The “Nanny” from Beijing. Who Else Is Watching the Baby Monitor Feed?
Texas Sues Lorex for Misleading Consumers—and Exposes the Hidden Surveillance Architecture Inside Home Security Cameras
On February 19th, Texas Attorney General Ken Paxton filed suit in Collin County District Court against Lorex Corporation and Lorex Technology Inc., the maker of home security cameras and surveillance systems sold at Amazon, Best Buy, Costco, and Kohl’s. The complaint—thirty-two pages of controlled fury dressed in statutory citations—alleges that Lorex has been systematically deceiving consumers: selling Texan families surveillance equipment whose core components come from Zhejiang Dahua Technology Co., a Chinese firm that the U.S. Department of Defense has designated a Chinese Military Company, that the F.C.C. has placed on its Covered List of unacceptable national security risks, and that the Department of Commerce has added to its Entity List for its role in building the surveillance infrastructure used to monitor Uyghur populations in Sherqi Türkistan. Lorex, the suit claims, knew all of this and failed to disclose it to consumers. Instead, it marketed its cameras with the slogan “protect what matters most” and featured promotional images of the devices perched above cribs, watching over sleeping infants in night-vision green—false security claims in their purest form.
The case is the third in a volley of four suits Paxton filed in a single week—the others targeting TP-Link, the drone manufacturer Anzu Robotics, and the e-commerce platform Temu—each built around the same core concern: American consumers are buying products with hidden ties to China—to Chinese entities subject to broad intelligence-cooperation duties under PRC law. Taken individually, each case is a consumer protection action targeting deceptive trade practices. Taken together, they represent something more ambitious—an attempt to conscript a Texas statute from the nineteen-seventies into the geopolitical confrontation of the twenty-twenties.
- Commentary on this article — see the discussion on LinkedIn
The Brand Changed Hands. The Chinese Components Did Not.
The facts of the Lorex case have a quality that a novelist might envy: they are both perfectly legible and faintly absurd. Lorex was founded in Canada in 1991 as a security camera manufacturer. Dahua acquired it in 2018. In November of 2022—one day before the F.C.C. issued an order banning further product authorizations for Dahua in the United States—Dahua sold Lorex to Skywatch Inc., a Taiwan-based company. The timing was, at minimum, conspicuous. But the Congressional-Executive Commission on China was not reassured. In an October, 2023, letter to Costco, the commission warned that the sale “does not allay our concerns,” because “Dahua still supplies all the component parts for the Lorex cameras and other surveillance equipment.” The brand changed hands. The Chinese components inside did not.
What Lorex tells consumers is that data privacy is a “top priority,” that the company takes “every step to ensure your security,” and that “staying compliant with security regulations is a top priority.” What Lorex does not tell consumers is that its security cameras appear visually identical to models listed in Dahua’s own product catalogue—a fact documented by IPVM, the independent security-technology research group, which verified the overlap through shipping records, product documentation, and direct testing. The Lorex 2K Dual Lens Indoor Camera, the one marketed as a baby monitor and nursery camera, looks, to a trained eye, like a rebadged Dahua H5D-5F. To an untrained eye—which is to say, to the eye of virtually every parent who has ever bought one—it looks like a Lorex.
The sole disclosure Lorex offers is a line of footer text on its Web site: “Lorex products are designed for consumer and business use only and not for US federal governments, federally-funded projects or contractors subject to NDAA.” The sentence is technically present and functionally opaque. It does not explain what the N.D.A.A. is. It does not link to further information. It does not say why the federal government shouldn’t use these cameras. The deliberate concealment of material product information—or, more charitably, the failure to disclose it—is the legal equivalent of muttering something important while facing the wall.
The Legal Triad: China’s Architecture of Compulsory Intelligence Cooperation
To understand why a home security camera in a nursery in Fort Worth might concern the Department of Defense, you need to understand not just Dahua but the legal architecture in which Dahua operates. And that architecture of compulsory intelligence cooperation is, by any Western standard, extraordinary.
China’s 2017 National Intelligence Law provides, in Article 7, that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the Law.” The statute is not advisory. It offers rewards for compliance and penalties—dismissal, investigation, detention—for obstruction. Article 14 authorizes intelligence organs to demand that companies provide “necessary support and assistance.” There is no opt-out clause. There is no judicial review in any sense a Western lawyer would recognize. The law applies to every Chinese entity and every Chinese citizen, wherever they happen to be operating.
