Anker's Privacy Claims for Eufy Cameras 'Misleading,' Says Class Action
Anker’s claims that its eufy security products keep customers’ data “safe within your home” are “false and misleading,” alleged a Dec. 23 breach of contract class action (docket 2:22-cv-1816) in U.S. District Court for Western Washington in Seattle. .
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Plaintiff Ryan Blodgett, a Buffalo resident, pointed to a report from cybersecurity investigator Paul Moore cited in a November Ars Technica article saying eufy products including security cameras and video doorbells upload video thumbnails and facial recognition data to Anker’s cloud servers, despite numerous claims in the company’s marketing materials suggesting local data transmissions will be securely handled and protected from outside intrusion, said the complaint.
Moore was able to monitor signal transmissions from the eufy security app to cloud storage, which included artificial intelligence-recognized facial information from people in photos captured by eufy products, thumbnails of video captures and live video streams using a “simple media player as a result of incredibly weak encryption,” the complaint said.
Cybersecurity consultant company SEC Consult found in November that transmission to cloud servers included unencrypted eufy traffic, making the device’s user name, account ID and commands sent “publicly visible,” the complaint said. SEC also identified that hard-coded encryption/decryption keys common to all “homebase” devices were made visible, said the complaint.
Sales information for eufy products didn’t disclose that Anker stored customers’ data in the cloud rather than locally on devices, transmitted their data without encryption, allowed unencrypted access to their cameras and shared data with third parties, the complaint asserted.
Blodgett considered information on eufy labels and disclosures as “representations and warranties” by Anker that the products would store data locally and securely, said the complaint. If Blodgett had known the products would transmit his data to cloud servers, send unencrypted transmissions and allow for unencrypted access to his cameras, “he would not have purchased” the products, he said. “If Anker remedied these problems,” he would “purchase eufy products again.”
In addition to breach of warranty, the complaint alleges Anker violated the Federal Wiretap Act, prohibiting the intentional interception of the contents of electronic communication, and New York’s General Business Law 349, prohibiting deceptive acts in commerce. It also made claims for false advertising and unjust enrichment.
The plaintiff is seeking compensatory damages over $5 million to be determined by proof, costs, reasonable attorneys’ fees, punitive damages and an order enjoining Anker from engaging in “wrongful acts.” Anker didn’t comment Thursday.