Eufy Lied.

Getting an anker ad in the middle of this was the definition of irony and made me burst out laughing

It’s even scarier than just cloud storage of your camera pictures/footage. A guy demonstrated that your face is assigned an ID based on Eufy’s facial recognition algorithm. So if your face shows up on SOMEONE ELSE’s camera, the same ID may be generated and now there’s a trace of your location

I’m a Bestbuy employee and I will be sure to inform customers about this issue when asked about eufy

Eufy had one chance to not have this get any worse, and they blew it.

Maybe their idea of "Local only" is like the Cell companies "Unlimited data".

I'm so disappointed in eufy. It was a serious competitor in the affordable home security space but now they're a joke. There's no coming back from this.

Here's what REALLY scary- the non-techie people out there are not seeing this as much of a problem anymore... and... it's really, REALLY unnerving. The fact that not only do they anticipate companies doing what they will with thier info, they welcome it. (or at the very least, do very little to stop it.) There seems to be this mindset that "as long as it's not changing they way I live my life and I'm happy, I don't care." that's going to one day bite many of those kinds of consumers in the rear.

The response from Eufy is a classic example how the wrong response to being called out can make your fault infinitely worse. Just bought some products from Anker - now I’m seriously considering returning them.

There's a point at which it becomes worth it to invest in a NAS capable of running a surveillance software suite. Throw in some WD purples (or equivalent), and make sure to put your cameras in a vlan that doesn't have access to anything but the NAS. The sad thing is that we need to become amateur network engineers and storage experts in order to make sure we're not getting spied on by the equipment we use to try to keep us safe.

I did read the freaking privacy policy and there is no mention about the freaking cloud storage!!
ALSO under the GDPR law. I requested that I get to see ALL personal data Eufy has stored on me and how they have stored the data and how they handle it. This is stated in the privacy policy!
Eufy reply word for word "We do not store your personal data and therefore cannot provide you with your personal data."
This means. They do not have my Email which they did reply. They do not have my purchase information no name no nothing.
I have yet to contact a lawyer about this but I have reported this company to our state wide security operations center

We're moving into our first house next month. I literally had lots of Eufy products in my cart, and I decided to check youtube for info to help me decide on which of their doorbells I should get. Well, now I'm looking for a different company. You just saved us from buying nearly $1k in spyware. Thanks guys!

On Linus's point about being impressed by things just working, I have a Ring doorbell and chimer and it infuriates me to no end that if my WiFi goes down or the stupid thing disconnects itself from the Internet but not the network for some reason as it often does and someone rings the doorbell the chimer no longer works because it has to ping the Ring servers and then they have to ping the chimer instead of just pinging the chimer locally which it knows is there because it has to be on the same network for it to work.

When Linus’s house is done I really hope we get a mega guide on how, from start to finish, with all the hiccups he figured out, all the stuff he used, would be so helpful,, in a more tutorial format than the existing videos which feel more like a showcase

What I hated most about this situation is the story seemed to break during black friday and when I tried searching about it after hearing in the WAN show, google instead showed me a bunch of shopping deals on eufy devices. It was until way later that journalist started to pick up the story and intially in European non English sites.
I hated how long it took for this to come up, I hated how google news tab was not news, I hated how this didn't get the attention it should have intially.

I think a bunch of the smart home / security stuff is really cool. But in a world where every company and their dog wants to harvest data of literally every flavor I'm perfectly happy with a thermostat that I need to walk to and physically manipulate in order for it to do anything. Every single time Alexa wakes up completely unprompted while nobody is talking and says "Sorry I didn't catch that.", my skin crawls and I revisit the thought that maybe her convenience isn't worth it.

Eufy was like: we tested our own systems and accusations and found out we did nothing wrong.

They advertise it's local only, they made it not local only. This is false advertising.

Wow, the thermostat?? The more I keep my house out of the cloud the happier I am with that decision.

Wow, last week I was so close to buying specifically an Eufy doorbell exactly because of their "local only" promise. Glad that I postponed it till I do a bit better research.

If Signal can do end-to-end encryption of messages, Eufy can do end-to-end encryption of images to support push notifications when you're not on your local network.