But the National Intelligence Law does not stand alone. It is one pillar of a legal triad that also includes China’s 2017 Cybersecurity Law—which requires “critical information infrastructure operators” to store personal data within China and submit to state security reviews—and the 2021 Data Security Law, which formalizes government authority over cross-border data flows and ties data handling explicitly to national security and “social stability,” a phrase whose meaning, in the PRC context, is capacious enough to encompass almost anything. The 2021 Personal Information Protection Law, China’s answer to the G.D.P.R., contains its own national-security exceptions that swallow much of the consumer data protection rule. Taken together, these statutes create an environment in which, as the Department of Homeland Security has warned, “no data collected can be withheld from PRC authorities should they request it for intelligence purposes.” Western security assessments—including from the U.S., the E.U., and allied security bodies—have concluded that this legal framework can be used to compel not only data disclosure but also the introduction or maintenance of security vulnerabilities and backdoors in equipment sold abroad.
This is the legal environment in which the Chinese manufacturer Dahua produces the components inside Lorex cameras. And Dahua is not an abstract case study. The Commerce Department added it to the Entity List in October 2019 specifically because it had been “implicated in human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uyghurs, Kazakhs, and other members of Muslim minority groups.” Dahua developed facial-recognition technology capable of generating real-time alerts upon detecting an Uyghur face. It co-developed “ethnicity tracking” technical standards designed to automatically estimate the probability of an individual being Uyghur, Tibetan, or a member of another targeted group. It built and deployed the camera networks that form the physical backbone of what scholars have called the most comprehensive mass population surveillance system in human history. These are not allegations from advocacy groups. They are the findings cited in federal register notices and congressional letters.
When a parent in Plano mounts a Lorex camera above a crib, she is not, of course, connecting herself to a surveillance network in Kashgar. But she is placing in her home a device whose actual manufacturer—not the name on the box, but the entity that made the components—built its global business on the ability to watch people who did not consent to being watched, in service of a state that does not require their consent.
The Ecosystem: Not a Conspiracy, but a Legal System Governing China’s Tech Industry
Dahua is not an isolated case of consumer data security failure. It is one node in a broader ecosystem of Chinese technology companies whose consumer products carry embedded intelligence and surveillance risks—risks that multiply precisely because the products are good, cheap, and ubiquitous.
Hikvision, Dahua’s sister company in the Chinese video-surveillance industry, is on the same Entity List for the same reasons. Its security cameras have been found with hard-coded backdoors that allowed remote unauthorized access to user data, and its technology has been deployed to conduct ethnic-minority analytics in Sherqi Türkistan—software designed to sort human beings by phenotype. Huawei and ZTE, the telecommunications-equipment giants excluded from Western 5G networks, occupy a parallel position in the networking infrastructure space—their equipment another instance of deceptive market practices at a global scale, where national security threats were hidden behind attractive pricing. DJI, the world’s dominant consumer-drone manufacturer, faces growing restrictions over concerns that flight logs, imagery, and telemetry could flow back to Chinese authorities—concerns that prompted Paxton’s suit against Anzu Robotics, which he alleges is essentially a DJI passthrough designed to circumvent American restrictions. TP-Link, the networking company that controls a substantial share of the U.S. retail router market, is accused by Paxton of allowing PRC-linked actors access to devices that form the connective tissue of American home networks. And Temu, the shopping app owned by PDD Holdings, faces lawsuits from multiple state attorneys general—Arkansas, Nebraska, Kentucky, Arizona, and now Texas—alleging that its app functions as consumer data-harvesting malware dressed in the bright colors of a discount marketplace.
What connects these companies is not a conspiracy. It is a legal system. Each operates under the same PRC statutes that require cooperation with state intelligence. Each has been flagged, to varying degrees, by U.S. federal agencies as a security threat. And each sells products to American consumers who have no practical way of knowing any of this—because the companies deliberately conceal it, and because no federal consumer protection law requires them to disclose it.
A February 2025 DHS bulletin on Chinese-made internet-connected cameras stated the problem plainly: many such devices communicate back to their manufacturers by default, lack robust security controls, and have been exploited at scale by Chinese state-sponsored actors. The bulletin emphasized that white-labeling—the deceptive market practice of selling Chinese-manufactured cameras under Western brand names—is the primary mechanism by which these devices evade the F.C.C.’s 2022 ban. Lorex, of course, is the textbook case.
Deceptive Trade Practices and Consumer Protection Law: the D.T.P.A. as Weapon
Paxton’s complaint rests on the Texas Deceptive Trade Practices–Consumer Protection Act, a consumer protection statute enacted in 1973, and it deploys four counts that approach the same problem from converging angles. The first charges Lorex with engaging in false, misleading, or deceptive acts in trade. The second argues that Lorex has represented its products as possessing characteristics—data security, privacy, consumer protection—that they do not, in fact, possess. The third alleges that Lorex has marketed goods of one standard and quality while delivering goods of another. The fourth, and most consequential, invokes Section 17.46(b)(24) of the D.T.P.A., which prohibits “failing to disclose information concerning goods or services which was known at the time of the transaction if such failure to disclose such information was intended to induce the consumer into a transaction into which the consumer would not have entered had the information been disclosed”—misleading consumers through deliberate omission.
