Nearly three weeks after a security researcher discovered major privacy issues in Anker Eufy’s security cameras, the company is now removing privacy promises from its “privacy commitment” instead of giving answers.
The Verge caught Eufy changing their privacy commitment to customers by removing 11 things on their site as of December 8. The changes mainly revolve around Eufy’s data storage practices, the ability to access a feed from their cameras remotely and the claims made about their camera’s security in the previous disclosure.
Basically, any claims Eufy made on its website regarding keeping recorded footage local, private and accessible only to the camera’s owner have been removed. Anything regarding the data being encrypted during transmission and being accessible outside of Eufy’s authorised apps and accounts has been removed too.
Eufy also made it clear whether or not they share camera recordings with law enforcement agencies. According to the company, it will not disclose video recordings without the customer’s consent unless “it is necessary to comply with the law of if there’s an emergency involving imminent danger of death or serious physical injury to a person”.
The company was caught uploading facial imagery to its AWS cloud without encryption in addition to its cameras’ video feeds being accessible via VLC without any authorisation required.
The company claimed that the imagery was being temporarily uploaded to provide users with images in their push notifications but did not specify how long these images are stored.
Since then, the company has been trying to set things in order again by nerfing its privacy commitment to be in line with what its products actually deliver, instead of improving products to be more in line with the privacy commitment.