Google says their WiFi router doesn't track which websites you visit. But the router is set up to send every website lookup to Google's own DNS servers by default. So while the router itself might not keep a list, Google's servers still see every website every device in your home tries to reach. It's like saying "I don't read your mail" while routing all your mail through a post office you run.
Google promises your WiFi data won't be used for advertising. But the app you must use to manage the router includes Google's advertising analytics tracker and requests access to your camera, microphone, contacts, phone calls, and precise location — none of which have anything to do with managing a WiFi router. Google's own privacy policy says they combine data across all their services, which directly contradicts the promise to keep WiFi data separate from ads.
What they claim: Google Nest WiFi privacy commitments state that WiFi network data is kept "separate from advertising and is not used for ad personalization." Google further claims WiFi data will only be shared with third parties with explicit permission.
What we found: The Google Home app (com.google.android.apps.chromecast.app) includes the Google Firebase Analytics tracker, which feeds into Google's advertising analytics infrastructure. The app requests CAMERA, RECORD_AUDIO, READ_CONTACTS, CALL_PHONE, GET_ACCOUNTS, and ACCESS_FINE_LOCATION — permissions that go far beyond WiFi router management. GET_ACCOUNTS accesses all Google accounts on the device, linking WiFi network data to the user's broader Google identity. Google's own privacy policy states it combines data across services, so the claim of keeping WiFi data "separate from advertising" is contradicted by its own data combination practices.
What they claim: CVE-2023-6339 (CVSS 10.0): Root code execution and user data compromise on Google Nest WiFi Pro due to missing encryption of sensitive data (CWE-311). An attacker can gain root-level control of the router and access all network traffic.
What we found: Google Nest privacy commitments claim devices have "built-in security" and state network data is protected. However, CVE-2023-6339 revealed the router stored sensitive data without encryption, allowing root code execution with maximum CVSS severity (10.0). For a device that IS the network — through which ALL household internet traffic flows — this means an attacker could intercept every packet for every device in the home. Google's $391.5 million location tracking settlement (2022) demonstrates a pattern of security/privacy claims not matching actual implementation. The router received automatic OTA patches, but users had no way to verify the vulnerability was present or that the patch was applied.
What they claim: The Google Home app requests CAMERA, RECORD_AUDIO, READ_CONTACTS, CALL_PHONE, GET_ACCOUNTS, and WRITE_EXTERNAL_STORAGE permissions — permissions typically associated with cameras, phones, and social apps.
What we found: The Nest WiFi Pro is a WiFi router with no camera, no microphone, and no phone functionality. Its hardware consists of a Qualcomm IPQ5018 SoC, WiFi radios (2.4/5/6 GHz), BLE, and Thread. There is no hardware basis for CAMERA, RECORD_AUDIO, READ_CONTACTS, or CALL_PHONE permissions. The Google Home app bundles permissions for the entire Nest ecosystem (speakers, cameras, doorbells) into a single app, meaning WiFi router users are forced to grant surveillance-capable permissions even though their router cannot use them. This over-permissioning creates unnecessary attack surface — if the app is compromised, attackers gain access to camera, microphone, and contacts despite the user only owning a router.
What they claim: CVE-2023-48419 (CVSS 10.0): WiFi proximity eavesdropping vulnerability allowing attackers within WiFi range to spy on Google Home/Nest devices, resulting in elevation of privilege.
What we found: The Nest WiFi Pro shares the Google Home ecosystem and unified app with affected devices (Nest Audio, Nest Mini, Home Mini). In a household with multiple Google Nest devices — which Google actively encourages — a compromised Nest speaker on the same network provides a lateral attack vector to the router. The router handles ALL internet traffic, so compromise of any device in the ecosystem could cascade to network-wide surveillance. Google's security bulletins document ongoing vulnerabilities published quarterly (March, June, September, December 2024, March 2026), indicating continuous security issues in the Nest ecosystem. The shared Google Home app and account create a single point of failure for the entire smart home.
What they claim: The Google Home app includes QUERY_ALL_PACKAGES permission, which allows the app to see every other app installed on the user's phone.
What we found: QUERY_ALL_PACKAGES lets the Google Home app enumerate all installed applications on the Android device. For a WiFi router companion app, there is no legitimate need to know what other apps the user has installed. Combined with Google's cross-service data combination and the 2022 $391.5 million location tracking settlement showing Google's willingness to collect data beyond stated purposes, this permission enables Google to build a complete software profile of the user's device on top of the hardware profile already collected by the router's device identification feature.
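
The permission findings above can be reproduced from a manifest dump. The following is an added example, not code from the report or from Google: it parses text in the style of `aapt dump permissions` output and groups the requested permissions into review buckets. The bucket names, the bucket membership (taken from this page's findings) and the sample dump are assumptions of the example.

```python
import re

# Constructed sample (aapt-style): permissions named on this page, plus INTERNET as filler.
SAMPLE_DUMP = """\
package: com.google.android.apps.chromecast.app
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.INTERNET'
"""

# Hypothetical review buckets built from this page's findings, not an Android classification.
BUCKETS = {
    "no_hardware_basis": {"CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "CALL_PHONE"},
    "identity_or_location": {"GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "device_profiling": {"QUERY_ALL_PACKAGES"},
}

# Accepts `uses-permission: name='X'`, `uses-permission-sdk-23: ...` and the older bare form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?", re.M)


def parse_permissions(dump: str) -> list[str]:
    """Return short permission names in first-seen order, de-duplicated."""
    shorts = (full.rsplit(".", 1)[-1] for full in PERM_RE.findall(dump))
    return list(dict.fromkeys(shorts))


def audit(dump: str) -> dict[str, list[str]]:
    """Group requested permissions into the review buckets; the rest are 'unflagged'."""
    report = {name: [] for name in BUCKETS}
    report["unflagged"] = []
    for perm in parse_permissions(dump):
        bucket = next((b for b, members in BUCKETS.items() if perm in members), "unflagged")
        report[bucket].append(perm)
    return report


if __name__ == "__main__":
    for bucket, perms in audit(SAMPLE_DUMP).items():
        print(f"{bucket:22} {', '.join(perms) or '-'}")
```

To audit a real APK, replace `SAMPLE_DUMP` with the text produced by running `aapt dump permissions` on the package.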
What they claim: The Nest WiFi Pro's cloud services collect a complete inventory of every device connected to the network, including device brand, type, manufacturer, and per-device bandwidth usage data.
What we found: The Google Home app (with GET_ACCOUNTS and ACCESS_FINE_LOCATION permissions) links this complete household device inventory to the user's Google identity. Combined with Google's cross-service data combination policy, Google can correlate: which devices you own (from the router), your search history (from Google Search), your viewing habits (from YouTube), your location history (from Maps), your communications (from Gmail), and your app usage (from Android). The router's device identification creates a detailed hardware profile of the household that enhances Google's existing data profile in ways not disclosed in Nest WiFi-specific privacy pages.
What they claim: Google Nest WiFi privacy page states: "Google Wifi and Nest Wifi devices don't track the websites you visit or collect the content of any traffic on your network." Google safety page reiterates: "do not track the websites you visit, nor do they monitor the content of traffic on your Wi-Fi network."
What we found: The Nest WiFi Pro defaults DNS to Google Public DNS (8.8.8.8/8.8.4.4), routing every domain name lookup for every device in the household through Google's servers. While the router itself may not "track" websites, Google as a company receives a complete log of every domain every device resolves. Google Public DNS handles the DNS queries — meaning Google knows every website visited by every device on the network. The claim of not tracking websites is technically narrow: the router hardware doesn't log URLs, but Google's DNS infrastructure receives the same information by default.
What they claim: Google's Nest privacy commitments state: "We'll only share WiFi network performance data from Google Wifi devices with third-party apps and services if you or a manager of your Wi-Fi network gives permission."
What we found: Google's own Privacy Policy (applicable to all Nest products) states it combines data across all Google services. In 2022, 40 US state attorneys general secured a $391.5 million settlement after proving Google continued tracking users' locations even after they disabled Location History. The Google Home app requires ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION permissions. A home WiFi router inherently reveals home location. Google's track record of privacy claim violations (2012 FTC fine for Safari privacy misrepresentation, 2019 YouTube COPPA violation, 2022 location tracking settlement) demonstrates a pattern where stated privacy commitments are not followed in practice.
What they claim: The Nest WiFi Pro acts as a Thread border router, meaning all Thread/Matter smart home devices in the household route their commands through this device.
What we found: Google's privacy commitments focus on what the WiFi router itself collects from network traffic. But as a Thread border router, the Nest WiFi Pro also mediates commands between Thread smart home devices (smart locks, sensors, lights from any manufacturer) and the internet. This means Google can observe smart home commands sent to non-Google devices — when you lock your door, adjust your non-Google thermostat, or trigger your non-Google security system. None of Google's Nest WiFi privacy disclosures mention Thread border router data collection or what happens to smart home command data that passes through the device.
What they claim: Google's privacy page states users can manage data collection via "Cloud services" and "WiFi point stats" settings in the Google Home app.
What we found: The Nest WiFi Pro receives mandatory automatic firmware updates with no user opt-out. Users cannot review, reject, or defer updates — Google can remotely modify router behavior at any time. There is no local-only administration option; the Google Home app (cloud-dependent) is required for all management. While Google presents privacy controls in the app, the fundamental architecture means Google retains the ability to change what data is collected at any time through firmware updates. The user's privacy "choices" exist only at Google's discretion and can be modified without user consent or knowledge through OTA updates.