“Don’t Be Evil” was the mantra of Google from years before even Gmail was created. While certainly less vague than their replacement slogan “Do the Right Thing”, there has been a lot of criticism directed at Google over the past decade and a half for repeatedly being at odds with one of their key values. It seems as though they took this criticism to heart (or found it easier to make money without the slogan), and subsequently dropped it in 2018. Nothing at Google changed, though, as the company has continued with several practices which at best could be considered shady.
The latest was the inclusion of an undisclosed microphone in parts of their smart home system, the Nest Guard. This is a member of the Nest family of products — it is not the thermostat itself, but a base station for a set of home security hardware you can install yourself. The real issue is that this base station was never billed as being voice activated. If you’re someone who has actively avoided installing “always-listening” style devices in your home, it’s infuriating to learn there is hardware out that have microphones in them but no mention of that in the marketing of the product.
Surveillance: The Monitoring Of Behavior, Activities, Or Other Changing Information
While it might be best if we stopped being surprised when Google does something objectively creepy in order to gather yet more data, the sad state of affairs is that these types of practices aren’t limited to Google alone, but seem to be “industry standard” now. While the latest outrage is directed at Google (technically their parent company Alphabet), we could easily focus the microscope on any other company and wonder exactly what hardware is hidden behind the scenes, and what the software is doing that powers it.
One of the most ubiquitous examples of hardware getting away from our control is the cameras included on almost all laptops. By the end of the ’00s security experts were recommending that the user-facing cameras be covered when not in use so that if any nefarious users gained access to that laptop they at least wouldn’t be able to see anything from the webcam. Some modern laptops even include a slider that serves this purpose. There’s also a Black Mirror episode that uses this attack as a plot point in a much more unsettling story.
But we already know cameras are included in laptops — they are listed in the product specs and visible to the user. In the case of the Nest Guard’s microphone, this was not the case. An undisclosed listening device is new territory.
An Unadvertised Feature vs. a Hidden Microphone
It’s worth diving a little bit more into this particular case as it serves as a lens that we can use to view other oversights and transgressions on our privacy in the hardware we are currently bringing into our daily routines.
Early last month, an announcement was made that users of the Nest Guard base station would soon be able to use the device as a Google Home — a voice activated interface for the Internet-connected Google Assistant. Since Google Home devices need microphones to listen for audio commands from the user, this meant that the Nest Guard has a microphone as well. The microphone was not listed on the spec sheet for the device, though, which is the main point of contention here: A piece of hardware capable of listening to its users, from a company that is infamous for data collection, was not made public. At best this is an extreme example of a company being tone deaf to the issues their users have with them.
Of course, Google claims that the microphones were never supposed to be a secret, and that they were disabled by default. Google does have a slightly unsettling track record of including hardware in their devices but disabling it until future software upgrades, like they did recently with Bluetooth in the Chromecast. But, even if we could trust Google fully (we can’t, and shouldn’t, put blind trust of our privacy and our data in any company), people buying this hardware never had the opportunity to choose whether or not to put this internet-connected microphone in their homes. Users must be made aware of every hardware specification in the products they are purchasing and installing.
Needless to say, this is why many of us in this community do hardware teardowns. We can’t trust what we can’t see, and we need to know for ourselves what we are getting into.
Airlines Claim They’re Not Watching You, Despite the Cameras
There are plenty of examples of other companies that have been equally as awkward about privacy and security concerns regarding hardware, even within the most recent news cycle. Singapore Airlines was recently found to have cameras in each one of the seats on its airplanes pointing at the passengers for indeterminate reasons. They played the same card Google played where they made claims about the hardware being disabled. Granted, generic tablets have cameras in them and it’s likely that airlines are repurposing posing these designs for their infotainment hardware. But having a camera pointed at you is creepy, even if you’re assured it will not be activated. Again, even if we could trust a company to have the best interests of its customers at heart, we can’t trust everyone else in the world to politely refrain from using that hardware for their own attacks.
The inclusion of various bits of hardware can raise other concerns beyond data security and privacy. Even networking commonly-used hardware together can cause concerns for one’s own personal safety, as a pair of white hats showed when they were able to disable or control various features on a Jeep. Presumably the intent Chrysler had for including cellular network access on its Jeeps was to protect the safety of its passengers, or even provide them with a convenience, but the security in the system was laughable and could have caused real chaos in the hands of someone who had darker motives.
A Bounty of Apathy; A Lack of Clear Solutions
It’s genuinely surprising that the Nest Guard microphone wasn’t discovered long ago as part of a teardown. While there are people who do teardowns of hardware, many of which can be found in this community, there’s more hardware out there than can possibly be investigated. It would also be hard to obtain some of it, like a seat from a Singapore Airlines airplane.
The solution to these problems seems to be elusive as well. Even if we would like to trust corporations with our security, privacy, or even safety, most of them have demonstrated that this is not a key concern of theirs. This also doesn’t solve the separate problem that the vectors for attack by bad actors are magnified with the addition of more and more hardware, especially as devices with network access balloon in numbers with the growth of the Internet of Things. There aren’t even enough Stallman-approved laptops (update: it has Trisquel installed now) to go around for us to have even a modicum of peace-of-mind when using a personal computer.
Compounding the issue, the vast majority of users are complicit in the problem. Most people don’t seem to be that concerned until something really devastating actually happens, and then frustratingly they forget about it moments later. Consider that the recent rash of humongous data breaches at Target, Equifax, Mariott, and the like haven’t stopped people from patronizing those businesses. Few owners of Nest equipment will toss it based on the news that it includes a previously undisclosed microphone. Perhaps the only news here is that nothing is likely to change regardless of how much shock we feign at Google, Facebook, or any other company every time they put profit ahead of users’ best interest.