How Nest breached the Privacy Act

Nest Guard

Google’s recent announcement that it was updating its Nest Guard so it now uses its virtual-assistant technology, resulted in a huge backlash for Google.

Google recently announced that it was updating its Nest Guard (a product that is the alarm, keypad and motion-sensor component) so it now uses its virtual-assistant technology, Google Assistant. Virtual-assistant technology often requires microphones in order to hear spoken commands. There are many companies who could release this statement and the upgrade would be welcomed. Instead, Google received a huge backlash.

What went wrong?

Google never informed consumers that there was an in-built microphone in its Nest Guard product in the first place. It was never listed in the specifications on its website.

This raises serious privacy concerns for consumers. What else had Google been hiding? What other Nest products had in-built microphones that were never disclosed?

It is possible that either Google or a malicious actor who managed to compromise a Net Guard product could have been using the microphone to listen in on any conversations taking place within audible range. This is potentially a huge breach of privacy. Consumers needed to know that the microphone was in place and could potentially be used in order to opt-out of its use, or to verify the configuration to ensure that it had not been inadvertently enabled.

In order to protect individuals’ privacy, the New Zealand Privacy Act 1993 contains 12 principles that agencies (any organisation) must follow when collecting personal information from individuals.

The following are the main principles of the New Zealand Privacy Act that Google breached regarding the “hidden” microphone and how it is remediating its actions.

Principle One: Purpose of Collection – Personal information must not be collected unless it is for a lawful purpose and it is necessary to collect the information for that purpose.

Google claims the microphone was never turned on and never collected information. Google explained when Google Assistant is implemented and enabled, the microphone will collect sounds to enable sound sensing features like voice-activating the alarm system and for future uses may be able to detect glass breaking in the event of an intruder breaking into a house. It has not yet updated its privacy statement regarding Nest Guard on what information it collects, how it is processed and if it is stored.

Principle Two: Agency must make individuals aware that their personal information is being collected, the purpose of its collection, whether it is voluntary or mandatory to provide it, the consequences of not providing it and their rights to access and correct the information collected and held about themselves.

Before the announcement, Google never informed consumers that there was an in-built microphone in the first place. It was never listed in the specs on its website. This apparently was an “error” on its part. Google has adjusted the website so the microphone is now listed in the Nest Guard specs, disclosed the purpose of collecting sounds in a statement and informed consumers that this is an opt-in feature. However, opting out means certain voice/sound activating features requiring the microphone to be enabled would be unavailable. Google has also provided instructions on how to enable and disable the microphone.

Principle Three: Personal information must not be collected using unlawful or unfair methods and must not intrude unreasonably on the personal affairs of the individual concerned.

Google asserts that the microphone has never been on and is now only activated when users specifically enable it. Google also clarified that the microphone is only enabled once you say one of the two required phrases, “Ok Google” or “Hey Google”.  However, collecting personal information from consumers through conversations is reasonably intrusive and the fact that consumers were not informed makes it unfair and unlawful.

Google could have avoided the negative publicity and the attention of the USA Congress around its Nest Guard and behaved according to its tag line “You can make money without doing evil”  by ensuring that it was fully transparent about the device capability when it was first released.

You can check out the following links for more about Nest Guard.

If you have questions about what you need to do to ensure compliance with the NZ Privacy Act, GDPR or other privacy regulations, please contact Axenic or call 04 4998012.

References

Googles announcement that triggered the discussion.

https://9to5google.com/2019/02/04/nest-secure-google-assistant/

Nest Guard Specs

https://nest.com/support/article/About-Nest-Guard

https://nest.com/alarm-system/tech-specs/

Nest Privacy Statement

https://nest.com/legal/privacy-statement-for-nest-products-and-services/#protect-internationally

Congress letter to Google CEO

https://www.forbes.com/sites/paullamkin/2019/02/28/congress-demands-answers-from-google-over-nest-microphone-blunder/#3a73daaa4c12

Commentary

https://www.businessinsider.com.au/nest-microphone-was-never-supposed-to-be-a-secret-2019-2

https://www.businessinsider.com.au/google-nest-products-with-microphones-2019-2?r=US&IR=T

https://www.theverge.com/circuitbreaker/2019/2/20/18232960/google-nest-secure-microphone-google-assistant-built-in-security-privacy

https://hothardware.com/news/google-put-microphone-nest-secure-didnt-tell-anyone

https://www.independent.co.uk/life-style/gadgets-and-tech/news/google-nest-hidden-microphone-alarm-system-a8788741.html