You should also do some research before you buy. Guariglia suggests asking questions like, “What would it take for police to get footage from the company? Where is your data going to be stored? Does this company have a history of data breaches or bad cybersecurity?” Unfortunately, answers aren’t always easy to find. Apple, Arlo, Eufy, and Wyze state that they won’t share footage without a warrant or court order. Ring, however, has a close relationship with police departments, and Google may share Nest footage in emergency situations where there is a threat to life.

With a local storage system, you can potentially avoid uploading video to a company server and take it out of the manufacturer’s hands. Look for end-to-end encryption (preferably as a default). You can opt for a local system with no internet connection, but you would only be able to review video when you’re home. If you have the technical know-how to hook up internet-protocol cameras and DVRs without cloud services and connect via a Virtual Private Network (VPN) service, Heiland says that’s another potentially secure route. 

Perhaps counterintuitively, it might not be a red flag if your chosen camera brand has had problems in the past, provided the company has fixed them.“It’s better if there have been vulnerabilities reported on a camera because it gives us the ability to take a look at how a company deals with them,” Heiland says. “I’d rather go with a company that’s had multiple vulnerabilities in its cameras and shows a track record of fixing them quickly than a company that’s had no vulnerabilities. Because there’s no such thing as no vulnerabilities.” 

Where does Eufy go from here? The flaws have been patched, but it says it’s planning to bring on companies in security consulting, certification, and penetration-testing to conduct a comprehensive assessment of its products and eliminate potential risks. Eufy says there will also be an independent review of its processes and practices from an as-yet-unnamed security expert, and it plans to set up a security bounty program. These are positive steps, perhaps necessary growth for any security brand that expects to be taken seriously. It’s unfortunate that it took another scandal for Eufy to act. 

If you visit a manufacturer’s website, Heiland says it should be easy to find out how to report a vulnerability. If a company has a bug bounty program offering cash rewards to security researchers (incentivizing people to test the cameras and find flaws), all the better. Arlo, Logitech, Nest, and Wyze have some kind of bug bounty program, though the focus and rewards vary. Research should also turn up reports, like this one on Ezviz by Bitdefender, which shows the company is responsive and quick to investigate and fix flaws.

Keeping things secure is not just down to the camera manufacturer. Heiland warns against recycling passwords and strongly suggests picking long, complex passwords (16 to 24 characters) that mix alphanumeric, uppercase, lowercase, and special characters. You can use a password manager to help you keep track. He also recommends setting up security cameras and IoT devices on a network separate from your main computers, laptops, and phones. Most good routers and mesh systems offer guest or IoT network options that allow this.

If you have indoor security cameras, turn them off when you’re home. Look for cameras with shutters and privacy modes, or turn them around, unplug them, or use a scheduled smart plug. Heiland says he would not have a camera in the house but has less of an issue with carefully positioned outdoor security cameras. Just remember that even if you find a system that ticks all your boxes, there’s only so much you can verify.