Uefy: When we say locally, we mean on the same planet.

do not trust a company, or person, that is only sorry after they get caught. if they can do it, get caught, and youll forgive them for "changing", then theyll get better at hiding it the next time they do it.

My take on the notification, as a mobile app developer I work with them on a daily basis: Yes, a notification can have images without having to send them to any server, but only if the notification is not handled by Firebase itself on the receiving end (Yes, Eufy and literary every other app uses Firebase), but by the receiving app. By using a "data" notification the app receives the data without a notification being shown, which allows the app to build its own notification, this also allows an app to potentially enrich that notification with local data (if it is available on the device or if the device is locally connected).
So yes, images are possible without having to send them to the cloud, but it comes with some drawbacks (as the phone will not always have access to the local network).

I specifically chose Eufy for my doorbell camera because of the local only storage. As soon as I listened to last week's WAN show I took it down. I have since destroyed and thrown away the camera because I could not bring myself to sell it to someone who doesn't know all the security risks with this doorbell camera.

Here in norway a server for a company that sell electric wall mounted heaters broke down.. and a lot of houses got cold.

I really don't understand how you could argue against this.
They promised it's local.
It is in fact NOT.
They scammed their customers and they should be punished.
It's as simple as it gets :D

In light of this, I'd be interested in seeing some reviews of alternative products. I had security cameras on my to do list and Eufy was the direction I was headed.

They could've easily used end-to-end encryption for the notification images and even include that in the promotional material as advantage. The images would be stored encrypted in the cloud, with the key only available to the camera, and the user's phone. There's no excuse for what they did.

We really should get Legal Eagle to look at this - this undoublty breaks several laws and I'm not even an expert

9:18 I think legal eagle just talk about this when he talked about Established Titles. That there are laws specifically against advertising something different from what's in the agreement/fine prints.

There is a point where I start to think, if you really care and want security go with a business system with hardwired Ethernet/poe which typically can be cloud connected or not, use port forwarding or cloud linking, can't be killed by a cheap wifi jammer, tend to be very reliable, often have better quality especially in terms of dynamic range issues and low light performance, but are typically a bit more expensive and being hardwired do need cabling installed.

The biggest clue that the "Local Only" camera wasn't local only was that it didn't work without an active internet connection. Since i got this thing to be able to monitor a room using a battery backup so it would stay on even through a power outage makes me rather irritated that they lied.

Really sucks about Anker. I’ve always bought their stuff from all their brands because I trusted their quality. Idk if I’ll stop buying their chargers but definitely not ever buying any of their connected devices again.

Don't back down, just because brand fans want to justify their purchase, or are cool with careless companies.

Reminds me of Vizio's smart TVs. They had an opt-out feature called "Smart Interactivity" that would take a screenshot each second (60 in one minute!) of whatever was on your screen. And did so without telling customers.
So if you're writing an e-mail, checking your bank account, logging into a website, or anything, really -- Vizio grabbed it all. Fortunately, the FTC smacked them down.

What sucks the most is those of us that are pretty heavily invested in the products and they already have our money after being sold on "local storage."

It was just a misunderstanding bro. Chill 😂 just read the TOS
-eufy

Eufy’s slogan should be “Local storage stored remotely”

This, boys and girls, is a prime example of how not to respond to such situation. Eufy is only making things worse for themselves. And as for them being a part of Anker, I would really like to know just how much control exactly does Anker have over them? I like Anker products and it would be a shame if I would have to stop buying their products and search for someone with a similar product and price.

Eufy should not be claiming anything about "local only" when that's not true, and they should be better securing the things they store non-locally so that unintended eyes can't access them. That's purely false advertising. But if a camera is local only, how would you get its video feed or notifications when you're not home and not on the same WiFi network? Also this is a legit question, not a criticism of their position on the issue.

Time to gather the tech-tubers and campaign against cloud based solutions when it obviously isn't necessary for a majority of things. Find an alternative that seems good for things and push them to viewers over the competition. And you don't necessarily have the explicitly say, "Hey pick this over that." You can just not support cloud based BS by not ever showing them in videos.

As a Network Security Engineer, I would never open a port on my router to a IoT device with questionable software. If that device gets infected, it can be used as jumphost to your local LAN.

