Consumer Electronics Daily was a Warren News publication.
'No Recourse'

Eufy Violated Ill. Biometrics Law by Storing Facial Data Without Consent: Class Action

Smart home brand Eufy collected, stored and used biometric identifiers and information of delivery drivers without providing them notice, obtaining informed written consent or publishing a data retention schedule, alleged a Nov. 27 privacy class action (docket 5:23-cv-02407) in U.S. District Court for Central California in Riverside. Fantasia Trading owns Eufy, a sister brand to Anker.

Plaintiffs Isiah Sheppard, Hilscio Rivera, Helene Lauzier-Meyer and Bernabe Benitez, all residents of Illinois, are delivery drivers who make drop-offs at customers’ homes. As part of their regular delivery process, they walk to the front door of customers’ homes, and on multiple occasions, Eufy cameras captured scans of their face and/or hands in violation of Illinois’ Biometric Information Privacy Act (BIPA), said the complaint.

Eufy advertises that its cameras' AI system “accurately detect[s] humans and vehicles” 95% of the time, said the complaint. The brand's optional BionicMind AI-equipped base station uses “self-learning algorithms after every facial and body shape scan to improve recognition accuracy to more than 99.9% over time,” regardless of what subjects are wearing or how they approach the camera, said the complaint.

When the same individual appears across multiple cameras within a certain time frame, Eufy’s system automatically locates and merges the footage into a single video so that the homeowner can “easily review the entire activity of that specific individual in a single video,” the complaint said, citing Eufy documentation. The homeowner receives an alert that the camera has detected an “already catalogued face,” such as a friend, or a “new, unknown visitor” such as a delivery driver, it said.

Eufy makes identifications by storing and analyzing biometric data so the AI engine can “keep learning the details of the characteristics of people, including different angles of the face and bodies” to “help the AI recognize a person more accurately and quickly,” the complaint said. That data is then accessible to the Eufy customer via an app.

Eufy documentation says its cross-camera tracking function depends on a human feature recognition algorithm that determines the similarity of an individual’s appearance in two videos to stitch them together, the complaint said. “Even if the face is not visible in the video, videos of similar-looking individuals are still identified and stitched together,” it said.

Technology journalists reported late last year that Eufy cameras were producing unencrypted streams, and a January Verge article said Anker “has finally admitted its Eufy security cameras are not natively end-to-end encrypted -- they can and did produce unencrypted video streams for Eufy’s web portal.” The Verge accessed streams “from across the United States using an ordinary media player,” it said.

One security expert was “easily able to hack into his own Eufy system -- despite unplugging it -- and ‘could pull up a thumbnail image of himself, an image of the feed shortly before he was visible, and -- perhaps more concerning -- ID numbers indicating his recognized face and his status as the camera owner,’” the complaint said, citing a November 2022 Ars Technica article.

Eufy has since hired outside security testing companies to audit its practices, the complaint said, but “unsecured biometrics stored on easily compromised systems -- as Eufy did -- is precisely the type of risk BIPA was enacted to protect the subject of a recording from.” Biometrics are “biologically unique” to an individual and once compromised, “the individual has no recourse, is at heightened risk for identify theft, and is likely to withdraw from biometric-facilitated transactions,” said the complaint.

Under BIPA, a private entity such as Eufy may not obtain or possess an individual’s biometrics unless it informs the person in writing that biometric identifiers or information will be collected or stored, the complaint said.

The plaintiffs seek statutory damages of $1,000 for each BIPA violation and $5,000 for each BIPA violation committed “intentionally or recklessly,” plus litigation costs, it said. They also seek injunctive relief, including an order requiring Eufy to collect, store, and use biometric information in compliance with BIPA. Eufy didn't comment.