Account Security Lockdown

Don't let another minute pass unsecured

Google-Nest merger reawakens privacy worries

Four years ago, Google paid $3.2 billion for Nest, a fancy smart-home thermostat and smoke alarm maker.

Privacy advocates found this a daunting marriage, but Google wound up running the business at arm’s length, over in its Alphabet division.

Nest co-founder and former CEO Tony Fadell told the BBC at the time of the acquisition that consumers could relax. Nest data wouldn’t be mixed with all the other information Google gathers:

When you work with Nest and use Nest products, that data does not go into the greater Google or any of [its] other business units. We have a certain set of terms and policies and things that are governed. So, just when you say we may be owned by Google, it doesn’t mean that the data is open to everyone inside the company or even any other business group – and vice versa. We have to be very clear on that.

Whew! What a relief, eh?

After all, on the one hand, we had Google, with its already vast knowledge of us. On the other hand, there was Nest, maker of Internet of Things (IoT) thermostats that learn, tracking customers’ daily usage to automatically set heating and cooling temperatures, and of smoke alarms that communicate via Wi-Fi with the company’s other devices or with your smartphone or tablet to send smoke or carbon monoxide alarms.

Put them together, and what do you get? Google’s hardware entrance into the IoT. Such a merger could have meant that Big Google Brother would be able to know even more intimate things about us than it already did at the time, such as whether we were home or not. Then, it easily could have connected that information with our mobile phone data to form ever-more-deep portraits of us for ever-more-targeted advertising or other profit-rich ventures.

Well, it turns out that Fadell’s “let’s be clear on that” promises on data privacy have gotten a bit muddy.

After two years of the thermostat company doing lukewarm on profits, Google trying to sell it in 2016, and Alphabet’s reporting “meh!” fourth-quarter earnings earlier this month, Nest and Alphabet last week announced that the Nest and Google Hardware teams would be smushed back together.

The goal is to “supercharge Nest’s mission,” Nest CEO Marwan Fawaz said. That mission is to “create a more thoughtful home, one that takes care of the people inside it and the world around it.”

By working together, we’ll continue to combine hardware, software and services to create a home that’s safer, friendlier to the environment, smarter and even helps you save money – built with Google’s artificial intelligence and the Assistant at the core.

Yes, Google wants your home to be thoughtful, as in, your home will be thinking about you, and it will have artificial intelligence (AI) to power all that thinky-think data crunching.

Why is that worrisome from a privacy perspective?

The BBC talked to Silkie Carlo, director of the Big Brother Watch campaign group, who said that the merger will expand “Google’s monopoly on personal data.”

Google already harvests an incredible amount of detailed information about millions of internet users around the globe. Now, Google is becoming embedded in the home, through ‘smart’ soft surveillance products.

Adding data from Nest’s home sensors and security cameras will significantly expand Google’s monopoly on personal data. Many customers will be justifiably anxious about Google’s growing, centralized trove, especially given that its business model relies on data exploitation.

At the time of the acquisition, privacy advocates worried about what would happen to Nest’s user data afterwards. Pre-acquisition, it was handled by Amazon Web Services – would Google move the data onto its Compute Engine public cloud to do heaven knows what with?

And since then, Nest has added yet more products, which means the sources for its data have increased. It’s moved beyond its initial products – smart thermostats and smoke detectors that use motion detection to know when owners are at home – and added security webcams for inside and outside the home, as well as a camera-equipped doorbell. On top of all that, Nest’s app can be set to gather data from other IoT products, including lights, appliances, fitness trackers, cars, and even sensor-equipped beds, to help “save energy, get comfortable and stay safe”.

Are you comfortable with Google knowing how you sleep? How many steps you take? When the BBC asked Google if it intended to honor Fadell’s stated commitment to keeping Nest data out of Google’s maw, the company provided this statement:

Nest users’ data will continue to be used for the limited purposes described in our privacy statement like providing, developing, and improving Nest services and products. As we develop future plans and future product integrations, we will be transparent with users about the benefits of those integrations, any changes to the handling of data, and the choices available to consumers in connection with those changes.

Nest’s current privacy statement asserts that it will provide notice of any changes on its website or by contacting customers directly.

On earnings calls, Google lists Nest as one of its few “Other Bets” division: one that generates considerable revenue, alongside healthcare company Verily and internet service Fiber.

But now, it’s no longer an “Other Bet.” It’s just another piece of Google.

Unfortunately, it’s a part of Google that has a history of security vulnerability. Last March, security researcher Jason Doyle found a vulnerability in Google’s Nest Cam, Dropcam and Dropcam Pro that could be exploited by a burglar within Bluetooth range of your house.

Let’s hope that Google’s merger with Nest means less security holes in IoT products. Can we get there without customer data privacy being lost?

It would be nice to think so, but c’mon – we’re talking about Google, the data gobbler. What do you think will happen?

The BBC quoted Ben Wood from the CCS Insight consultancy:

It would be naive to expect that as Nest is folded into the bigger Google entity, that there aren’t efforts to bring its platforms and all of the intelligence together. It will be positioned as enhancing the products, but for some customers that may be something that they feel uncomfortable about.

Follow @LisaVaas

Follow @NakedSecurity

Original Source: nakedsecurity.sophos.com

Account Security Lockdown Course
Updated: February 12, 2018 — 1:13 pm

Leave a Reply

Your email address will not be published. Required fields are marked *

EmailSecurityOptions.com © 2017