This *definitely* breaks the GDPR (assuming they sell this in the EU as well). What 30 day? You cannot collect any data, without the user explicitly agreeing to it (and no, burying it in privacy policy doesn't work either) in the first place! The EU should just straight up bad these for non-compliance.

You're better than this, Anker. Thanks for the update, guys.

While what you're saying about exposing a local port is true, given how insecure the existing cloud services are, do you really trust them to implement a secure service running on your local network, or one that's full of security holes like lack of encryption, lack of authentication and other glaring security fails?

Even if they keep the data after the delete request for longer, which there are valid technical reasons for (for example, collecting a lot of delete requests to process them in batches for better storage performance), they absolutely 100% must mark the content as "scheduled for deletion" and make it unavailable to access through the API. There is ABSOLUTELY NO VALID REASON that anybody, even the person who this data "belongs to", should be able to access it after requesting its deletion.

I'm surprised that Linus is not using a ground source heat pump up in Canada, that would be a far better (but also more expensive up front) option as down 20 feet or so there's plenty of heat to pull out.

Been wondering if we are ever going to see a video about this from Jerryrigeverything considering the entire office for notawheelchair is covered in Eufy cams.

I almost bought a Eufy SoloCam based on the local only sales pitch for my parents. Like that was the entire reason I was looking at it. I decided against it because the SoloCam couldn't eventually connect to a home base and I wasn't ready to invest that kind of money, and boy am I glad I didn't buy it.

I have to say, downplaying opening random ports on your router is a bad take Linus.
My job as a penetration tester is very much centered around clients opening random ports for niche IoT devices and nonstandard software because "it's easier" but it is absolutely a valid security risk.
Not saying that Eufy's method is any better because it's CLEARLY not lol, but I just don't think saying "it only happens in the movies" is a good take, especially when viewers who aren't network/security savvy might dangerously take that at face value and carry that mindset forward into their home networks or future workplaces.

This is why regulations like the GDPR or CCPA are so so so incredibly important for us as consumers. Even though its not a proactive tool, it provides us a lawful request for companies to disclose and/or delete any data they have stored about you.

We need to get Legal Eagle on this. He *just* did a piece about those Scottish Titles thing, and made the point that it is NOT legal to say one thing in big bold marketing, and do the opposite, EVEN when the fine print says "we're allowed to do the opposite."

On a tangent, the last Logitech webcam that I used had a feature that let you disable the light when it was being used as a motion detecting security camera. They haven't always been designed in such a way that the activity light can't be defeated.

It is almost impossible for iOS and would be very inefficient for Android to send notifications without a notification service but Eufy could use end to end encryption between sensors and mobile devices in the payload level with an additional layer. And they don't.

Open ports on a router or other system on your network with security issues can allow remote malefactors in. That isn't exactly rare, but it would require you to have an unpatched security issue and someone looking at your network. Then again, when was the last time you updated the firmware on your router?

Sorry, this is 2022, API calls (over a network) should ALWAYS be encrypted... security 101.

In the US, marketing verbiage is considered equally as important as a EULA and similar documents. It creates a customer expectation that informs their buying decisions. Putting fine print that directly countermands marketing material does not invalidate said marketing. Moreover, the bit about "an informed customer" is irrelevant. The assumption is that a purchaser knows only what is on the box before buying. Eufy operating completely counter to what their customers justifiably think they are getting will probably lead to a class action here. I do have a few Anker products and have been completely happy with them. Sucks that a sub-brand has done this. Almost wish I had a few of their cameras, though. lol

"Provided local storage" says to me that they got an on-prem link to whatever storage cloud they are using, and even though it's accessible through the larger cloud API it's "local" because it's their disks. That statement or "disagreement and compliance" is 100% corporate hand waving with no commitment to reconciliation, though.

LOL I love that Happy Gilmore line “Are you too good for you home? Answer me?!” @0:33 😂 Bummed out about Eufy since I was so close to investing in them

oh boi the eu is gonna have a field day with this one ;)

12:00 The only way they could offer free local storage is if they gave away servers to their customers for their products, meaning that their customers now have free local storage. However, that doesn't cover the electric cost for running the server at home, so it still wouldn't truly be free local storage...

