Google says your voice recordings won't be used for ads, but they convert your voice to text and then use that text to target ads at you. They technically keep the audio file separate from ads, but everything you said still gets used to sell you things. Google promises your Nest Mini only listens after you say "Hey Google," but it has been caught recording when nobody said the wake word. Google admitted a software bug caused speakers to record everything. A security researcher also showed someone nearby could hijack the microphone and listen to you remotely.
What they claim: Google states the Nest Mini microphone "only sends audio to Google after it detects an activation, like when it hears Hey Google" and "won't send what you're saying to Google servers" in standby mode.
What we found: The Google Assistant Privacy Class Action lawsuit documents that Google Assistant on Nest/Home devices activates and records conversations without the wake word being spoken. A 2020 Security Magazine report confirmed Google admitted a software update caused Home speakers to record at all times. Separately, researcher Matt Kunze demonstrated (2021, $107,500 bounty) that an attacker could remotely access the Nest Mini microphone feed by installing a backdoor account via the Google Home app.
What they claim: Google Home app requests CAMERA permission and CALL_PHONE permission for controlling a smart speaker that has no camera and no telephony hardware.
What we found: The Google Home companion app (v4.11.56.1, Exodus Privacy report) requests 37 permissions including CAMERA and CALL_PHONE. The Nest Mini 2nd Gen is a speaker with microphones — it has no camera. The CAMERA permission grants access to the phone's camera, and CALL_PHONE allows initiating phone calls from the user's device. Google's privacy commitments page does not disclose that the companion app accesses the phone's camera or makes calls.
What they claim: Google Home app requests READ_CONTACTS and GET_ACCOUNTS — access to the user's entire contact list and all accounts on their phone.
What we found: The Exodus Privacy report for Google Home v4.11.56.1 shows READ_CONTACTS and GET_ACCOUNTS permissions. Google's Nest privacy page does not disclose that the companion app accesses the user's full contact list or account information. The privacy commitments state data is only shared with third parties with "explicit homeowner permission" but do not mention the app itself harvesting contacts from the phone.
What they claim: Google Home app requests RECORD_AUDIO permission for a device marketed as only listening locally for the wake word.
What we found: The companion app requests RECORD_AUDIO (Exodus Privacy report, v4.11.56.1), giving it access to the phone's microphone. The Nest Mini itself has three far-field microphones that are always listening. Combined: both the speaker AND the phone app can record audio. Google's firmware notes describe on-device wake-word detection via the Synaptics AS-370 ML chip, implying audio stays local — but the app's RECORD_AUDIO permission means the phone microphone is also accessible, creating a second audio capture point not disclosed in Google's privacy commitments.
What they claim: Google states environmental sensor data is collected to "improve device functionality and user experience" and keeps it separate from advertising.
What we found: Google's Nest privacy commitments confirm sensor data (motion, occupancy, temperature, humidity, ambient light) is "regularly sent to Google." The Texas AG's $1.375 billion settlement (2025) found Google deceived users about data collection practices across its ecosystem including Nest devices, and collected biometric data (voiceprints) through Google Assistant without adequate disclosure. The FTC/COPPA settlement confirmed Google failed to honour deletion requests for children's data.
What they claim: Google Nest privacy page states audio recordings are "kept separate from advertising and not used for ad personalization."
What we found: Google's own Nest privacy commitments page simultaneously states that "the text of" Assistant voice interactions (transcripts) MAY be used to inform interests for ad personalization. The audio is transcribed, then the transcript feeds the ad system — a distinction without a meaningful difference to users who believe their voice interactions are private from advertising.
What they claim: The Nest Mini communicates with 9 Google cloud endpoints including analytics and crash reporting servers.
What we found: Firmware analysis shows hardcoded endpoints including firebaselogging.googleapis.com (analytics), clients3.google.com (crash/metrics reporting), and assistant.googleapis.com. Google's privacy page states devices only send data "when you or someone in your home is interacting with your Assistant or if you use a feature that needs it." However, analytics and crash reporting endpoints transmit data continuously regardless of user interaction — the device phones home to Google even when sitting idle.
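One way to check the idle phone-home finding on your own network is to count the speaker's DNS lookups for the endpoints named above that fall outside any voice interaction. This is an added example, not part of the original report: the dnsmasq-style log lines, the speaker IP 192.168.1.50 and the interaction timestamp are constructed, and a lookup is only a proxy for a connection, since cached answers hide repeat traffic.

```python
import re
from datetime import datetime, timedelta

# The three endpoints this page names from the firmware analysis.
WATCHED = {"firebaselogging.googleapis.com", "clients3.google.com",
           "assistant.googleapis.com"}

# Constructed dnsmasq query log; 192.168.1.50 is an assumed speaker address.
SAMPLE_LOG = """\
Mar  1 02:00:05 dnsmasq[412]: query[A] firebaselogging.googleapis.com from 192.168.1.50
Mar  1 02:30:07 dnsmasq[412]: query[A] clients3.google.com from 192.168.1.50
Mar  1 03:00:05 dnsmasq[412]: query[AAAA] firebaselogging.googleapis.com from 192.168.1.50
Mar  1 08:15:02 dnsmasq[412]: query[A] assistant.googleapis.com from 192.168.1.50
Mar  1 08:15:03 dnsmasq[412]: query[A] firebaselogging.googleapis.com from 192.168.1.50
Mar  1 09:00:00 dnsmasq[412]: query[A] firebaselogging.googleapis.com from 192.168.1.23
Mar  1 09:10:00 dnsmasq[412]: query[A] www.example.org from 192.168.1.50
"""
# Constructed time at which someone actually spoke to the speaker.
SAMPLE_INTERACTIONS = [datetime(2024, 3, 1, 8, 15, 0)]

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) dnsmasq\[\d+\]: "
                  r"query\[(?:A|AAAA)\] (\S+) from (\S+)$")

def parse(log, year=2024):
    """Yield (timestamp, queried name, client IP); syslog lines carry no year."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2).lower().rstrip("."), m.group(3)

def idle_lookups(log, device_ip, interactions, window=timedelta(seconds=60)):
    """Count watched-endpoint lookups by device_ip outside every interaction window."""
    counts = {}
    for ts, name, src in parse(log):
        if src != device_ip or name not in WATCHED:
            continue
        if any(abs(ts - t) <= window for t in interactions):
            continue  # plausibly triggered by the user, so not idle traffic
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    print(idle_lookups(SAMPLE_LOG, "192.168.1.50", SAMPLE_INTERACTIONS))
```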
What they claim: Google Home app requests QUERY_ALL_PACKAGES — the ability to see every app installed on the user's phone.
What we found: The Exodus Privacy report for Google Home v4.11.56.1 shows the QUERY_ALL_PACKAGES permission, which allows the app to enumerate all installed applications on the user's device. This creates a detailed profile of user interests, app usage, and potentially sensitive information (health apps, dating apps, financial apps). Google's Nest privacy commitments make no mention of inventorying the user's installed applications. Android restricted this permission in API 30+ due to privacy concerns.
What they claim: Google's Nest security page promises automatic security updates for minimum 5 years and independent third-party security assessments for devices released after 2019.
What we found: Despite these commitments, CVE-2023-48419 (CVSS 10.0 — maximum severity) allowed an attacker within WiFi range to eavesdrop on Google Home/Nest Mini users. CVE-2023-6339 (CVSS 10.0) allowed root code execution on Nest devices. Both were critical severity vulnerabilities in devices that had supposedly undergone third-party security assessments. The WiFi eavesdropping vulnerability existed in firmware shipped to millions of devices before being patched in December 2023.
What they claim: Google claims to respect data deletion requests and gives users control over their data through privacy settings.
What we found: The FTC/DOJ COPPA settlement confirmed Google failed to honour data deletion requests for children using Nest/Home devices. The Texas AG $1.375 billion settlement found Google deceived users about location data collection even after users turned off location tracking. The Google Assistant Privacy Class Action alleges systematic violation of user privacy expectations. Despite Google's stated privacy commitments, three separate legal actions found a pattern of collecting and retaining data contrary to user preferences and legal requirements.
What they claim: Google Home app requests ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION for a stationary smart speaker.
What we found: The Exodus Privacy report shows the Google Home app requests both ACCESS_FINE_LOCATION (GPS-level precision) and ACCESS_COARSE_LOCATION. The Nest Mini is a stationary device plugged into a wall — it does not move. While location may be used for initial setup, continuous fine location access is not justified for controlling a fixed speaker. Google's privacy page does not explicitly disclose that the app continuously tracks the phone's precise GPS location.
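The permission findings above (camera, telephony, contacts, accounts, microphone, installed apps, location) can be re-checked against any companion app by reading its decoded AndroidManifest.xml. The sketch below is an added example, not code from the report or from Exodus Privacy: the manifest and the package name com.example.speakercompanion are constructed, not the Google Home manifest, and the resource labels are this example's own grouping.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Permissions this page cites, mapped to the phone resource each one exposes.
CITED = {
    "CAMERA": "camera", "CALL_PHONE": "telephony",
    "READ_CONTACTS": "contacts", "GET_ACCOUNTS": "accounts",
    "RECORD_AUDIO": "microphone", "QUERY_ALL_PACKAGES": "installed apps",
    "ACCESS_FINE_LOCATION": "location", "ACCESS_COARSE_LOCATION": "location",
}

# Constructed manifest for a hypothetical speaker companion app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.speakercompanion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"
                   android:maxSdkVersion="22"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

def effective_permissions(manifest_xml, device_sdk):
    """Platform permissions the manifest requests on a device at device_sdk."""
    found = set()
    for el in ET.fromstring(manifest_xml):
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        if el.tag == "uses-permission-sdk-23" and device_sdk < 23:
            continue  # this element only applies on API 23 and later
        max_sdk = el.get(ANDROID + "maxSdkVersion")
        if max_sdk is not None and device_sdk > int(max_sdk):
            continue  # request is dropped on newer platforms
        name = el.get(ANDROID + "name", "")
        if name.startswith(PREFIX):
            found.add(name[len(PREFIX):])
    return found

def audit(manifest_xml, device_sdk):
    """Group the cited permissions that are in effect by exposed resource."""
    exposed = {}
    for perm in sorted(effective_permissions(manifest_xml, device_sdk)):
        if perm in CITED:
            exposed.setdefault(CITED[perm], []).append(perm)
    return exposed

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, 33))
```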