Google promises your Nest sensor data won't be used for ads. But there's a loophole: when you talk to your thermostat ('Hey Google, set it to 72'), the text of what you said CAN be used to target ads at you. Google was fined $1.375 billion in Texas for exactly this kind of deceptive privacy practice — collecting voice data from Nest devices without properly telling users. Google says your Nest thermostat's microphone only listens after you say 'Hey Google.' But a maximum-severity security flaw (CVE-2023-48419) let attackers nearby eavesdrop on any Nest device without the owner knowing. A class action lawsuit says these devices record conversations even without the wake word — and Google admitted one update made speakers record everything all the time.
What they claim: Google's Nest privacy page states: 'Microphones transmit audio only upon detecting wake words like Hey Google.' Google commits that audio recording requires active wake word detection.
What we found: CVE-2023-48419 (CVSS 10.0): An attacker in WiFi proximity can spy on Google Nest devices without user interaction. The Google Assistant Privacy Class Action lawsuit alleges devices record when anything remotely similar to command words is uttered. Google itself admitted a software update caused Home speakers to record at all times, not just after the wake word. Two critical CVEs (CVE-2023-48419, CVE-2023-6339) with maximum severity scores demonstrate the 'only after wake word' claim is technically unreliable.
What they claim: Google's Nest privacy commitments focus on thermostat functions: temperature control, scheduling, presence detection, and energy management. The thermostat is marketed as a simple home comfort device.
What we found: The Google Home companion app (com.google.android.apps.chromecast.app) requires 37 permissions including: CAMERA, RECORD_AUDIO, READ_CONTACTS, CALL_PHONE, ACCESS_FINE_LOCATION, GET_ACCOUNTS, QUERY_ALL_PACKAGES (sees all installed apps), and MANAGE_ACCOUNTS. A thermostat needs none of these — it needs WiFi access and temperature data. The app can see your contacts, make phone calls, access your camera, record audio, track your precise location, and inventory every app on your phone.
What they claim: The Google Home app requests QUERY_ALL_PACKAGES permission, which allows it to see every app installed on the user's phone.
What we found: A thermostat companion app has no legitimate need to inventory all installed applications on a user's phone. The Nest Thermostat communicates via WiFi, Bluetooth, and Thread — none of which require knowing what other apps are installed. QUERY_ALL_PACKAGES enables Google to build a comprehensive profile of user interests based on installed apps (games, dating apps, health apps, banking apps, political apps). Combined with the thermostat's occupancy data and the app's FINE_LOCATION access, this creates a surveillance profile far beyond what's needed to control home temperature.
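The permission list above is the kind of thing a reviewer can check for themselves rather than take on trust. The script below is an added example (it is not from the original page and not Google's code): it parses the `requested permissions:` block that `adb shell dumpsys package <package>` prints for an installed app and sorts each permission into expected, high-risk excess, or other excess, measured against a least-privilege baseline for a thermostat controller. The baseline, the risk notes, and the sample dump are this example's own assumptions; the sample contains the permissions the page names plus a few ordinary networking and Bluetooth permissions assumed for setup, and is not a capture of the real app.

```python
"""Audit an Android app's requested permissions against a least-privilege baseline.

Added example, not from the page or from Google. Parses the 'requested
permissions:' block in the shape `adb shell dumpsys package <pkg>` prints it.
"""
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `dumpsys package` output. The permission
# names come from the audit text; the surrounding lines are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.google.android.apps.chromecast.app] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.ACCESS_WIFI_STATE
      android.permission.CHANGE_WIFI_STATE
      android.permission.BLUETOOTH
      android.permission.BLUETOOTH_CONNECT
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.CALL_PHONE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.GET_ACCOUNTS
      android.permission.QUERY_ALL_PACKAGES
      android.permission.MANAGE_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Assumed baseline: what a thermostat controller plausibly needs (network to
# reach the device and cloud, Bluetooth for first-time setup). Anything else
# is reported as excess.
THERMOSTAT_BASELINE: Set[str] = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_CONNECT",
}

# This example's own classification of why each excess permission matters.
HIGH_RISK: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "can capture audio outside any wake-word flow",
    "android.permission.CAMERA": "can capture images and video",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS; enables a geofencing profile",
    "android.permission.READ_CONTACTS": "exposes the user's social graph",
    "android.permission.CALL_PHONE": "can place calls without the dialer UI",
    "android.permission.QUERY_ALL_PACKAGES": "inventories every installed app",
    "android.permission.GET_ACCOUNTS": "enumerates accounts on the device",
    "android.permission.MANAGE_ACCOUNTS": "can alter accounts on the device",
}


def parse_requested_permissions(dumpsys_text: str) -> List[str]:
    """Return the permissions listed under 'requested permissions:' in order."""
    perms: List[str] = []
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # The block ends at the next section header (a line ending in ':').
            if stripped.endswith(":"):
                break
            if re.fullmatch(r"[A-Za-z0-9_.]+", stripped):
                perms.append(stripped)
    return perms


def audit(perms: List[str], baseline: Set[str] = THERMOSTAT_BASELINE) -> Dict[str, List[str]]:
    """Split permissions into expected, high-risk excess and other excess."""
    report: Dict[str, List[str]] = {"expected": [], "high_risk": [], "other_excess": []}
    for p in perms:
        if p in baseline:
            report["expected"].append(p)
        elif p in HIGH_RISK:
            report["high_risk"].append(p)
        else:
            report["other_excess"].append(p)
    return report


if __name__ == "__main__":
    result = audit(parse_requested_permissions(SAMPLE_DUMPSYS))
    print(f"{len(result['expected'])} expected, {len(result['high_risk'])} high-risk, "
          f"{len(result['other_excess'])} other excess")
    for p in result["high_risk"]:
        print(f"  HIGH  {p}: {HIGH_RISK[p]}")
```

To run it against a real phone, pipe the output of `adb shell dumpsys package com.google.android.apps.chromecast.app` into `parse_requested_permissions` in place of the constructed sample. Requested permissions are only what the manifest declares; which of them are actually granted is listed separately under `install permissions:` and `runtime permissions:` in the same dump.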
What they claim: Google states: 'We do not sell your personal information to anyone.' The Nest privacy page emphasizes that Google does not monetize Nest data through sales to third parties.
What we found: The Google Home app includes Google Firebase Analytics tracker, which feeds data into Google's advertising ecosystem. The app requests ACCESS_FINE_LOCATION (precise GPS), GET_ACCOUNTS (Google account info), and READ_CONTACTS. While Google may not technically 'sell' data, it uses this data internally for its $280+ billion advertising business. The Texas AG $1.375 billion settlement specifically found Google deceived users about how it monetized location and biometric data. The distinction between 'selling data' and 'using data to sell ads' is legally and practically meaningless to the homeowner.
What they claim: Google's Nest privacy commitments state: 'We do not use environmental and activity sensor data for ad personalisation.' The policy also states video footage, audio recordings, and sensor readings are 'kept separate from advertising.'
What we found: Google explicitly admits that 'the text of' Assistant voice interactions (transcripts) MAY be used to inform interests for ad personalization. The Texas AG $1.375 billion settlement (2025) found Google collected voiceprints through Google Assistant on Nest devices without adequate disclosure and deceived users about data collection practices. The privacy commitment creates a false impression of separation when transcripts of what you say to your thermostat can feed the ad machine.
What they claim: The Nest Thermostat includes a 60GHz Project Soli radar sensor for presence detection and gesture control, plus temperature, humidity, ambient light, and proximity sensors. Google markets the Soli radar as enabling convenient features.
What we found: The 60GHz Soli radar can detect human presence, motion, and gestures through the mirror-finish front panel with no visible sensor cutouts. This radar continuously monitors occupancy patterns — when people are home, when they leave, when they return, room-level presence. Combined with phone geofencing via the Google Home app (ACCESS_FINE_LOCATION), Google builds a detailed profile of household occupancy. The Texas AG settlement confirms Google deceived users about how it tracked and monetized location data. The Black Hat 2014 research showed the thermostat's occupancy awareness makes it 'uniquely sensitive' — an attacker (or Google) learns the household schedule.
What they claim: Google's Nest privacy commitments state the company provides automatic security updates for a minimum of 5 years and independent third-party security assessments.
What we found: Two critical vulnerabilities with maximum CVSS scores of 10.0 (CVE-2023-48419, CVE-2023-6339) were found in the Nest ecosystem in December 2023, affecting devices running firmware before 2.58. The Black Hat 2014 research showed Nest thermostats had no hardware security — custom unsigned firmware could be loaded in 15 seconds via USB. Despite the 5-year security commitment, Google discontinued support for 1st and 2nd generation Nest Learning Thermostats in October 2025 while those devices continue to send data to Google servers. Security updates stop, but data collection doesn't.
What they claim: Google states that environmental sensor data (motion, temperature, humidity, occupancy) supports features like automatic thermostat adjustment and Home/Away Assist. Sensor data is collected to make the thermostat 'helpful.'
What we found: Security researcher Cody Kociemba (2025) found that early Nest Learning Thermostats continue uploading sensor data to Google even after Google discontinued all remote features, software updates, and app connectivity. Google cannot use this data to help customers since support is fully ended — yet occupancy patterns, temperature readings, and home/away schedules still flow to Google servers. This creates a one-way data pipeline that benefits Google's data collection but provides zero value to the homeowner.
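A homeowner can check for this one-way pipeline from their own router rather than rely on the vendor. The script below is an added example; it is not from the original page, from Google, or from the researcher cited above. It assumes the router exports connection records as plain text lines (timestamp, source IP, destination host, bytes sent) and reports, for a given device, every destination it still sends data to on or after a support-end date, how many bytes went there, and whether the connections arrive at regular intervals, which is what periodic telemetry looks like. The device IP, the cutoff date, the destination hostnames and the log lines are all constructed for this example.

```python
"""Flag a retired smart-home device that keeps uploading to the cloud.

Added example, not from the page, Google, or the cited researcher. Assumes a
router exports flow records as 'ISO-timestamp src-ip dst-host bytes-out' lines.
"""
import statistics
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    when: datetime
    src: str
    dst: str
    bytes_out: int


# Constructed records. 192.168.1.42 plays the thermostat; the hostnames are
# placeholders, not real Google endpoints. One record predates the cutoff.
SAMPLE_LOG = """\
2025-09-28T02:15:01 192.168.1.42 cloud.example-vendor.invalid 1822
2025-10-20T02:15:03 192.168.1.42 cloud.example-vendor.invalid 1840
2025-10-20T02:45:09 192.168.1.42 cloud.example-vendor.invalid 1792
2025-10-20T03:15:11 192.168.1.42 cloud.example-vendor.invalid 1803
2025-10-20T03:45:10 192.168.1.42 cloud.example-vendor.invalid 1811
2025-10-20T08:02:44 192.168.1.17 cdn.example-site.invalid 52310
"""

DEVICE_IP = "192.168.1.42"          # assumed address of the retired thermostat
SUPPORT_ENDED = date(2025, 10, 1)   # placeholder cutoff; use the real end-of-support date


def parse_flows(text: str) -> List[Flow]:
    """Parse one flow record per non-empty line."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def egress_report(flows: List[Flow], device_ip: str, cutoff: date) -> Dict[str, dict]:
    """Per destination: flows, bytes out, median gap, and whether it beacons.

    Only flows from device_ip dated on or after cutoff count. A destination is
    'beacon_like' when there are at least three flows and every gap between
    consecutive flows is within 10% of the median gap.
    """
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.src == device_ip and f.when.date() >= cutoff:
            by_dst[f.dst].append(f)

    report: Dict[str, dict] = {}
    for dst, fs in by_dst.items():
        fs.sort(key=lambda f: f.when)
        gaps = [(b.when - a.when).total_seconds() for a, b in zip(fs, fs[1:])]
        median_gap = statistics.median(gaps) if gaps else 0.0
        regular = len(gaps) >= 2 and all(abs(g - median_gap) <= 0.1 * median_gap for g in gaps)
        report[dst] = {
            "flows": len(fs),
            "bytes_out": sum(f.bytes_out for f in fs),
            "median_gap_s": median_gap,
            "beacon_like": regular,
        }
    return report


if __name__ == "__main__":
    for dst, info in egress_report(parse_flows(SAMPLE_LOG), DEVICE_IP, SUPPORT_ENDED).items():
        flag = "BEACON" if info["beacon_like"] else "      "
        print(f"{flag} {dst}: {info['flows']} flows, {info['bytes_out']} bytes, "
              f"median gap {info['median_gap_s']:.0f}s after {SUPPORT_ENDED}")
```

Feed it real records by exporting connection logs from the router (or from a DNS resolver that logs per-client queries) into the same four-column shape. A destination that shows up as beacon-like after the support-end date is the signature the finding above describes: regular, small uploads to a service that no longer offers the device anything in return. The remedy is at the network edge, not the device: a firewall rule that denies the thermostat's address outbound access except to the local network.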
What they claim: Google's Nest privacy page states: 'Data sharing occurs only with explicit permission from users or home members for third-party apps and services.' Google emphasizes user control over data sharing.
What we found: Google shut down the 'Works with Nest' API in August 2019, replacing it with the restrictive 'Works with Google Assistant' system. The original API let users and third parties access their own thermostat data (temperature, humidity, occupancy). The replacement is one-way: data goes in but cannot come out. Users lost the ability to export their own data or allow independent privacy auditing. Google claims user control while simultaneously eliminating the tools that enabled that control.
What they claim: Google states: 'Cameras send footage only when explicitly enabled by users.' and 'Visual indicators show active transmission.' Google emphasizes user awareness and control of recording.
What we found: The Google Assistant Privacy Class Action (class certified, covering 2016-2022 purchasers) alleges Google Nest/Home devices activate and record without intentional wake word triggers. Google admitted a software update caused speakers to record at all times. The Texas settlement confirmed Google collected voiceprints via Assistant without consent. For the Nest Thermostat specifically, the Soli radar provides continuous presence monitoring with no visible indicator on the mirror-finish display — there is no 'green light' or visual signal showing when occupancy data is being collected and transmitted.