eufy Indoor Cam S350 Privacy Review

On the plus side, you have the option to use a MicroSD card for local storage. Eufy also confirms whether you want the microphone on the first time you boot the camera up. Even if it is on, some of the more potentially invasive features like alerting you when it hears a baby’s cry or motion tracking based on sound are off by default.

The first actual issue you’ll notice is that when you’re asked to set up how push notifications work, you have the option to enable a thumbnail attached to your alert. If you switch to thumbnail-based notifications, these preview images are uploaded to eufy's AWS servers. It’s unclear how long these previews are saved for.

By default, eufy will collect “the site from which you came, the site to which you are going when you leave our services, how frequently you access our services, whether you open emails or click the links contained in emails, whether you access our services from multiple devices, and other browsing behavior and actions you take on our services”. That’s both a pretty wide remit and worryingly vague.

All of this data collection is enabled through the “Share App Analytics” toggle, which is on by default. It also seems strange that the option to turn this off is buried inside the “Terms and Conditions” part of the app.

AI-powered human detection is on by default, but it’s switched off for pets and any other motion. You can also set up the camera to manually track moving objects in its field of vision using AI, but this is also turned off by default.

The biggest problem we have with the S350 is how it handles cloud upload. To be clear, video upload is turned off unless you buy into eufy’s cloud subscription service. However, once it’s on, any video you send to the cloud isn’t protected with true end-to-end encryption. Unless you turn on a separate setting enabling E2E encryption, there’s no guarantee that your videos couldn’t be viewed by a third party.

Facial recognition is off by default, and Eufy states this processing takes place entirely on-device. Given what's documented in the track record section below, you should make your own decision about how much confidence to place in that claim.

Setup requires downloading the eufy Security app and registering an account with Anker, eufy's parent company. This is mandatory; you cannot configure the camera without one.

When you create an account, Anker collects your username, email address, and/or phone number, which are linked to your devices and used across all Anker brands and applications.

As for the camera itself, it collects plenty of device and network data. Beyond the standard IP address, device type, and operating system, the privacy policy also covers your device's MAC address, WiFi network name (SSID), device serial number, and (most importantly) a list of all applications installed on your phone.

If you subscribe to cloud storage, your video clips are uploaded to Anker's cloud infrastructure. We’ve confirmed through traffic analysis that Anker uses Amazon Web Services nodes in Germany, France, and Sweden when routed through the UK. However, their privacy policy also states that AWS nodes in the US could be used depending on your jurisdiction.

On the question of whether Anker employees can access your stored video footage, the policy states that access to personal information is restricted to employees, contractors, and agents "who need that information in order to process it," under confidentiality obligations. This is standard boilerplate, and it's meaningfully weaker than the "not viewed, shared, or used for other purposes" language that appears on eufy's separate Privacy Commitment page.

Despite promises of local-only storage and end-to-end encryption, there’s plenty of evidence to say that eufy needs to up their game.

In November 2022, security researcher Paul Moore published evidence that eufy cameras were uploading thumbnail images and facial recognition data to eufy's AWS servers even when cloud storage was disabled. He found that eufy was uploading thumbnail images of faces and user information to its cloud service when cloud functionality was not enabled, and that the images remained accessible even after footage was deleted from the eufy app. Shortly after, further investigation by The Verge revealed unencrypted live camera streams from eufy cameras could be accessed using video playback software such as VLC, with no authentication required, from anywhere in the world.

The New York Attorney General's office investigated eufy following the 2022 disclosures and secured a $450,000 settlement, with findings confirming that video streams from eufy cameras were transmitted without end-to-end encryption and could be accessed without authentication by anyone with the relevant URL. The settlement required eufy's distributors to implement proper encryption, conduct regular penetration testing, and maintain a vulnerability management program going forward.

Eufy is a sub-brand of Anker Innovations, a company founded in China and still headquartered there.

Eufy states that it does not sell your personal data. However, data is shared with third-party service providers including AWS, and with platform partners such as Amazon Alexa and Google Assistant when those integrations are enabled. The policy does not specify exactly what camera data is passed to voice assistant platforms when those integrations are active.

We’re more concerned about eufy’s internal data-sharing practices. The privacy policy confirms that Anker's China-based entities receive data as part of global operations covering data processing and customer support. The reason this is concerning is that China's National Intelligence Law requires Chinese companies to cooperate with state intelligence agencies on request, meaning data held or processed by Anker's Chinese entities could in principle be accessed by Chinese authorities without your knowledge or any obligation to notify you.

The S350 supports local storage via microSD and NAS via RTSP, meaning it's genuinely possible to use this camera with no cloud involvement whatsoever after the initial setup. For NAS storage, eufy explicitly states it has no access to footage stored on your own network-attached device.

We’ve also analyzed S350’s behaviour when the privacy mode is turned on. It swivels into the position it determines is “most private” and deactivates the camera and microphone. While in this mode, the S350 continues to phone home to AWS servers but does not appear to send video or audio content.

It’s impossible to get away from eufy’s data sharing practices. While the S350 does offer end-to-end encryption for video uploaded to the cloud, it’s not on by default.

Push notifications with thumbnail previews require images to be briefly uploaded to cloud servers, even without a cloud subscription. This is something eufy has been transparent about since the 2022 controversy. If you want zero cloud contact, you'll need to use text-only notifications.

We’ve also noticed some interesting behaviour coming from the camera itself. The S350 makes DNS requests to facebook. We’re not totally sure why, given that there seems to be no facebook integration into the app or camera. It could be that the S350 uses code libraries built by facebook, but there’s no documentation to suggest this is the case.

The company did not respond to a request for comment.

Eufy’s data sharing practices are concerning enough that you should run the S350 as “offline” as possible. Use local storage only. That means either a microSD or a NAS. Don't subscribe to eufy's cloud service. Switch notifications to text-only to prevent thumbnail uploads.

Don’t turn on the “Enhance My AI” setting in the eufy app. In return for explicitly handing over your video to improve eufy’s AI training model, eufy rewards you with raffle entries and points you can spend inside eufy’s ecosystem. Despite eufy’s attempts to gamify the self-surveillance space, we don’t think handing over your camera footage is worth the points.

Keep the S350 isolated on a separate network from your main devices and computers. Blocking the camera's outbound internet access entirely at the router level won’t disable the camera completely, but it will keep it from phoning home back to eufy’s AWS servers so you can use it without worrying about your private moments being uploaded to the cloud.

The eufy S350 is a technically excellent camera, but the company’s track record makes it hard to recommend. The hardware is genuinely strong, the local storage options are real and reasonably well implemented, and the physical privacy mode is a thoughtful design choice.

Eufy was caught uploading data it said it wasn't uploading, streaming video without encryption it said it was providing, and its first instinct was to quietly rewrite its privacy promises rather than come clean. A $450,000 settlement with the New York Attorney General is not the track record of a company that has earned the benefit of the doubt on privacy.

If you buy one, run it locally, keep it off your main network, and treat every privacy claim eufy makes as something to verify rather than assume. The camera can be made reasonably private in practice but you'll have to do the work yourself, because the company's word isn't enough.