EPIC demand: It's time for Google to fly the Nest after 'forgetting' to mention home alarm hub has built-in mic

Ad giant must divorce IoT subsidiary, privacy warriors tell sleepy watchdog

Following Google's acknowledgement that it made a mistake by failing to mention that its Nest Guard alarm hub includes a microphone, the Electronic Privacy Information Center (EPIC) has asked the US Federal Trade Commission (FTC) to force the ad biz to sell its Nest division and surrender data snarfed from Nest customers.

The advocacy group, in a statement, observes, "It is a federal crime to intercept private communications or to plant a listening device in a private residence."

In a letter addressed to FTC chairman Joe Simons and the other commissioners, EPIC president Marc Rotenberg and EPIC consumer protection counsel Christine Bannan recall that their advocacy group in 2014 chided the federal watchdog agency for failing to address privacy concerns arising from Google's Nest acquisition.

The two privacy advocates argue the FTC should have conducted a more rigorous review before allowing Google to acquire Nest and suggest the proper course is to break the two apart.

"The FTC should now commence an enforcement action against Google with the aim of divesting the company of Nest and requiring also that Google disgorge the data it wrongfully obtained from Nest customers," the letter says.

Recalling Google's most infamous privacy misstep – failing to notice and nix an engineer's plan to run Wi-Fi data harvesting code in its Street View cars between May 2007 and May 2010 – Rotenberg and Bannan muse that it's unclear whether Google, hackers, or others may have activated the undisclosed mics to listen in on consumers.

No one has made such a claim, and it wouldn't be easy to active the mic since there's no public API for it. The same possibility exists for all the known mics in consumer environments, on phones and network-connected speakers, but perhaps a Nest Guard eavesdropping scenario is worth worrying about.


Secret mic in Nest gear wasn't supposed to be a secret, says Google, we just forgot to tell anyone


The Register asked Google whether it knew if any Nest microphones had been activated prior to the company's announcement of their existence and whether the company could confirm that no audio data was collected during that dormant period.

Google claims that the mics were never used prior to disclosure, which would preclude the possibility of covert data collection.

"The on-device microphone was never intended to be a secret and should have been listed in the tech specs," a company spokesperson said in an email. "That was an error on our part. The microphone has never been on and is only activated when users specifically enable the option."

Google's spokesperson added, "Security systems often use microphones to provide features that rely on sound sensing. We included the mic on the device so that we can potentially offer additional features to our users in the future, such as the ability to detect broken glass."

The FTC has a long history of inconsequential privacy punishments for tech companies. Scott Cleland, a consultant with telecom clients who has lobbied against Google for years, makes that claim in a public comment filed with the agency last year.

Pointing to 17 questionable Google business practices over the past 15 years, he observes, "the FTC has not deterred Google from serial unfair and deceptive practices via multiple services, involving multiple technologies, in multiple ways, repeatedly, over a fifteen-year period."

What's more, it's surprising EPIC would pin its hopes on the agency after Rotenberg last year lamented that the FTC appeared to be unwilling to bring legal action against either Facebook or Google to enforce privacy settlements.

Nonetheless, the FTC, perhaps emboldened by the persistent regulatory friction felt by Facebook and Google in the US and EU throughout 2018, in November called attention to its "unwavering commitment to protecting consumers’ privacy while promoting competition and innovation" and urged Congress to clarify its authority. With a longer leash, perhaps the FTC could herd errant tech firms more effectively.

The problem the agency faces with regard to that mission statement is that among the internet's ad giants, innovation has come to mean novel ways to bypass privacy. ®

Broader topics

Other stories you might like

  • Robotics and 5G to spur growth of SoC industry – report
    Big OEMs hogging production and COVID causing supply issues

    The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. 

    Chances are good that there's an SoC-powered device within arm's reach of you: the tiny integrated circuits contain everything needed for a basic computer, leading to their proliferation in mobile, IoT and smart devices. 

    The report predicting the growth comes from advisory biz Technavio, which looked at a long list of companies in the SoC market. Vendors it analyzed include Apple, Broadcom, Intel, Nvidia, TSMC, Toshiba, and more. The company predicts that much of the growth between now and 2026 will stem primarily from robotics and 5G. 

    Continue reading
  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading

Biting the hand that feeds IT © 1998–2022