Security researcher Cody Kociemba has uncovered that Google continues to collect detailed data from first- and second-generation Nest Learning Thermostats, even after officially ending support for these devices and disabling remote control capabilities. While Google turned off access to remotely control the thermostats, Kociemba found that the devices are still uploading logs containing information about temperature changes, motion detection, and ambient light levels.
Kociemba made the discovery while working on a project to restore smart functionality to unsupported Nest devices through an open-source initiative developed under a right-to-repair bounty program led by FULU, a nonprofit organization co-founded by electronics repair expert Louis Rossmann. The project, known as the “No Longer Evil” initiative, aimed to give users greater control over their devices by creating custom software to bypass manufacturer restrictions. However, during his work, Kociemba inadvertently uncovered that the old Nest thermostats were still transmitting a wealth of data to Google’s servers, including details about user behavior and environmental conditions.
“On these devices, while they [Google] turned off access to remotely control them, they did leave in the ability for the devices to upload logs. And the logs are pretty extensive,” Kociemba told The Verge. “I was under the impression that the Google connection would be severed along with the remote functionality, however that connection is not severed, and instead is a one-way street,” he added. This means that even after users no longer have control over their Nest thermostats, the devices continue to gather and send data back to Google’s servers, potentially raising privacy concerns for consumers.
The controversy highlights the ongoing debate over data privacy in the smart home industry. While Google maintains that all data collected is used to improve user experience and system performance, critics argue that the continued collection of data without user consent, especially when devices are no longer supported, represents a significant privacy risk. The incident also underscores the importance of transparency and user control in the design of connected devices, as well as the role of right-to-repair initiatives in empowering consumers to manage their own data and device usage.