creating one no one else can break is hard.

    3. Anonymous Coward
      Anonymous Coward

      Re: Anker were one of the good ones

      Anker is only 'one of the good ones', in the sense that they are more selective about quality of non-branded products they order to have their branding applied to. Just a different target audience. As to morals, they're just as corrupt, as any other successful business.

      1. SundogUK Silver badge

        Re: Anker were one of the good ones

        You're going to love the world you end up with if you ever get rid of all these 'successful businesses.'

    4. SidSlippers

      Re: Disappointed

      Anker are a Chinese-owned company.

      1. Sp1z

        Re: Disappointed

        I'm aware of that. Doesn't mean the quality of their products is bad, in fact in this case the opposite.

        1. werdsmith Silver badge

          Re: Disappointed

          I have a Eufy Roomba clone. It is truly excellent and works without cloudy connections.

          Though I choose to use the cloudy stuff.

  5. Anonymous Coward
    Anonymous Coward

    Hello!

    Camera controlled by an app? WTF were you expecting? Of course it's tracking and storing info about you in the cloud. I bet it's even a wireless camera, right?

    People these days....

    1. Anonymous Coward
      Anonymous Coward

      Re: Hello!

      Hello! indeed ...

      WTF were you expecting? Of course it's tracking and storing info about you ...

      +1 -> Logged in to say the exact same thing.

      Should anyone be surprised?

      It's not that the writing has not been on the wall for the longest time.

      And it will get worse, much worse.

      More than 10 years ago, a chap by the name of Eben Moglen gave a speech at re:publica 2012 in Berlin.

      The subject was Freedom of Thought, Free Media and Free Technology in the future.

      It should be mandatory reading in any elementary IT course.

      "We need free software. Unless we control the software in the network, the network will in the end control us."

      .

    2. ITMA Silver badge

      Re: Hello!

      Unfortunately this is all too common.

      End users (both home and business) sleep walking into a security quagmire and privacy fiasco all in the name of "convenience". They're becoming addicted to controlling things via apps on their phone (laziness?) which almost invariably require some sort of "cloud" service to work.

      Manufacturers are equally to blame by encouraging it - releasing products which do not work, or are hard to make work, except via some (usually the manufacturer's) "cloud" service.

      All businesses MUST have a policy for internet connected and IoT devices, as part of or in addition to their IT and security policies. It is a grave mistake not to.

      And a recommendation to everyone - STOP making or wanting everything under the sun to be "connected". There are even internet connected ovens FFS! It is getting ridiculous.

      1. tel2016

        Re: Hello!

        "...There are even internet connected ovens FFS! It is getting ridiculous"

        I have always been confused as to why remote controls for VHS & DVD players have an eject button. You're going to have to get up anyway.

        1. Jamie Jones Silver badge

          Re: Hello!

          Obviously, they have them to scare the cat.

        2. ITMA Silver badge
          Devil

          Re: Hello!

          I take it you don't have a cat?

          The hours of fun that can be had endlessly ejecting/re-inserting (if your DVD player allows you to do that via the remote) the disc tray while watching your cat try and grab or "bat" it is awesome.

          Be prepared to have to replace it though if your cat is quicker than you and you end up with a "feline vandalised" machine.

          Talk about "Paws of Fury" (just without Hank).

          https://www.youtube.com/watch?v=Js3xUgNICNY

  6. simonlb Silver badge
    FAIL

    "working on new security protocols"

    I'll keep saying it: We need a new specific IoT protocol built from the ground up with security as the first priority, which is inherently secure, vendor agnostic and adopted as an industry standard. Ideally, it also needs to be managed by a panel or forum of people who specialise in security so that security best practices are fully integrated into the protocol. This, right now, is easily achievable, but no-one seems to want to step up and do something about it.

    1. Paul Crawford Silver badge

      Re: "working on new security protocols"

      It is already possible to design safe and secure devices. It just needs folks to give a shit about it...

      1. Anonymous Coward
        Anonymous Coward

        Re: "working on new security protocols"

        .. and be willing to pay for it.

        Doing security right costs money and adds complexity. That means you need competence and be prepared to maintain the code you put out (which is argument no1 for keeping it SIMPLE, but I digress). Now I could point at Microsoft to show just how hard it is, but that would be ignoring the question of what if you deliberately leave in some problems so people get used to not questioning your updates?

        That said, I'm both fascinated and absolutely horrified by the suggestion that this lot is busy collecting biometric facial scans of everyone in reach and assigning them IDs: WTF? That alone should lead to a total ban in Europe, but I fear the reverse may happen because of what is happening in the Netherlands.

        There, the police is subject to very strict rules when it comes to putting cameras in public spaces. Private people are supposed to be subject to those rules too, but (a) nobody bothers to follow them and (b) there's zero enforcement, the reasons for which now seem to have become apparent - bear with me. Last year, the police wanted a mandatory register of private cameras. That didn't happen, but there's now a voluntary register which has loads of entries already (no idea if that was after local police 'encouragement', but I digress).

        This register allows the police to approach these private owners directly for footage, which thus neatly bypasses all those pesky restrictions the police is subject to, and without any need to bother the Court for a judge's permission, naah. No doubt the next step is to ensure that data submission can be legally forced, and so complete the police end run around the restrictions originally imposed to protect public privacy.

        Now add facial biometric recognition to this mix - using, I may add, a methodology, technique and granularity that has as yet not been proven, validated or certified so errors are not only possible but likely, some ignorant court use of the 'computer says no' type and you have a major problem. And that's not in the distant future, it's basically here, right now.

        Yes, Eufy/Anker deserve to be beaten with a very large legal stick, and then some.

    2. Dan 55 Silver badge
      Devil

      Re: "working on new security protocols"

      The Marketing Data-Slurping Complex won't allow it to happen.

    3. DJO Silver badge

      Re: "working on new security protocols"

      ...inherently secure...

      Impossible. Like it or not, security is a moving target.

    4. Jellied Eel Silver badge

      Re: "working on new security protocols"

      I'll keep saying it: We need a new specific IoT protocol built from the ground up with security as the first priority,

      Nah, we have that already. All the 'telemetry' from our IoT thing is transmitted via HTTPS, and the data between thing and Cloud is encrypted. Ergo, as the thing's owner has no idea what it's transmitting, it's secure.

      I think what is needed is strict enforcement of (mostly existing) data protection regulations. Most already work on the lines of requiring data controllers to store only the minimum personally identifiable information necessary, and generally with some form of consent. A camera that snaps any passer by, assigns a UID and stores it without either the device owner's consent or the data subject's consent would already seem in breach of UK Data Protection and GDPR regulations. Which can come with large fines attached, and for cameras, has already been tested a few times in UK courts.

      Call it the Cloud-Be-Gone Act (or Blue Skies?) where devices must comply with the minimum requirements, and give users a simple opt-out for cloud storage, and especially data sharing. Something as simple as a doorbell doesn't really need a 'cloud' to operate, just some local storage, a local server that can forward or answer 'net or mobile queries and is already a feature of many of those devices. They don't really need any cloudybollocks, so the ICO should take a long, hard look at why vendors are slurping that data.

  7. Anonymous Coward
    Anonymous Coward

    Ha! Maybe Jeff Bezos hard at work........

    Quote: "...uploading facial recognition data and biometrics to its Amazon Web Services cloud..."

    .......does this quote RING a bell?

    I think we should be told!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Ha! Maybe Jeff Bezos hard at work........

      ...and in other news about Jeff Bezos.....

      Link: https://www.theregister.com/2023/03/08/police_ring_privacy/

  8. Lil Endian Silver badge
    Flame

    It just goes to show...

    ...what a bunch of Ankers the eufy of today are.

    [I am not smiling.]

  9. Simian Surprise

    Who else?

    Desai's complaint specifies the proposed class as

    > All persons who purchased one or more of the eufy Security Cameras within the applicable statute of limitations

    Oh come on, can I not be part of a lawsuit if any of my neighbors have one? Or if I can prove that I walked by one and it has me in the database? (In my case, they don't, and I can't without discovery, but it's the principle of the thing for others.)

    I know that such people didn't rely on any misrepresentation of the company, so for this specific action they're not similarly situated, but why can't we have a law against doing this crap? People are having so much fun with internet-privacy laws like GDPR, but I'm much less concerned about advertisers knowing some stuff about my purchasing habits and interests than cops* and hackers knowing about my travel habits and recent locations.

    * oh right, never mind, that's why.

  10. Happy_Jack

    I love my Eufy doorbell. Do I care if Chinese military intelligence can see who rings my doorbell or walks past my front door? No, not in the slightest.

    1. Anonymous Coward
      Anonymous Coward

      Do you care if the MET get warrantless access to this data (for the purpose of the investigation this isn't data it's 'metadata' and so requires no warrant)

      And it picks up somebody who looks like a known drug dealer/illegal immigrant/Gary Lineker

      That Happy_Jack driving past our ANPR camera? He's a known associate of .... better pull him over

  11. The Central Scrutinizer

    Well that's just fucking great. A friend just installed one of those camera/doorbell pieces of shit. I'll be sure to wear a gorilla mask or something equally stupid when I next go to her place.

    1. heyrick Silver badge

      Why not round up everybody you know, walk past the thing, then the entire lot of you file a class action against the company.

      Since it's been demonstrated that the cameras do this......

    2. heyrick Silver badge

      France has some pretty strict rules about the use of security cameras, including respecting the privacy of visitors to your home, so these things that dump information to a cloud may well be infringing.

      https://www.cnil.fr/fr/la-videosurveillance-videoprotection-chez-soi

  12. morsey

    Tuya WiFi security cameras

    :) I bought myself one of the 'replaces the peephole on your front door' cameras that are all over Amazon at the moment.

    I'm under no illusions on how much is handed off to someone else with it and I'm a strong believer in not renting my doorbell to someone else.

    I've been picking it apart to see how bad it is (it's not getting fitted till I've looked under as many rocks as I can find and blocked the snakeholes).

    I've gotta say, I thought it would be bad, but it's much worse. It's a big bloated generic build that's been optimised by configuration for the particular model.

    Because of this there are a couple of heavy lifting binaries in it that seem to do all the main work, ankya_ipc being one of them. A couple of years ago these generic builds were easy to get a root shell to, but the builds now are doing basic good things (long passwords so John is unlikely to crack them in my lifetime) making it harder to simply open a telnet, give it a sdcard hosted file to update its config and call the save function to set that as part of its firmware image.

    I'm at the point now that I can at least watch what its output is throwing while it 'does stuff' and I've gotta say, before I was leery about it being fitted, now it's an absolute no, not until it's walled in and I've made it truly local only.

    Here's the thing, these devices have face recognition on board, they are little linux'es so that's entirely feasible. They do a fair amount of the instantaneous heavy lifting onboard for this, but as the article says, it's all sent up to a centralised location. With that as well, a lot of it is centralised in one way. The way to view the feeds on this thing are to use the app, there are local feeds you can access and find, but it's very much not a trivial thing to work out.

    Final point is this, mine has a mic and speaker so if someone is at the door I can enable the mic and speak to them. This is only accessible (so far that I've found so far) through the app, so the app sends the command to the device.

    So the stream is an endpoint on the app's servers

    the ability to enable mic audio into the stream is an endpoint on the app's servers

    the ability to send audio to the speakers is an endpoint on the app's servers

    ...so anyone who can find my camera's endpoint on the public application can watch, listen and send audio through my camera.

    1. heyrick Silver badge

      Re: Tuya WiFi security cameras

      "I thought it would be bad, but it's much worse."

      If it's able to be controlled using http commands, passes the username and password in the URL, and uses the GoAhead server... there are various little connected cameras with a critical flaw. If you send a request to the camera without the leading / in the request, it may completely bypass the so-called security and return any file you request. Like, say, GET system.ini (instead of /system.ini like normal).
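
Added example, not part of the thread or of any vendor's code: a detection-side check for the two request shapes the comment above describes, run over HTTP request lines captured by a proxy or sensor in front of a camera. The sample lines, the `/snapshot.cgi` path and the credential parameter names are constructed assumptions.

```python
import re

# request-line = method SP request-target SP HTTP-version (RFC 9112)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
ABSOLUTE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^/\s:\[\]]+):\d{1,5}$")

# Assumed parameter names; adjust to what the device under watch really uses.
CRED_PARAMS = {"user", "usr", "username", "pwd", "pass", "password"}


def target_form(method, target):
    """Return the RFC 9112 request-target form, or None if it fits none."""
    if target.startswith("/"):
        return "origin-form"
    if ABSOLUTE.match(target):
        return "absolute-form"
    if target == "*" and method == "OPTIONS":
        return "asterisk-form"
    if method == "CONNECT" and AUTHORITY.match(target):
        return "authority-form"
    return None


def query_param_names(target):
    """Lower-cased parameter names from the query part of a request-target."""
    query = target.partition("?")[2]
    return {pair.partition("=")[0].lower() for pair in query.split("&") if pair}


def scan(lines):
    """Return (line number, reason) for every request line worth a look."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        match = REQUEST_LINE.match(raw.strip())
        if match is None:
            findings.append((lineno, "unparseable"))
            continue
        method, target, _version = match.groups()
        # A target such as "system.ini" (no leading slash) fits no valid form.
        if target_form(method, target) is None:
            findings.append((lineno, "non-standard-target"))
        # Credentials in the URL end up in logs, history and proxies.
        if CRED_PARAMS & query_param_names(target):
            findings.append((lineno, "credentials-in-url"))
    return findings


# Constructed sample request lines, not taken from a real capture.
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "GET system.ini HTTP/1.1",
    "GET /snapshot.cgi?user=admin&pwd=example HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "CONNECT cam.example:443 HTTP/1.1",
    "GET http://cam.example/status HTTP/1.1",
    "garbage",
]

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE):
        print(f"line {lineno}: {reason}: {SAMPLE[lineno - 1]}")
```
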

  13. Kane
    Boffin

    Time to break out the Scramble Suit

    The post is required, and must contain letters.

  14. Johnb89

    Spray paint

    For those concerned about being watched by every camera one walks by, there's at least a moral case to spray paint over the lens. Of each one. Can one do that without getting caught?

    If 'they' are going to blather my image illegally all over the internet, with tracking no less, I have a right to mitigate against that, up to and including disabling it. And if accused of breaking the law the case that you were preventing their crime is not unreasonable. Whether a judge would agree is a question.

    Now my neighbour may not KNOW his camera is doing that, but ignorance on his part does not signify acceptance on mine. Interestingly, my neighbour-with-a-doorbell-cam took pains to point out that he'd pointed it only at HIS door, not the street, not at my house etc. Bless 'im.

  15. Missing Semicolon Silver badge

    I'd like to buy a wifi camera or a doorbell.

    Where do I get one that isn't crap?

    I currently have one of those old IpCam remote-controlled ones, that really is local-only. The only "cloud" it supports is an FTP server of my choosing. I'd keep using it, but its Wifi is old and insecure and the sensor is crap.

    Does anyone make a replacement with modern wifi and sensor?

  16. MOH

    This story is very confusing without an initial indication that the (all lower case) "eufy" is a brand name
