
Google Confirms Creepy New Privacy Problem – Forbes


Google recently published a pretty clear declaration of how committed it is to privacy in the home. “Your home is a special place. It’s where you get to decide who you invite in,” the Google document states, adding that people want to trust the things they bring into their homes before insisting, “we’re committed to earning that trust.” Unfortunately, that trust was eroded a little this week when it emerged that owners of the popular Google Nest Cam Indoor home security camera could be spied upon in their own home.

The Nest spycam problem came to light when the gadget site Wirecutter published a report on how someone sold his Nest Cam Indoor and then discovered that he was “still able to access images from his old camera.” This despite having done the recommended thing and reset the device before selling it. As it turns out, while resetting the camera meant the new owner couldn’t spy on the old one, it didn’t work when the roles were reversed.

Wirecutter staff put this to the test using a decommissioned Google Nest Cam Indoor device and found they could, indeed, view a “series of still images snapped every several seconds” on that cam. The cam in question had been signed up to a Nest Aware account and linked to a Wink smart-home hub. Even though the Nest instructions for factory resetting the device were followed and there was no access to the live stream using either the desktop or mobile app, nor indeed the Wink app as the camera was no longer online, things got creepy when the Wirecutter reporter created a new Nest account on a new Android device. “Going back to our Wink app,” the report states, “we were also able to view a stream of still images from the Nest cam, despite it being associated with a new Nest account.”

It’s an odd and, as I’ve already said, very creepy privacy problem this one. From what I can tell it would appear to be tied up with the Google Nest Cam Indoor not having a hardware factory reset button, the “poke in the hole with a paper clip” type of option we are all used to, and instead relying upon that somewhat convoluted device removal from the Nest account process. A process that, as the Wirecutter report revealed, didn’t reach as far as the Wink smart-home hub account.

I have always advised the seller of any such smart devices to factory reset them before sale or disposal so as to protect their own data privacy, be that an Alexa smart speaker or a home security camera. I give the same advice to purchasers of secondhand kit as the factory reset gives you a clean base from which to start and can often prevent any technical hiccups that might otherwise cause problems during setup and usage. There’s some great general advice regarding smart devices in the home from the National Cyber Security Center. However, I have never really considered that such a device could allow a previous owner to access streamed images from a new installation. That’s as scary as it is incredible.

Google has, in fairness, fixed the issue with the Nest Cam Indoor it would appear. In a statement a Google representative said:

“We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest. We’ve since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there’s no need to take any action.”

Google has also stated, in that privacy document I referenced earlier, that it wants you, your family and your guests to “feel comfortable using these devices and services, since their purpose is to help and to provide peace of mind.” The trouble is that whenever you bring a “smart” device into your home, one with a microphone or camera for sure, then the opportunity is always there for your peace of mind to be far from peaceful when it comes to privacy issues, as this case demonstrates.

The trust issue becomes a harder sell as far as I am concerned when previous incidents such as the Nest Guard security alarm having a hidden microphone come to light. It might also be a hard sell for loyal Nest customers in the light of Google parent company Alphabet merging Nest with the Google hardware team rather than it being a standalone company as it was following the 2014 acquisition. As Ars Technica reports, “New Nest users will be required to use a Google account. Migrating to a Google Account means turning all your Nest data over to Google - data that previously had been kept separate.”

Which is why that Google Nest privacy document has been published in an attempt to calm privacy fears about what Google will be doing with all that camera and microphone data. I was reassured by that document, by the way it was pretty straightforward in what it said and how Google seemed to be taking ownership of the privacy issue. Not that I am a Nest user, I hasten to add, but if I were then the fact Google acted so quickly in shutting down this Nest Cam Indoor spying bug is also reassuring. Less so that it existed in the first place and had not been discovered despite Alphabet having ownership of Nest since 2014.

I get the distinct impression that Google is in reputational firefighting mode here, and that’s no bad thing. A better thing would be a statement informing me, and all users of these products, that Google is engaging in a full security investigation of these “smart” devices and will make the findings and any consequent resolutions public. Do that, Google, and you will have gone further down the path towards gaining my trust…


