Surfshark Highlights #AI Camera Privacy Risks

Adrian J Cotterill, Editor-in-Chief

Surfshark, a cybersecurity company offering products including an audited VPN, certified antivirus, data leak warning system, private search engine, and a tool for generating an online identity, has released a new study revealing that AI capabilities in smart security cameras pose additional privacy risks that many users are unaware of.

Beyond video capture and alerts, many popular devices now include smart facial recognition and vehicle detection, which Surfshark says raises the stakes for biometric and metadata exposure for camera owners and their neighbors. In addition, despite claims of enhanced safety, most camera companion apps gather additional user data unrelated to core camera functionality.

Miguel Fornes, cybersecurity expert at Surfshark, told us, “Imagine that suddenly the most personal and intimate part of your life – your home – is available to unknown individuals, with no known security controls to protect the recordings. The central risk isn’t only the capture. When people can’t meaningfully opt in or out and are not informed about where their biometric data is stored, what additional data points are being collected, and with whom it’s shared, you’ve created a privacy hazard. Scanning faces or car plates of neighbours – especially without explicit consent – should be treated as a major privacy concern if not a breach of privacy regulations.”

Amazon Ring has recently been criticized by privacy watchdogs over its ‘Familiar Faces’ feature, which claims to identify people captured on camera. This particular case raised concerns about consent and the handling of biometric data.

As these AI features become more prevalent, particularly facial recognition, manufacturers must navigate increasingly complex global privacy regulations. Facial recognition features are strictly regulated in the EU and UK, with high privacy standards enforced by the GDPR. By contrast, frameworks in the US, Canada, and Australia are less comprehensive and vary by jurisdiction.

According to Miguel Fornes, even when the law allows it, people often overlook the fact that in order to enable these smart features, AI cameras need to constantly ship data back to the manufacturer’s servers. “It’s not just recordings or snapshots. Cameras’ companion apps may be siphoning additional data points – including location, device IDs, contact information, usage patterns, and even biometrics – creating a parallel surveillance stream that can amplify the damage of any breach. Once a smart camera has a known vulnerability, bad actors can silently take control – turning it into a live feed that spies on you and even your neighbors. For such attackers, highly sophisticated skills are not even necessary; there are numerous readily available platforms that literally list compromised webcams, allowing anyone to break in.”

Among the eight leading brands analyzed in Surfshark’s study, six offer AI-powered facial recognition, seven provide smart vehicle detection, and all of them feature person detection and intelligent alerts. Despite vendor claims, most popular models require companion apps for setup, notifications, and cloud storage – apps that often collect additional information unrelated to core camera functionality.

The study found that Amazon Ring’s companion app was the most data-hungry, collecting 15 unique data types linked to the user, followed by Google Nest with 14. Arlo, SimpliSafe, and Vivint each collected 11, Frontpoint collected 10, and ADT collected nine.

  • The Amazon Ring ecosystem collects far more than biometrics, including location, device or user ID, email address, name, phone number, photos or videos, physical address, product interaction, purchase history, and other data types. Notably, Amazon’s camera app groups 10 data types under a vague “Other Purposes” category, leaving the reason for collecting these data points unclear in several cases.
  • The disclosed advertising-related data practices varied widely among the analyzed apps. Arlo stands out by collecting and sharing device IDs specifically for third-party advertising and by gathering more data types for developer advertising than any competitor, with five data types collected. Vivint and Google Nest each collect four data types for developer advertising, SimpliSafe collects three, and Amazon Ring and ADT each collect one.
  • TP-Link, while being the most privacy-friendly among the security cameras in Surfshark’s analysis, also offers the option to connect to third-party services. While this feature is disabled by default, enabling it can reduce device security and increase privacy risks. Generally, camera manufacturers recommend using the native camera ecosystem and avoiding third-party connections unless you thoroughly understand the potential risks associated with them.
