Connected Device Privacy

So Google bought Nest. This seems like a big deal, and maybe it is. It's too early to tell.

I was listening to John Siracusa in a recent ATP episode talking about how the privacy concern with Google adding the Nest data to the collection of data they collect on all their users isn't that Google is going to do something evil with this information. John's take is that Google really does have the best intentions for this data, and that the real danger is that with all this information in one place, it becomes a valuable target.

I was thinking something similar recently regarding the nest. The data from your thermostat, be it Nest or any other connected thermostat, is probably the best signal to a criminal that your home is a good target for robbery.

I live in Canada, and in a cold climate, one of the biggest uses for the Nest would be to turn the temperature down when nobody is at home, or at night when people are sleeping. The Nest uses motion sensing and learning algorithms to figure out when it's a good time to turn down the temperature, and the user can also feed this data in to the system using various APIs. In a nutshell, the Nest knows when you're not at home.

Your phone may also know when you're not at home, but what your phone doesn't know is if your house is empty. There may be other people sharing your house; you may have a house-sitter if you're away. There are plenty of scenarios where all the GPS-enabled phones in the house may be out of the home, but the house is still occupied.

But if the temperature is lowered, and stays lowered, you have a much stronger signal that nobody is home. And if the temperature is at 15 degrees celsius and the thermostat is set to keep that temperature for a few days, you have a very strong signal that nobody's going to be home for a few days. The perfect target for a robbery.

Not only that, but you know the home has a Nest, which means they spend money on expensive toys.

The risk of this data becoming available for criminals is probably actually lessened by Google buying Nest. Google has a very strong track record regarding leaks of user data. I can't think of a time when a security hole has led to Google leaking user data, and they have a lot of it to leak, and a lot of API through which this sort of hole could be found. They're doing a good job keeping your information secure.

But I think the risk of someone inside Google "going rogue" and acting as a gateway for this information, either selling it, or acting as a mole for some organization, is much higher. There are a lot of people who would want the data that Google has.

Realistically, though, what can we do about this?

There’s a lot of benefit to these devices operating in a connected manner, and interoperating with the other devices we own.  I don’t think it’s practical to suggest that the data stays in the home; the logistics just make that unworkable for most people.

I don’t trust that Sony’s “Smart TV” data will remain secure.  As far as I can tell the firmware in my Sony TV, which connects to the Internet and does who knows what online, has never received a security update.  A connected device is a computer on the network, and needs the same level of security awareness as any other.  While I’m not sure about Nest, I know that I don’t trust Sony to do this job well (or most of the other TV manufacturers - I’m not just picking on Sony).  But I do trust Google to keep my Nest secure.

I would understand, however, if one decided that the benefits of having this information leave the home weren’t worth the risk.