Google says your smoke detector data stays separate from advertising, but your Nest Protect's occupancy sensor feeds into Google's Home/Away system, which tracks when you're home and which rooms you're in. Texas sued Google for $1.375 billion partly because it lied about how it collected data from Nest devices. Your smoke detector has motion sensors, ultrasonic presence detectors, light sensors, temperature sensors, and a microphone in every room of your house — including bedrooms and bathrooms. These sensors form a mesh network that maps which rooms are occupied and when. It's sold as a smoke detector but it's actually a whole-home surveillance system.
What they claim: The Nest privacy statement says: 'Under no circumstance do we share personal information for any commercial or marketing purpose unrelated to the activation and delivery of Nest Products.' Google's safety page commits that sensor readings are kept 'separate from advertising.'
What we found: Google Home presence sensing documentation confirms Nest Protect's occupancy sensor is used as a signal for Home/Away detection across the entire Google ecosystem. Multiple Nest Protects create a distributed room-level occupancy map feeding Google Home automations. Google also admits 'the text of' Assistant voice interactions (transcripts) MAY be used to inform interests for ad personalization. The $1.375 billion Texas settlement found Google deceived users about location data collection and collected biometric data through Nest devices without adequate disclosure.
What they claim: Nest Protect is marketed and sold as a smoke and carbon monoxide detector — a safety-critical device. Privacy statement frames data collection as necessary to 'provide a great experience with Nest products and services — to help save energy, stay safe, and keep you connected with your home.'
What we found: Hardware includes PIR occupancy sensor (120-degree FOV, 20-foot range), ultrasonic transducers for presence/gesture detection (Pathlight), ambient light sensor, temperature/humidity sensor, and a microphone. Multiple Nest Protects form a Weave 802.15.4 mesh network creating a distributed sensor grid throughout every room of the home. Occupancy data is used for Google Home presence sensing. This is a comprehensive home surveillance infrastructure installed in bedrooms, bathrooms, and every room — disguised as a smoke detector.
What they claim: Nest Protect is a smoke and CO detector. Its core function is detecting smoke, carbon monoxide, and alerting occupants to danger.
What we found: The Google Home companion app (v4.11.56.1) requests 37 permissions, including ACCESS_FINE_LOCATION (precise GPS), CAMERA, RECORD_AUDIO, CALL_PHONE, READ_CONTACTS, GET_ACCOUNTS, WRITE_EXTERNAL_STORAGE, and BLUETOOTH_SCAN. A smoke detector does not need access to your camera, phone contacts, ability to make phone calls, or precise GPS location. The app also includes the Google Firebase Analytics tracker for telemetry.
What they claim: Nest privacy statement mentions a microphone for 'Safety Checkup or Sound Check' audio verification. This is presented as a minor safety feature for self-testing the alarm.
What we found: Hardware teardown confirms a microphone is present in every Nest Protect unit. These devices are installed in bedrooms, bathrooms, and every room of the home — creating microphone coverage throughout the entire house. The Google Home app requests RECORD_AUDIO permission. Google's companion ecosystem (Nest Mini, Nest Hub) is always-listening. The presence of a microphone in a device installed everywhere, combined with Google's demonstrated history of undisclosed audio collection (Texas settlement), raises serious concerns about potential ambient audio capability beyond the stated 'Sound Check' purpose.
What they claim: Nest privacy statement states: 'Nest does not sell your personal information' and 'We do not rent or sell our customer lists.'
What we found: Same privacy statement also says de-identified information may be used for 'sales, marketing, and business decisions.' Google's privacy policy broadly permits sharing 'aggregated, non-personally identifiable information' publicly and with partners. The Texas AG settlement revealed Google's definition of 'personal information' was narrower than what consumers would expect — Google collected and used data it classified as 'non-personal' that most people would consider private, including occupancy patterns, home routines, and presence data.
What they claim: Google's Nest privacy commitments state sensor data is kept 'separate from advertising' and third-party sharing requires 'explicit' permission.
What we found: The Google Home app (v4.11.56.1) includes the Google Firebase Analytics tracker, which sends telemetry data to Google's analytics infrastructure. The app requests QUERY_ALL_PACKAGES (can see every app on your phone), GET_ACCOUNTS (access to Google accounts), and READ_CONTACTS. These permissions enable cross-referencing Nest usage data with other personal data on the phone. While Firebase Analytics may be classified as 'first-party' rather than advertising, it feeds into the same Google data infrastructure that powers ad targeting.
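Both permission findings above (the 37-permission list and the QUERY_ALL_PACKAGES, GET_ACCOUNTS and READ_CONTACTS set) can be checked against an app's decoded AndroidManifest.xml. The Python below is an added example, not part of the original audit; the manifest fragment, the com.example.companion package name and the capability grouping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permissions named on this page -> capability granted (grouping is an assumption).
CAPABILITY = {
    "ACCESS_FINE_LOCATION": "precise location", "CAMERA": "camera",
    "RECORD_AUDIO": "microphone", "CALL_PHONE": "phone calls",
    "READ_CONTACTS": "contacts", "GET_ACCOUNTS": "accounts on device",
    "WRITE_EXTERNAL_STORAGE": "shared storage",
    "BLUETOOTH_SCAN": "nearby devices",
    "QUERY_ALL_PACKAGES": "installed-app inventory",
}

# Constructed manifest fragment for illustration, not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

def sensitive_permissions(manifest_xml, device_sdk=34):
    """Return {capability: permission} for requests that apply on device_sdk."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            if tag.endswith("sdk-23") and device_sdk < 23:
                continue  # this element only applies on API 23 and later
            max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
            if max_sdk is not None and device_sdk > int(max_sdk):
                continue  # request is dropped above maxSdkVersion
            name = el.get(ANDROID_NS + "name", "")
            short = name[len(PREFIX):] if name.startswith(PREFIX) else name
            if short in CAPABILITY:
                found[CAPABILITY[short]] = short  # duplicates collapse
    return found

if __name__ == "__main__":
    for capability, perm in sorted(sensitive_permissions(SAMPLE_MANIFEST).items()):
        print(f"{capability:24} {perm}")
```

A declared permission shows what the app may ask for, not what it has been granted or actually uses; runtime grants are visible per app in the phone's settings.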
What they claim: Nest Protect connects to Google cloud services for alerts and monitoring. Privacy statement frames cloud connectivity as necessary for 'send[ing] you alerts and to let you know your home is safe.'
What we found: The device connects to at least 10 hardcoded cloud endpoints including frontdoor.nest.com, home.nest.com, home-frontdoor-pa.googleapis.com, firebaselogging.googleapis.com, and accounts.google.com. The Firebase logging endpoint means the device sends telemetry to Google's analytics platform. connectivitycheck.gstatic.com performs regular connectivity checks. The device contacts multiple Google-domain endpoints beyond what's needed for simple smoke/CO alerts. A device that could function as a standalone detector is instead tethered to Google's cloud infrastructure.
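To see which of these endpoints a device on your own network actually resolves, the local resolver's query log can be tallied per device. The Python below is an added example, not part of the original audit; it assumes dnsmasq-style query logging, and the log lines and the 192.168.1.57 device address are constructed.

```python
import re
from collections import Counter

# Endpoints named in the finding above; the page says there are at least
# ten but names only these six.
NAMED_ENDPOINTS = {
    "frontdoor.nest.com", "home.nest.com",
    "home-frontdoor-pa.googleapis.com", "firebaselogging.googleapis.com",
    "accounts.google.com", "connectivitycheck.gstatic.com",
}
# Of those, the one the page describes as telemetry/logging.
TELEMETRY = {"firebaselogging.googleapis.com"}

# dnsmasq query line: "... query[A] name from 192.168.1.57"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
Jan 12 03:14:07 dnsmasq[812]: query[A] frontdoor.nest.com from 192.168.1.57
Jan 12 03:14:07 dnsmasq[812]: forwarded frontdoor.nest.com to 9.9.9.9
Jan 12 03:14:09 dnsmasq[812]: query[A] firebaselogging.googleapis.com from 192.168.1.57
Jan 12 03:15:30 dnsmasq[812]: query[AAAA] Connectivitycheck.gstatic.com. from 192.168.1.57
Jan 12 03:15:31 dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan 12 03:20:02 dnsmasq[812]: query[A] firebaselogging.googleapis.com from 192.168.1.57
Jan 12 03:21:44 dnsmasq[812]: query[A] time.example.net from 192.168.1.57
"""

def audit_dns(log_text, device_ip):
    """Summarise the names one device resolved against the page's endpoint list."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("src") != device_ip:
            continue  # forwards, replies and other clients are ignored
        # DNS names are case-insensitive and may carry a trailing root dot.
        counts[m.group("name").lower().rstrip(".")] += 1
    return {
        "named": {n: c for n, c in counts.items() if n in NAMED_ENDPOINTS},
        "telemetry": {n: c for n, c in counts.items() if n in TELEMETRY},
        "unlisted": {n: c for n, c in counts.items() if n not in NAMED_ENDPOINTS},
        "never_seen": sorted(NAMED_ENDPOINTS - set(counts)),
    }

if __name__ == "__main__":
    for key, value in audit_dns(SAMPLE_LOG, "192.168.1.57").items():
        print(key, value)
```

This only covers lookups sent to the local resolver; a device that uses its own resolver or encrypted DNS will not appear in the log, so an empty result is not proof of silence.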
What they claim: Nest Protect uses the Weave protocol over 802.15.4 for reliable inter-device mesh communication. Google positions this as a safety feature — Protects can alert each other even if WiFi goes down.
What we found: Cisco Talos discovered critical vulnerabilities in the OpenWeave protocol: CVE-2019-5035 (CVSS 9.0) allows brute-force pairing and full device control, CVE-2019-5036 enables denial-of-service attacks on Weave sessions, CVE-2019-5034 allows pairing information disclosure. For a safety-critical device that people depend on to detect fires and carbon monoxide, having a CVSS 9.0 vulnerability that allows full device control means an attacker could potentially disable smoke detection in a home — a life-threatening scenario.
What they claim: Google commits to automatic security updates for a minimum of 5 years and independent third-party security assessments for devices released after 2019.
What we found: Nest Protect 2nd Gen was released in 2015 — four years before the 2019 cutoff for third-party security assessments. The Weave/802.15.4 vulnerabilities (CVE-2019-5035, CVE-2019-5036, CVE-2019-5034) existed for years before discovery. Google has discontinued Nest Protect sales while millions remain installed in homes. The 5-year update commitment from the 2015 release date would have expired around 2020, meaning these safety-critical devices may receive diminishing security support while remaining in service for decades (smoke detectors have 10-year lifespans).
What they claim: Nest privacy statement says information is collected to help you 'stay safe' and that data practices serve 'the activation and delivery of Nest Products.'
What we found: Google Home presence sensing uses Nest Protect occupancy data not just for safety but for automations, energy management, and ecosystem-wide routines. Google keeps 'a recent history' of presence events. The data flows from a safety device into Google's broader smart home platform, enriching Google's understanding of user behavior patterns across their entire product ecosystem. This represents function creep — safety sensor data being repurposed for convenience, automation, and ecosystem lock-in.