BRICKING their cameras and issuing refunds is a rather unsmart hottake🤔
say what you will about their marketing etc. The Eufy cams I have on my property have been extremely dependable unlike many other companies I've tried.
I've caught my FORMER dogs sitter bringing ladies into my baby's room and using the bed. I've also caught people loitering by my garage door at 3am and also used video from my Eufy cams to prove a DHL delivery person didnt deliver my iPhone as they said resulting in apple sending me a free replacement.
They fit my budget and do what I need them to do. I'll be sticking with them for now.

I haven't actually seen them say "Local ONLY", they just say "Local storage". That could well mean (and apparently does mean) you have a local COPY. Unless they specifically say they do not upload to the cloud, then you should assume they upload to the cloud. All Eufy say is "No Cloud Fees", not no cloud uploads.

I'm mildly certain that if you bought any of these on any credit card or through PayPal, you could contact your credit card company or PayPal to get a refund based on the product being different from what was advertised.

On the topic of „smart home should run locally and just work“: I don’t know if it’s just happening in my circle but most people that I know that have built/renovated a house as a smart home actually don’t use integrated smart systems. They use simatic or similar industrial automations systems, or their downgraded versions like logo!, which will have a much longer guaranteed support window and parts availability.

I'm a little surprised at this controversy.
I have a Eufy camera and when I activated the full notification, with the images, I was told that the images were going to be temporarily sent to the Cloud! It's written in full in the app, very clearly!
There is nothing hidden. Well, if the images in the Cloud are poorly secured, that's another story. But, the fact is that the activation of the function which send the images in the cloud, it's well notified. And it's easy to choose the option of notifications withoud integrated images, which avoids the cloud!

Hopefully this does not mean their entire product stack is compromised because I have a Eufy deadbolt and this news has me a little concerned.

Woah, I literally ordered a security camera from them off Amazon yesterday. I was wondering why it was so discounted on Amazon😂.

The whole "well, this is necessary in order to provide..." argument doesn't hold water. Let's say they're 100% correct that it's necessary in order to offer particular features. For the sake of a focused argument, let's just give them that and not debate it...
It doesn't change the fact that they consistently said they were NOT doing it. And they didn't just say it as an off-hand comment, that was a key, primary selling point. That was front in center in all their marketing. "What happens in your home, stays in your home. No subscriptions, no clouds." If the features they're talking about require sending pictures, then they had no business making those claims, because they were not true. It's false advertising, pure and simple.

They also say. The video clips are stored on the HomeBase 2 (like a hub) by default. The HomeBase 2 comes with a non-removable 16GB local storage. It can store 2 months’ worth of videos for a system with 1 camera, or 1 month for a system with 2 cameras (30 motion detections a day and 60 seconds recording each time). The old video clips will be overwritten by a loop when the space is full.

If Eufy really want to include a picture in the email, they could embed it in-line (base 64 encoded as a string) in the HTML email source code. This avoids the need to store the pictures on their server after the email is sent.

I was going to recommend the robot vacuum eufy makes cause of the price. Not anymore. I hope Anker will drop eufy and/or fix this cause Anker chargers and cables are some of my favorite.

4:01 Heat Pumps, do Not, Pull Heat, Out of the Air, there is a Temperature Differential, between the Low Pressure and High Pressure Side.

13:30 I disagree entirely, it's not "reasonable" to assume it's being uploaded to the cloud when it's specifically advertised as NOT that. Customers and users should "reasonably" be able to trust what the company advertising says.

Even if they had a cache server that temporarily held notification images in case of intermittent connection on either end of the "local" WAN link (home network to cellphone), there's no excuse for there not being end to end encryption, with keys held truly locally so that the cache server just holds encrypted content it can't make heads or tails of.

