Eufy acknowledges that camera images were not always end-to-end encrypted, company promises improvement

Eufy, maker of popular security cameras for HomeKit, was not clear about how camera images are used. It turned out that the company uploaded images to the cloud, even if you had turned this off. The company has now responded and made an adjustment to the app. But there's another problem.

Benjamin Kuijten | iCulture.nl – 1 February 2023, 10:00

Update 1 February 2023: After many months of ambiguity, Eufy has finally given a full explanation of the situation around its security cameras. Although the company has always stated that the camera images are end-to-end encrypted, researchers have shown that this is not always the case. Eufy denied this for a long time, but the company has now finally admitted to The Verge what the actual situation is. Camera images viewed via the Eufy Security app were, and still are, always end-to-end encrypted, but the streams on the web login portal were not. A while ago, Eufy's developers decided to add the live stream to the web portal, so that users could also view the images from the desktop. No end-to-end encryption was applied to it, however. A stream link taken from the web portal's code could be used in video players such as VLC, so anyone who had such a link could watch the images.

The link could only be found after logging in with the Eufy account, but once it had been obtained, anyone with the link could view the images. Eufy has now taken measures so that this link can no longer be found and has applied end-to-end encryption at the same time. The company adds that the Homebase 3 and eufyCam 3/3C, released in October 2022, will use WebRTC for end-to-end encryption, and that every current Eufy camera will be updated to do so. This encryption means that only the user can view the images.

The Verge has published all of its questions and Eufy's answers. The company behind the cameras hopes to make a clean sweep and regain the trust of users. In its answers, the company emphasizes once again that all streams are now end-to-end encrypted, including those from the web portal.

Update 17 December 2022: Eufy is dropping many of its privacy promises by simply removing them from the website. These are 10 promises that were questioned and have now completely disappeared.

Update 6 December 2022: Eufy has now made a change to the app. As promised earlier, Eufy is now more honest about the use of (temporary) cloud storage when sending push notifications with thumbnails. To show a notification containing a screenshot of a camera image, a still image is temporarily uploaded to the cloud. In the notification settings of the Eufy app you can specify what the notifications should contain. You can therefore also choose not to receive push notifications with screenshots, to prevent images from being saved in the cloud.

Although Eufy is now more transparent to users about how the images are used, there is another problem that may be even bigger. It is reportedly still possible to watch a camera stream through a third-party app like VLC, as long as you have the link to that stream, and no authentication would be required. Access to the web portal of your Eufy account is needed to get the link, but once you have the link you can watch the stream. Eufy is said to be still investigating the reported issues.

 

Below is the original article from November 30, 2022
Eufy, an Anker brand, specializes in various types of security cameras and doorbells. Some of them work with HomeKit and they can all be controlled with the Eufy Security app. You can also choose to subscribe to a cloud service, on which the images are stored so that you can view them in more places. If you prefer not to have that for privacy reasons, you can simply disable it. But a researcher discovered that Eufy still stores camera images in the cloud, even if you don't use the cloud storage. What's going on here?

Eufy uploads camera images to the cloud

Security researcher Paul Moore discovered that Eufy puts camera images in the cloud. He has made a demonstration video to show where and how Eufy does this. In the source code of the online portal you can find a link to a snapshot of your camera image. He also switches off the HomeBase to prove that the images are actually in the cloud: after the bridge is switched off, the images can still be viewed online. These are snapshots of the camera stream, not moving images.

Eufy also uses facial recognition on the uploaded images. There is now considerable discussion on Reddit about this discovery. What is remarkable is that the Eufy website heavily advertises local use of the camera and its privacy-friendly measures. The fact that Eufy uploads snapshots of the camera images to the cloud without the user being aware of it rather contradicts that. Moore also shows that the streams can be viewed remotely via an app such as VLC, without encryption or authentication. How exactly that works and whether this is a leak is not entirely clear.

Eufy responds: images used for push notifications

Eufy has now responded and clarified what the images are used for. The camera maker uses the snapshots of the camera streams to send notifications from the Eufy app. The still image is shown with the notification, so that you can immediately see from the notification what exactly is going on. Eufy says these thumbnails are hosted briefly and securely on an AWS cloud server. According to Eufy, this means they comply with GDPR standards and other privacy rules. The company adds that the images are removed immediately if the notifications are removed or the account is closed.

Moore disputes the latter. In a second video he shows that the images can still be downloaded even after a notification has been removed, as long as you still have the link from the source code of the web portal. This link would remain usable for another 24 hours. Whether the images are kept for longer than 24 hours remains an open question.

Eufy tells MacRumors that its communication to users has fallen short and that it will make changes. In the Eufy Security app, the settings for push notifications state that thumbnails of the camera images are temporarily stored in the cloud. In addition, in all marketing material, for example on the website, it is more clearly indicated that cloud servers are used to display notifications in push messages.

It is not the first time that Eufy has been in the news regarding privacy. There was already a Eufy privacy leak that allowed a very limited number of users to watch other people's images. This was resolved within an hour at the time.

See also our overview of HomeKit security cameras, which also includes a number of cameras that do not use their own cloud service and only work with HomeKit and HomeKit Secure Video.

Revision history:

  • 2023 – February 01, 09:56: Article updated with new statement from Eufy, promising that all images are encrypted with end-to-end encryption.
  • 2022 – December 06, 08:57: Article updated after a change was made to the Eufy app.