video surveillance – Techdirt

It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure

from the let's-just-pretend-this-never-happened dept

Last November, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact that the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept user video streams.

The researchers found that an attacker simply needed a device serial number to connect to a unique address at Eufy’s cloud servers using the free VLC Media Player, giving them access to purportedly private video feeds. When approached by The Verge, Anker apparently thought the best approach was to simply lie and insist none of this was possible, despite repeated demonstrations that it was very possible:

When we asked Anker point-blank to confirm or deny that, the company categorically denied it. “I can confirm that it is not possible to start a stream and watch live footage using a third-party player such as VLC,” Brett White, a senior PR manager at Anker, told me via email.

Not only that, Anker apparently thought it would be a good idea to purge its website of all of its past promises related to privacy, thinking this would somehow cause folks to forget they’d misled their customers on proper end-to-end encryption. It didn’t.

It took several months, but The Verge kept pressing Anker to come clean, and only this week did the company finally decide to do so:

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

I don’t know why anybody in tech PR in 2023 would think the best response to a privacy scandal is to lie, pretend nothing happened, and then purge your company’s website of past promises. Perhaps that works in some industries, but when you’re selling products to techies with very specific security promises attached, it’s just idiotic, and kudos to The Verge for relentlessly calling Anker out for it.

Filed Under: cameras, encryption, eufy, privacy, security, smart home, video, video surveillance
Companies: anker

Massachusetts Top Court Says Cops Need Warrants To Engage In Long-Term Video Surveillance Of People's Houses

from the not-quite-the-4th,-but-still-unconstitutional dept

Is a police camera aimed at a publicly-viewable area Constitutional? That’s a question courts have had to answer periodically. In most cases, the answer appears to be “no.” Long-term surveillance — even of a publicly-viewable area — is a government intrusion into private citizens’ lives. This sort of intrusion requires a warrant and sufficient probable cause.

A ruling by the Massachusetts Supreme Judicial Court doesn’t quite reach the Fourth Amendment but does find the seven months of surveillance by utility-pole-mounted cameras violates the state’s Constitution. The long-term surveillance of two residences resulted in multiple motions to suppress by the defendants. None of these have been granted, but the SJC has reversed the lower court’s dismissal of the suppression attempts. (via FourthAmendment.com)

Here’s the crucial part of the ruling [PDF], which notes the court isn’t going to go federal with this, leaving the Fourth Amendment question open.

We conclude that the continuous, long-term pole camera surveillance targeted at the residences of Mora and Suarez well may have been a search within the meaning of the Fourth Amendment, a question we do not reach, but certainly was a search under art. 14. We remand for further findings as to whether investigators had probable cause to conduct these searches when the cameras targeted at Mora’s and Suarez’s houses were first installed.

The Commonwealth argued no privacy violations occurred. Everything was out in the open where it could be seen by anyone. It pointed to the lack of fences surrounding the surveilled property, making it visible to passersby. The court points out it’s not willing to create a class-based system for Constitutional rights.

We reject the Commonwealth’s contention that the absence of fencing or other efforts to shield Mora’s and Suarez’s residences from view shows that they lacked any subjective expectation of privacy in those areas. The traditional barriers to long term surveillance of spaces visible to the public have not been walls or hedges -- they have been time and police resources.

[…]

Moreover, requiring defendants to erect physical barriers around their residences before invoking the protections of the Fourth Amendment and art. 14 would make those protections too dependent on the defendants’ resources. In Commonwealth v. Leslie, 477 Mass. 48, 54 (2017), we noted that affording different levels of protection to different kinds of residences “is troubling because it would apportion Fourth Amendment protections on grounds that correlate with income, race, and ethnicity” (quotation and citation omitted). Similarly, the capacity to build privacy fences and other similar structures likely would correlate closely with land ownership and wealth.

[…]

We will not undermine these long-held egalitarian principles by making the protections of art. 14 contingent upon an individual’s ability to afford to install fortifications and a moat around his or her castle.

The court then points out that the Fourth Amendment and Article 14 of the Commonwealth’s Constitution both protect citizens from government intrusion. That does not solely mean protection against physical invasions of their private spaces. It also includes their connections with other people and their everyday habits. Long-term surveillance “invades the security of the home,” something that’s impermissible without a warrant.

[E]ven when pole cameras do not see into the home itself, by tracking who comes and goes over long periods of time, investigators are able to infer who is in the home, with whom the residents of the home meet, when, and for how long. If the home is a “castle,” a home that is subject to continuous, targeted surveillance is a castle under siege. Although its walls may never be breached, its inhabitants certainly could not call themselves secure.

Without the need to obtain a warrant, investigators could use pole cameras to target any home, at any time, for any reason. In such a society, the traditional security of the home would be of little worth, and the associational and expressive freedoms it protects would be in peril.

The court isn’t impressed with the Commonwealth’s assertion that this surveillance required no warrant because no warrant would be required if this surveillance had been performed by officers, rather than cameras.

We are not swayed by the Commonwealth’s argument that this same aggregate data could have been collected by an officer conducting direct surveillance.

[…]

Unlike a police officer, a pole camera does not need to eat or sleep, nor does it have family or professional concerns to pull its gaze away from its target. The “continuous, twenty-four hour nature of the surveillance” is an “enhancement[] of what reasonably might be expected from the police.”

[…]

Even assuming that investigators otherwise could have conducted months of human surveillance without being discovered, these pole cameras captured information that a police officer conducting in-person surveillance could not. All of the footage collected by the cameras was stored digitally, in a searchable format, such that investigators later could comb through it at will. The pole cameras thereby gave investigators the ability to “pick out and identify individual, sensitive moments that would otherwise be lost to the natural passage of time.”

The court here may not have reached a Fourth Amendment conclusion but it does do something far too few courts are willing to do: it lays down new law.

In the future, before engaging in this kind of prolonged surveillance, investigators must obtain a warrant based on probable cause.

The motions to suppress aren’t granted but the Commonwealth will have to prove it had enough probable cause on hand before the cameras went up to support the warrants it never bothered to seek. That’s a tough hill to climb. But even if this somehow results in denied suppression motions, residents of Massachusetts are now protected by a warrant requirement for long-term video surveillance.

Filed Under: 4th amendment, massachusetts, video surveillance, warrants