I think the local push notification only works when an app on your phone wants to display a notification at the system OS level, without the data leaving your phone. when an external source, like a server, or a wifi camera wants to send a push notification to your phone, it does, indeed, need the thumbnail to be hosted somewhere on the internet, with an sufficiently obfuscated URL. also this whole guessing URL on amazon S3 key thing is *extremely* hard to brute force, not in a humanly reasonable timeframe. Dropbox actually experienced this same exact problem years ago, where they stored all users files on a single S3 bucket, and were publicly accessible if you were able to guess the URL including the token. This is standard amazon S3 CDN usage. also - "deleting" from amazon cloudfront's CDN is a very slow process. the CDN distributes copies of each file in datacenters around the world, and keeps copies of files in memory all over the place for maximum distribution speed, and minimum latency, so it just takes some time to clear things from this global cache. I still agree the advertising was very untruthful, and there were lies in the marketing, but still - there is no glaring security flaw or leak here. you cant actually hack anyones video feed, I have yet to see any convincing way this can be done. as far as i can tell, the video feed URL can only be obtained with the proper auth token, which requires user login, which is basically mimicking exactly what the eufy mobile app itself does, no more no less, its not a hack. this is just how the internet actually works. all of the engineering practices are pretty standard practice. all the guy did was reverse engineer what the eufy mobile app by observing it. its a little bit like sharing a google doc link where "anyone with the link can view" - this is just how URLs work. a sufficiently unguessable URL is the same as a secure endpoint, even if the URL is "plain text". anyone can painstakingly replicate an app by observing its API calls, but it cant do any more or less than the original app. I can build an instagram clone which talks to the instagram backend and pretends to be the instagram app, but it doesnt mean i hacked instagram. as much as I would like to see a chinese company get caught doing something evil, this is not it. (unlike the WYZE V2 security flaw, where it *was* actually possible to get access to a random persons video feed, and they covered it up). by all means, take eufy down for the dishonest advertising about local vs cloud, but theres no security flaw, im still waiting to see if a real hack comes up.

I read a great book about this recently, 'This is how they tell me the world ends,' it's all about tech security, and is really well researched, highly recommend :)

Port forwarding isn’t guaranteed to work anyway. Some ISPs like many here in Australia use an additional layer of NAT at the ISP to conserve the number of public IPs they use. Either customers will need to ask them the also forward the port, ask for the NAT to be removed or have a static IP address be assigned.

This is why I do not put ANY camera in living spaces in my home. Cameras monitor the yard, doors and garage but nothing inside the house.

Data Notifications? Interesting? Can someone provide me with a link on how to use/implement these server-less data push notifications? I'd really love to use them in my next hobby-app-project!

You are right about the seriousness of this issue. I would avoid Eufy. But I would not necessarily extend this to Anker products. I would imagine that different management teams are involved in batteries and cameras.

I wonder how much of this is pure malignancy on the part of the company leadership vs. programmer incompetence. Some people are just really bad at their job.

I got into smart home this year, and set out from the start to do everything "the right way" - favor Zigbee over WiFi, only use Home Assistant along other open source software, with strict "no data leaves the home, unless it's going to my phone when I'm not home" policy. What I found is that this very reasonable set of requirements eliminates 50-90% of products in the smart home market. In Europe, I only know of 2 models of radiator thermostats that fit the requirements. Others either use WiFi or freaking DECT (why, AVM???), or only work through the cloud, or only work with proprietary bridges, or don't support all functions through Home Assistant or other software.
On this note, giant freaking props to Danfoss. The Danfoss Ally TRVs are incredible. Affordable, sleek design, and while they *ahem* STRONGLY RECOMMEND you use their proprietary Zigbee bridge with them - EVERYTHING is supported through Home Assistant. Setting temperature targets, sending measurements from external thermometers, controlling internal window-open detection, using external window-open detection, OTA firmware updates, everything. So if you're looking for a smart radiator thermostat - I can't recommend the Danfoss Ally TRV enough, those things are incredible.

This is the kind of thing where Rossmann would say "don't accept the premise of assholes." People will use anything to justify their narrative even going as far as denying their own experience in some cases by putting blame on themselves. This mentality just does not make sense. It's scary in a way.

I don't understand why people are defending this corporation

The issue is about *opting in*. None of this was by choice of the user.
There's an argument the product violates the Implied Warranty of Merchantability (in the US) as it fails to do what it claims to do in plain language.

If you say "local only" enough times in rapid succession it sounds like "Yoko Ono". That's the final nail in the coffin.

