A security researcher has alleged that Eufy security cameras upload photos containing personally identifiable information to its servers, in violation not only of its own key selling proposition, but also of the EU’s General Data Protection Regulation (GDPR).

According to a report by Android Central (opens in new tab)security researcher Paul Moore discovered that the Eufy Doorbell Dual camera uploads facial recognition data to the company’s AWS cloud, without encryption.

The company, on the other hand, says it fully complies with data protection regulations and that the data collected is only used for notifications.

GDPR compliant?

In a series of tweets (opens in new tab)

, Moore claimed the data was stored along with usernames and other information that could be used to identify people whose photos were taken. Moreover, Eury retains the data even if the user deletes it from the Eufy app, he claims.

Moore has also said that video feed can be accessed through a web browser simply by knowing the correct URL, with no passwords required. Camera videos encrypted with AES 128 use a simple key that can be broken relatively easily, he said.

Since the news, the company claims to have patched “some of the issues,” but hasn’t been more transparent than that, so it’s impossible to verify if the issue is ongoing.

“Unfortunately (or fortunately, whichever way you look at it) Eufy has already removed the network call and heavily encrypted others to make it nearly impossible to detect; so my previous PoCs [proof of concept exploits] no longer work. You may be able to call the specific endpoint manually using the payloads displayed, which may still return a result,” Moore later added.

Eufy, on the other hand, told the publication that its products are “fully compliant with General Data Protection Regulation (GDPR) standards, including ISO 27701/27001 and ETSI 303645 certifications.” The problem seems to be when a user decides they want thumbnails with their notifications.

Notifications from the camera are text-only by default, meaning no thumbnails will be uploaded unless, as was the case with Moore, users enable the feature manually.

Eufy also said the thumbnails are “temporarily” uploaded to its servers before being sent as notifications. In addition, the company said its push notification practices are “compliant with the Apple Push Notification service and Firebase Cloud Messaging standards” and will be automatically removed. It didn’t say when.

Thumbnails also use server-side encryption, the company added, saying they shouldn’t be visible to unauthorized users.

“While our Eufy Security app allows users to choose between text-based or thumbnail-based push notifications, it was not made clear that choosing thumbnail-based notifications required hosting ephemeral preview images in the cloud. That lack of communication was an oversight on our part and we sincerely apologize for our mistake,” the company concluded.

In the future, Eufy claims that it will change the language of the push notification option, as well as using the cloud for push notifications.