This last provision is the heart of the case, and its elegance lies in what it does not require. Paxton need not prove that Lorex lied. He must show only that Lorex knew something material, chose silence, and that the silence was calculated to keep consumers buying—a classic pattern of violating consumer rights through concealment of information. The evidentiary standard is, by design, generous to the plaintiff: the D.T.P.A. asks whether the conduct “has the capacity to deceive an ignorant, unthinking, or credulous person”—a test established by the Texas Supreme Court in Spradling v. Williams (1978) and reaffirmed in Doe v. Boys Clubs of Greater Dallas (1995). The question is not whether a cybersecurity researcher could have uncovered Lorex’s hidden ties to Dahua. The question is whether a parent browsing Costco’s Web site, seeing an image of a camera overlooking a crib and the words “Safe & secure—In-Camera AI & Privacy Mode,” would have any reason to suspect that the device’s components were manufactured by a company that built ethnicity-tracking systems for the Chinese state and operates under compulsory intelligence-sharing obligations with the People’s Republic of China.
The answer—and the measure of how thoroughly Lorex misled its consumers—is obvious: no.
Bridging the Gap: From Government Ban to the Nursery
The deeper innovation in Paxton’s approach—one of significance for every consumer protection practitioner—is structural. The federal restrictions on Dahua—the N.D.A.A. ban, the F.C.C. Covered List, the Commerce Department Entity List, the Secure Equipment Act—were designed to protect government networks and critical infrastructure. They were not designed to protect consumer data or a family in Plano. A consumer walking into a Costco has no federal shield against buying a Dahua-made product, because Dahua is not banned from the consumer market. It is banned from government procurement. The distinction is, from a consumer rights standpoint, incoherent—if a device is too dangerous for a federal contractor’s office, it is difficult to explain why it is safe enough for a child’s bedroom—but it is, as of today, the law.
Paxton’s complaint bridges this gap by arguing that the existence of those federal restrictions is itself material information that Lorex was obligated to disclose—and that its omission constitutes misleading consumers under the D.T.P.A. If the U.S. government considers Dahua’s equipment an unacceptable security risk, and Lorex knows its products contain Chinese components made by Dahua, and Lorex tells consumers those products are “safe” and “secure” without mentioning any of this—then the omission is not a technicality. It is a business model built on the deliberate concealment of information.
He is not alone in this legal theory. Nebraska’s Attorney General filed a parallel suit against Lorex in September 2025, and Florida’s Secretary of State has subpoenaed the company over the same concerns. If the Texas theory survives judicial scrutiny, it will become a template for consumer protection across the United States. Other state attorneys general will notice. The implications extend well beyond surveillance cameras: any Internet-of-Things device sold under a Western brand but built on components from a restricted Chinese supplier could face the same analysis. The router in your home office. The doorbell camera on your porch. The smart thermostat that knows when you’re away.
The Gap Between Privacy Claims and Security Vulnerabilities
There is one more dimension worth noting, and it is the one that gives the case its particular chill.
Lorex’s privacy policy acknowledges, in vague terms, that it may share personal data with “government bodies and law enforcement” and that data may be transferred internationally. It does not mention China. It does not mention Dahua. It does not mention the National Intelligence Law. To its credit, Lorex states repeatedly that consumer data protection is built into its architecture: video is stored locally and encrypted on the user’s device, and the company does not have default access to footage unless the user explicitly shares it for technical support.
But that data security assurance—however well-intentioned—exists in tension with the documented cybersecurity vulnerabilities of the product. Security researchers have previously discovered serious flaws and hard-coded remote-access paths in Dahua firmware. The DHS bulletin on Chinese-made cameras documented large-scale exploitation by PRC state-sponsored actors, noting that many such devices communicate with manufacturer servers by default in ways that are not transparent to the end user. The Lorex complaint itself catalogs six documented security vulnerabilities in Dahua components—including unauthorized access to video and audio feeds, remote code execution, and privilege escalation—drawn from the National Vulnerability Database. And the PRC legal framework is unambiguous: under Articles 7 and 14 of the National Intelligence Law, Chinese authorities can seek access to data moving through Dahua-controlled infrastructure or services, including when the devices are installed in American homes, if such access is technically available. The question is not whether Beijing has a guaranteed, on-demand right to a nursery camera feed in Fort Worth. The question is whether the legal and technical conditions for such access exist. The answer, based on the public record, is that they do.