To be fair, in their marketing, Eufy does go on and on about “it’s local! It’s local!”, which it very well may be (on an SD card or otherwise), and they don’t lean so much on “there are absolutely no cloud integrations in our system”. They just boast that they have this local functionality but gloss over the cloud sound (at least from the marketing shown by Luke in this video). Doesn’t make this any more right, but just another angle to look at it

I recommend anyone with outstanding Eufy orders cancel them immediately, because when the class-action lawsuits for deceptive advertising start to hit (and they will), they're going to fold like a cheap card table.

My eufycam and the storage just stops working when the internet goes out 🤷
So much for an offline solution 🤷

I wonder if eufy vacuums will start pushing pictures of me on the shitter to my phone. "Hey bud, u pooping again?"

If you ever try to set up a device/software and actively block the internet most devices simply won't function. They may say they are offline but are always calling home to look for updates ect. I heard about one security camera that would let you record all day/week/year but the second you wanted to save/export the video they made you pay a subscription.

I used to work for an insurance company in the UK. I'm not sure how this applies to other industries, but in the insurance industry if your detailed T&Cs contradict what you were marketed to at the point of sale, that is legally a missale and FCA (financial conduct authority, a govt body) can give such an insurance company huge fines if they catch the wind of it, and especially if they find it's a standard practice within the company's culture, and not just a rogue worker not playing by the rules to get them sales. Whatever is in the easy to approach marketing materials (as opposed to the small print T&Cs) or whatever is promised told to you on the phone (calls always recorded!), trumps the smallprint T&Cs. If the customer is misled in any way to lead to the purchase, that is considered to be pressure selling, preying on vulnerable customers (and temporary vulnerabilities like simply being tired and therefore of an impaired cognition a given day being applicable if only they can be somehow proven, e.g. a tired or confused tone of voice on a call), and a few other categories like that are possible, including one that just call out outright deceit, sometimes more than one will apply - there will be something this kind of a thing can be classed as. Surely other countries also have some equivalent laws and that will be also applicable to consumer rights outside the insurance industry, it won't be identical what I described but still "hurrr durrr they accepted the T&Cs that nobody reads" is not going to actually protect the seller from taking responsibility for misselling on a product when something as critical and data privacy of personal spaces like homes is concerned. T&Cs can often include illegal clauses but those are never binding if they contradict provisions of law that are in power, there is a hierarchy in which international laws abrogate the country laws, then there's constitutional laws, then there's codexes of criminal, civil, etc. law, then there's local laws (ordinances, etc.), then there's internal regulations of a given body and contracts. Anything of a lower order in hierarchy has no power if it conflicts a provision higher in hierarchy. And surely no provisions in T&Cs will protect anyone from being held accountable for illegal missales with misleading marketing.

I own a eufy doorbell and homebase. It just watched my front door at my apartment, but it definitely is annoying to hear my “local” isn’t “local”

As a dev, I’m about gripe about push notifications in general. WAYYY back in Android 2.0 days Google’s advice was NOT TO SEND CONTENT in notifications. Instead you send a “tickle” to let your app know that there’s data to download.
It feels like NO apps adhere to this advice. I’m looking at your Outlook. If it did than I would get 100+ notifications of read e-mails because my device was turned off when they were sent.

i've been always against chinese technology companies, anker and eufy were different, but now i see i shouldn't have trust them either

It is so funny that two non-engineer talk show RUclipsrs are selling their “perfect” idea about a consumptive production based on “anonymous” resource. But it indeed surprises me that so many “tech” guys are wasting time on their BS instead of building their own server. Just one tip: judging the engineering’ trade off is cheap, providing the feasible design will make Apple pay you millions. Wasting time here makes you as the real production. 😊

I have all my cameras on a VLAN such that they can only see my local server. The server is set up so I can forward a feed to my own cloud server(as in a server I rent, and have root access to), which I normally only do when I'm not home. The cloud server is insurance against someone stealing the local storage, as well as a cheap static IP so I can access the camera from my phone.

The answer to where this case can be prosecuted is all countries where the offenses took place, there is no such thing as international double jeopardy, all countries that Eufy operates in they are liable for their false advertising.

I finally got fed up with my Anker headphones not charging properly and was all ready to upgrade to a newer version from Anker when this news hit.
Not that I think they're bugging my Bluetooth, but it gave me just enough pause to ask why I'd give a company more money for having to replace their broken product.