At Nest, we take your privacy seriously and we protect your data. We don’t transmit unencrypted personal data from your Nest products over the Internet. Articles claiming that Nest leaked unencrypted personal data were based on a report that has since been corrected.
In January 2016, some media outlets and websites misreported that Nest was sending unencrypted user data over the Internet. Media reports incorrectly concluded that this created a security vulnerability because a criminal could intercept this data, possibly match it with a device identification for the Nest product, and then match that to a Nest customer’s home location.
However, these reports were based on a study that drew an incorrect conclusion. In fact, the Google Nest Learning Thermostat does not expose personal data over the Internet. Data sent from Nest products, including personal data, is fully encrypted using the state-of-the-art security tools.
The PrivacyCon researcher discovered that in 2015, unencrypted home ZIP codes were sent to the weather service used to provide weather information for our customers’ homes. The return data from the weather request included local weather data and the location coordinates of the closest weather station. The researcher originally made an assumption that the unencrypted location coordinates sent were for a Nest customer’s home location. In reality, the location coordinates were for the weather station in or closest to the customer’s ZIP code, and not their home.
No information more precise than the home’s ZIP code was sent unencrypted, and in fact even these data have been encrypted since September 2015.
Nest contacted the PrivacyCon researcher and pointed out the error in the study. The report was updated, but that didn’t prevent the media from reporting inaccurate information.
Please read our Privacy Statement
For complete details on how we keep your information private and secure, please see our Privacy Statement which describes how we handle personal data, data sharing and access.