This is the information that Lorex did not disclose to consumers. Not a speculative risk. Not a geopolitical abstraction. A documented pattern of security vulnerabilities in the very components it sells—manufactured by a company legally obligated to cooperate with a state that has already demonstrated—in Sherqi Türkistan, at industrial scale—exactly what it does with the surveillance technology it acquires.
Financial Penalties, Injunctive Relief, and Consumer Rights
The D.T.P.A. provides for civil penalties of up to ten thousand dollars per consumer rights violation. In a state-enforcement action under Section 17.47, the Attorney General need not prove actual consumer harm—no proof of data exfiltration, no forensic evidence that anyone’s camera feed was ever accessed without authorization. The consumer protection statute requires only that the company engaged in acts that were false, misleading, or deceptive and that had the capacity to deceive. In a case involving mass retail distribution through Amazon, Costco, Best Buy, and Kohl’s across the state of Texas, each transaction is a potential violation. The aggregate penalty exposure could be enormous—though the precise figure will depend on discovery, and Lorex’s lawyers will no doubt contest the per-transaction theory vigorously.
Paxton has also requested temporary and permanent injunctions that would require Lorex to disclose its use of components from the Chinese manufacturer Dahua, to inform consumers that their data may be accessible to Chinese authorities through Dahua-controlled infrastructure, to stop misleading consumers by marketing its products as safe and private without appropriate qualifications, and to obtain express, informed consent before collecting or sharing consumer data. If the court grants this relief, Lorex will face a stark commercial choice: full supply-chain transparency—which would almost certainly devastate sales—or a wholesale replacement of its component supplier. Neither option is attractive. Both are, arguably, overdue.
Lorex has previously stated that it is committed to compliance with applicable laws and regulations and has emphasized its local-storage architecture as a consumer data privacy safeguard. Dahua has denied that its products pose undue security risks and has pointed to the consumer-oriented nature of its OEM partnerships. Neither company has publicly addressed the specific allegations in Paxton’s complaint.
European Perspective: Different Consumer Protection Tools, Same Problem
For European observers—and for practitioners of consumer protection law in civil-law jurisdictions—similar risks are addressed through the General Data Protection Regulation, the NIS 2 Directive, and the recently enacted Cyber Resilience Act, which imposes direct obligations on IoT device manufacturers regarding the security of digital products. Each is a purpose-built regulatory instrument with its own enforcement machinery, designed to protect personal data and consumer rights in the era of connected devices. The Texas approach is, from this perspective, both admirable and faintly bewildering. Paxton is wielding a consumer protection statute written during the Nixon Administration to address a problem that involves Chinese intelligence law, firmware security vulnerabilities in IoT devices, and the geopolitics of semiconductor supply chains. The tool is blunt. It is also, within its jurisdiction, remarkably effective: the D.T.P.A., in a state-enforcement action, requires no showing of actual consumer harm, no proof of a data security breach, no forensic evidence that Beijing actually accessed anyone’s camera feed. It requires only that the company knew something important, deliberately concealed that information, and kept selling.
There is a lesson in this for the broader consumer products market, and it is not a subtle one. In the current climate of U.S.-China technological confrontation, the companies most exposed are not the ones doing something illegal. They are the ones doing something legal but undisclosed—selling perfectly functional products with perfectly hidden provenance, betting that consumers will never look past the brand on the box. The bet rested on a particular assumption: that the gap between what a government bans for itself and what it permits for its citizens will persist indefinitely, and that no one will think to bridge it. For years, that assumption held. In Collin County, Texas, it just collapsed.
Robert Nogacki is a legal counsel (radca prawny) and the founder of Kancelaria Prawna Skarbiec, a Polish law firm specializing in international tax and legal advisory services.
Founder and Managing Partner of Skarbiec Law Firm, recognized by Dziennik Gazeta Prawna as one of the best tax advisory firms in Poland (2023, 2024). Legal advisor with 19 years of experience, serving Forbes-listed entrepreneurs and innovative start-ups. One of the most frequently quoted experts on commercial and tax law in the Polish media, regularly publishing in Rzeczpospolita, Gazeta Wyborcza, and Dziennik Gazeta Prawna. Author of the publication “AI Decoding Satoshi Nakamoto. Artificial Intelligence on the Trail of Bitcoin’s Creator” and co-author of the award-winning book “Bezpieczeństwo współczesnej firmy” (Security of a Modern Company). LinkedIn profile: 18 500 followers, 4 million views per year. Awards: 4-time winner of the European Medal, Golden Statuette of the Polish Business Leader, title of “International Tax Planning Law Firm of the Year in Poland.” He specializes in strategic legal consulting, tax planning, and crisis management for business.
