Upon 2020

Nest responds to my privacy questions

I had asked Nest/Google support some privacy-related questions about their thermostat. Here is their response (minus the customer service “Your question is important to us” fluff which I deleted). Hotlinks and slightly strange grammar in the original. I’ll analyze it below:

Here’s an excellent read on your Privacy Statement. This will tell you all of the information that’s shared.

There are learning features on the Nest Learning Thermostat that are used in order for the Nest Thermostat to collect data. This takes your preferences and schedule and programs itself so you don’t have to adjust the Nest manually.
Although, you can always turn off these features to use the the Nest manually.

At this time updates will be pushed through when you’re connected to Wi-Fi. Typically customers will not be notified since most updates are small patches to fix bugs. In case there is a heavy update like the 4.3 you’ll be notified.
The only option to opt out as of now is to be disconnected from Wi-Fi.

Question #1. I asked “which information does it send to Google or anybody else, under which circumstances”, and they say the privacy statement tells me. Here is what it says.

(Note that generally, Privacy Policies are not enforceable. In other words, they can say one thing and do the opposite, but nobody can sue them over it. So take the policy for what it is worth.)

  • They are very unclear which information they collect stays on the thermostat itself, and which ends up on Google servers. For example, the privacy policy phrases it as “The Nest Learning Thermostat collects” which to me would imply that the information stays on the device, but then, this information is also available through nest.com, and they say below that they share in aggregate with third parties, which implies that it was sent off to Google servers. So it seems we need to interpret “The Nest Learning Thermostat” as “the device itself plus our cloud”.
  • This distinction is important because as soon as personal information is on Google’s servers, it is subject to a lot less legal privacy protections than if it resided in my home.
  • It is unclear whether the “Nest Learning Thermostat algorithms” run entirely on the device, or on Google’s cloud.
  • They are clear that they “record” certain information whenever they decide is the right time to do so, including “every time your system turns on and off”, as well as all data from all sensors.
  • They seem to have fairly strong rules access to the data by third parties, which is good.
  • They use the information “to provide, develop and improve Nest Products and services, including information and recommendations about your products or energy use.” This seems to be largely a catch-all for “we can use it for anything internally”, including advertising as long as it is somehow related to products they know I have. It’s unclear whether that is Nest products or Google products.
  • They share aggregated information with all sorts of third parties, with the assumption that that makes it anonymous. It’s not very specific what they mean with that, and so we have to assume it can be de-anonymized.
  • They take information outside of the country.
  • They hand over your information to whatever government agency asks as long as they believe the laws of the land of the country in question requires them to do so.
  • The previous two items together seem to make it possible for one government to get its hands on data collected in another country (depending on the particular countries and their laws in question).
  • They store personal information indefinitely and never delete it as long as you are a customer. The privacy statement isn’t entirely clear whether they immediately delete it afterwards, or how they decide you’re not a customer any more.
  • Apparently you can delete the information they have about you by resetting the device, and through their website.

Question #2: I asked “how to disable such sharing”. While the second link in the response talks about how to turn off the “learning” part, it does not talk about disabling sharing at all. This part of their response seems (intentionally? unintentionally?) unrelated to my questions. Apparently the only option is to turn off WiFi. Either way, the answer seems to be: As long as you use WiFi, you cannot turn off data collection by Nest/Google.

Question #3: I asked how to be notified when anything substantial in the code or the terms changed. Apparently they notify customers of big code changes. They did not address terms of service changes or privacy policy changes.

In summary: They collect every piece of data the thermostat can get its hands on, store it indefinitely (unless I stop being a Nest/Google(?) customer), use it for whatever (internal) purpose they want, share it in aggregate with third parties, hand it over to governments, and I cannot limit such sharing.

Sort of what I thought.

P.S. If you think I misinterpreted any of the above, I welcome corrections in the comments.

Johannes Ernst

, ,
,

10 responses to “Nest responds to my privacy questions”

  1. You mention “Privacy Policies are not enforceable” and this really surprises me. What is the point of a Privacy policy then? I would agree that not many people read them as figures usually hover between 2 and 5%, depending on the country and sector type but still, my stance is that is you push something out publicly, you should make damn sure you indeed abide by this.
    A typical example is Yelp who got fined for not complying with COPPA: http://www.ftc.gov/news-events/press-releases/2014/09/yelp-tinyco-settle-ftc-charges-their-apps-improperly-collected
    Of course, there’s just so much the likes of the FTC or EU data protection agencies like the ICO, French CNIL or even Spanish AEPD go after but stating that PP are not enforceable comes as a surprise. Could you tell me what was your thinking behind this is, please?

    Also, you talk about government access to data.
    This is what I understand so far of US National Security legislation: the 4th amendment protects mainly US citizens from giving access to data without some form of judiciary approval. This might comes in the form of a subpoena, warrant, D Order, Pen/Trap Order or Wiretap Order.
    The problem is that this applies to mainly US citizens (and “aliens” who might have some kind of ties with the US: very vague and evolving legal jargon) but for the majority of the world population, we are considered “aliens” and are not protected by at least the 4th Amendment. Add to that the fact that about 80% of Internet traffic flows through the US, and I can imagine Nest data is on US soil, and indeed, data could be shared by Google with the US government without any form of legal protection.
    More about this and ECPA here: http://digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

    Having said that, and for as much as I have a love and hate relationship with Google, they are probably being more careful with what data they are sharing than for example back in 2003, at least I hope so as they have started reporting on it: http://www.google.com/transparencyreport/userdatarequests/?metric=targets.

    • A “privacy policy” is just that: a policy that the company has adopted. Like the policy of giving tours 10-12 on Saturday mornings. If you show up on a Saturday morning, and there is no tour, you can fume at the company, but you cannot sue them. Complying with COPPA or any other legislation is something entirely different.
      I agree that collected data about non-“US Persons” seems to be entirely open for sharing with the US government. And, of course, the entire architecture of putting private data on somebody else’s servers (I call it the Overlord Architecture) lets any government get access on all that data about their own citizens without trouble if they pass appropriate legislation, which I would guess many (non-Western) countries in the world have.