Google is still collecting data from obsolete thermostats
What's the story
Google is collecting data from downgraded Nest Learning Thermostats, despite disabling their remote control feature last month. The revelation was made by security researcher Cody Kociemba during a bounty program organized by FULU, an advocacy group for right-to-repair. Kociemba discovered that first- and second-generation Nest Learning Thermostats continue to send Google information about manual temperature changes, occupancy status in the room, and sunlight exposure on the device among other things.
Bounty challenge
Kociemba's discovery during FULU's bounty program
The discovery was made while Kociemba participated in a bounty challenge set by FULU, co-founded by Louis Rossmann. The challenge encouraged developers to find a way to restore smart functionality to Nest devices that Google no longer supported. Kociemba responded with his open-source project called No Longer Evil, which cloned Google's API and created custom software for the task.
Data logs
Google's continued data collection from downgraded devices
While developing this custom software, Kociemba received a large amount of logs from customer devices. He said that even though Google disabled remote control access on these devices, it still left the capability for them to upload logs. "And the logs are pretty extensive," he told The Verge. This means that despite losing remote control capabilities and access to device status via Nest or Google Home apps, these downgraded devices still send a lot of information back to Google.
Data usage
Google's stance on unsupported devices
Google has said that unsupported devices "will continue to report logs for issue diagnostics." However, Kociemba noted that the data being collected is no longer useful. He explained that while these logs may contain technical information like HVAC error states, Google can't use it to help customers still using those thermostats as support has been completely cut off even in case of device failures.
Collection
Data collection a one-way street
Google continues to receive all the information collected by Nest Learning Thermostats, including data from their sensors like temperature, humidity, light exposure, and motion detection. Kociemba was surprised that the Google connection wasn't severed with the remote functionality. He said it was a one-way street where data flows to Google but not back to users.