Google promises you can see and delete your camera footage, but when the FBI needed footage from a disabled camera with no cloud subscription, Google engineers found it hidden in their backend systems. There is video data Google keeps that you cannot see or delete. Google says they only share your camera footage with your permission, but they can actually give your videos to police without a warrant and without telling you, if they decide it's an emergency. Texas fined them $1.375 billion for exactly this kind of deception with Nest devices.
What they claim: Google Nest security page states: "We commit to being transparent about the data we collect" and "Your video footage will only be shared with third parties with your permission."
What we found: Google's own policies confirm it can share Nest camera footage with police without a warrant in "emergency" situations under the Electronic Communications Privacy Act. The user does not need to be notified or give permission for this disclosure. The $1.375 billion Texas settlement (2025) found Google collected biometric data including voiceprints through Nest devices without adequate disclosure or consent.
What they claim: Google markets Nest Cam with "on-device processing" and "local AI" — person, vehicle, and animal detection run on the device's TPU chip. Familiar Faces facial recognition is described as processing locally with face data stored in encrypted on-device memory.
What we found: Despite on-device AI marketing, the camera connects to 9+ Google cloud endpoints including nest-production.googleapis.com, firebaselogging.googleapis.com, and camera-quiet.googleapis.com. All video streams to Google cloud for storage. Free tier provides 3 hours of cloud event history; paid tiers up to 60 days. The Nancy Guthrie case proved Google retains video data in backend systems even when cameras appear offline. The Texas biometric settlement showed Google collected facial/voice biometric data without consent across the Nest ecosystem.
What they claim: Google Home app requests CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, READ_CONTACTS, CALL_PHONE, GET_ACCOUNTS, and QUERY_ALL_PACKAGES permissions for a security camera.
What we found: The Nest Cam is a battery-powered security camera. It needs camera/audio access for setup and two-way audio. However, READ_CONTACTS, CALL_PHONE, GET_ACCOUNTS, and QUERY_ALL_PACKAGES permissions go far beyond what's needed to operate a security camera. QUERY_ALL_PACKAGES lets Google inventory every app on your phone. READ_CONTACTS gives access to your entire address book. The companion app shares these permissions across all Google Home/Nest devices, creating a single data collection point for the entire ecosystem.
What they claim: Google Home app includes only 1 tracker (Google Firebase Analytics) — relatively modest compared to competitors like HP Smart (8 trackers) or Arlo Secure (6 trackers).
What we found: Despite the low tracker count in the app itself, the Texas $1.375 billion settlement found Google was deceptively collecting location data and biometric data across its ecosystem including Nest devices. Mozilla found Google allows "specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies." The low tracker count in the app is misleading because Google's tracking infrastructure is built into the operating system (Android) and Google Play Services, not just the app.
What they claim: Google Nest privacy commitments state: "We will clearly tell you about the data we collect and why" and "You can review and delete your Nest Cam video history at any time through the Google Home app."
What we found: In the Nancy Guthrie kidnapping case (February 2026), FBI recovered Nest camera footage from Google backend systems even though the camera had been physically disconnected and the user had no paid cloud storage subscription. Google engineers recovered "residual data" that was not visible to or deletable by the user. Google's own policy notes "you may not see a visual indicator when your camera is sending video footage to our servers."
What they claim: Google Nest FAQ states: "Your Nest Cam video footage, audio recordings, and home environment sensor readings are kept separate from advertising and will not be used for ad personalization."
What we found: The Google Home companion app (com.google.android.apps.chromecast.app) includes Google Firebase Analytics tracker. The app requests READ_CONTACTS, CALL_PHONE, GET_ACCOUNTS, QUERY_ALL_PACKAGES, and READ_GSERVICES permissions. Google's own Nest FAQ acknowledges that "the text of" Assistant voice interactions MAY be used to inform ad personalization. Mozilla's review found Google allows "specific partners to collect information from your browser or device for advertising and measurement purposes."
What they claim: Google Nest privacy page states: "We won't use your camera footage, audio recordings, or home sensor readings for ad targeting" and presents the Nest ecosystem as privacy-respecting.
What we found: Mozilla's Privacy Not Included review gave Nest Cams its lowest possible rating ('*Privacy Not Included' warning), with users voting it "Very Creepy." Mozilla found Google uses "publicly available information to help train Google's AI models" and allows partners to collect data for advertising. Multiple multi-million dollar settlements globally for deceptive location tracking practices. Google collects children's data via Family Link including location, voice, and app usage.
What they claim: Google Nest Cam stores up to 1 week of events locally during Wi-Fi/power outages, implying data stays on-device when connectivity is lost.
What we found: The Nancy Guthrie case (February 2026) proved that even when a camera is disconnected and offline, Google's backend systems retained recoverable video data. The camera connects to firebaselogging.googleapis.com and other logging endpoints. Google's privacy policy states "you may not see a visual indicator when your camera is sending video footage to our servers." Local event storage is in addition to — not instead of — cloud transmission.
What they claim: Google commits to "automatic security updates for minimum 5 years" and "independent third-party security assessments" for Nest devices.
What we found: CVE-2023-48419 (CVSS 10.0) and CVE-2023-6339 (CVSS 10.0) — both maximum severity — affected the entire Nest ecosystem including Nest Cam. An attacker in WiFi range could spy on victims or achieve root code execution. Earlier CVE-2019-5035 (CVSS 9.0) allowed brute-forcing pairing codes for full device control via Cisco Talos research. Despite third-party assessments, critical vulnerabilities with the maximum possible severity score were discovered externally, not by Google's own security team.
What they claim: Google Nest Cam FAQ states sensor data and video footage are stored securely and managed through the Google Home app with user control.
What we found: The Google Home app (com.google.android.apps.chromecast.app) requests RECEIVE_BOOT_COMPLETED (auto-starts on phone reboot), FOREGROUND_SERVICE_DATA_SYNC (continuous background data synchronization), FOREGROUND_SERVICE_CONNECTED_DEVICE (persistent connection to devices), and WAKE_LOCK (prevents phone from sleeping). These permissions enable persistent background data collection that operates continuously regardless of whether the user is actively using the app.