Consumer Reports has no financial relationship with advertisers on this site.
You buy a security camera to keep your home safe, but is your camera keeping your privacy and data safe? CR’s Digital Lab evaluates digital products and services for how well they protect consumers’ privacy and security.
After six weeks of testing that included evaluating more than 70 privacy and security criteria on 26 cameras, our experts found that nine security-camera brands—Blue by ADT, Canary, D-Link, Eufy, Honeywell Home, Logitech, Toucan, TP-Link, and Zmodo—still lack two-factor authentication, a more stringent security measure than using just a single password to log in.
There’s no good excuse for not offering it. “Two-factor authentication is an easy-to-implement second layer of authentication that, when enabled, can stop some hackers’ attacks immediately, protecting users' accounts,” says Cody Feng, CR's test engineer for privacy and security. Many manufacturers’ privacy policies also do a poor job of detailing exactly how they use the data from their customers’ cameras.
Two-factor authentication helps prevent cameras from being hacked by sending users a temporary, one-time passcode via text message, email, or phone to use in addition to their password for logging into their accounts. It’s a safeguard against credential stuffing, a tactic where hackers use usernames and passwords from data breaches to log into accounts.
It’s one of the key safeguards CR looks for in our home security camera tests, in addition to other indicators for privacy and security derived from The Digital Standard, an open-source set of criteria created by CR and other organizations for evaluating digital products and services.
“Unfortunately, many company policies are vague and reserve broad rights to put your data to work for the company's own ends, or they don't have the best security measures in place,” says Justin Brookman, director of privacy and technology policy for Consumer Reports. “Testing helps us shine a light on the companies that do a better job handling customer information, and to call out those whose policies need to change.”
As part of our overall digital privacy and security efforts, Consumer Reports sent a letter to 25 major home security manufacturers back in January recommending specific measures for improving the privacy and security of their products.
In all, we evaluated 26 models in this year’s privacy and data security tests; CR members with digital access can see the results in our wireless security camera ratings.
Two cameras in our tests, the D-Link DCS-2630L and the Guardzilla 360, are no longer supported by their manufacturers. D-Link recommends that owners stop using the camera (if you own the DCS-2630L, you can contact the company by emailing firstname.lastname@example.org). Guardzilla recently went out of business and did not respond to our request for more information. Because Guardzilla’s cameras no longer work, we are labeling the Guardzilla 360 camera a CR Don’t Buy.
Tougher Privacy and Security Tests
This year, CR weighed 10 key criteria more heavily than in the past. “We believe these are essential for consumer protection,” says Maria Rerecich, the senior director of product testing at CR.
These security measures include two-factor authentication, automatic software updates, a visual indicator light that lets you know the camera is active, and email notifications for when a user logs in from a new device or IP address.
Many brands do a good job of adopting these security measures, and most earn a Very Good rating for data security in our tests. But there is definitely room for improvement.
For data privacy, we examine privacy policies and other documentation to see whether manufacturers disclose how they collect your data, who they share your data with, whether they attempt to minimize data collection, and whether consumers have a way to request copies of their data or ask for it to be deleted.
“Our evaluation for data privacy leans heavily on companies explicitly stating how they are using, storing, and sharing consumers' data,” says Rerecich. “Since wireless security cameras capture and transmit sensitive data from inside a consumer's home, we have adjusted our scoring methodology to more accurately reflect the shortcomings of these privacy policies.”
As a result of our scoring change, no camera model now receives a data privacy rating higher than Good, which is the middle of our ratings scale.
The Gaps in Two-Factor Authentication
Consumer Reports reached out to the nine brands that don’t offer two-factor authentication and asked if and when they plan to implement it. We received responses from these seven companies:
• Blue by ADT will add multifactor authentication before the end of the year.
• Canary will add it soon.
• D-Link is planning to add the feature to its mobile app before Christmas 2020.
• Eufy is starting to deploy two-factor authentication in the U.S. now.
• Honeywell Home is looking into ways to add it.
• Logitech says the feature is being “actively developed.”
• TP-Link is “targeting” a release for the feature in Q4.
The cameras in our ratings that currently offer two-factor authentication are made by Amazon, Arlo, Blink, Google Nest, Ring, Samsung SmartThings, and Wyze. In our tests, all except Samsung SmartThings require you to enable the security feature in the camera app’s settings. But Ring has since made changes to the feature so that now, both it and Samsung automatically prompts users to enable it when they set up a camera, which CR would like to see all brands do.
“We’re glad to see these companies provide an extra layer of protection, and we hope more companies follow their lead,” says Feng.
Though many of the cameras lacked two-factor authentication, most offered a number of the other nine security features we looked for in our tests. As a result, most of the 26 models we evaluated receive a Very Good rating for data security.
There are two standouts: Arlo and, again, Samsung SmartThings. Models from both brands receive an Excellent rating for digital security. Google Nest cameras earn a Very Good rating, a drop from their Excellent rating last year, due to CR’s tougher data security scoring.
Poor Privacy Policies
We also rate how well companies’ stated privacy policies protect consumers.
Eight companies earned a Good rating, the highest score any company received. Of those, Google Nest stood out for doing the best job disclosing what user data it shares and with whom, though it doesn’t offer good tools for obtaining and deleting your data, nor does it try to minimize data collection.
Top Cameras From CR’s Tests
These are the top six wireless security cameras from our ratings. All offer strong data security and good data privacy, as well as impeccable video quality.
For more ratings and reviews of more models, check our wireless security camera ratings and buying guide.
Clarification: This article has been updated with information about D-Link's plans to implement two-factor authentication and Ring's decision to enable the feature by default.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2020, Consumer Reports, Inc.