For years, home automation tech has been a nightmare for security and privacy. Security pros love doing smart home hack demos — often flicking lights on and off from miles away — and the patchwork nature of the devices means a setup is only as strong as its weakest link. The data collected by those devices is often some of the most sensitive data you have, leaving the entire sector under the looming threat of a data breach. But with so many different companies moving in so many different directions, solving the security and privacy problems can seem like an impossible task.
Now, Nest and Google are trying to rein in that system. Nest’s first stab at interoperability — a bundle of connections and services dubbed “Works With Nest” — was unofficially canceled in May, and together with the Pixel hardware event, we got a peek at what’s lined up to replace it. Nest is moving to a more tightly controlled system, restricting access to audited partners and tightly limited “routines.” It’s part of a broader push to rein in the risks of home automation and prevent the kind of third-party-driven data breach that has hit so many competitors. But along the way, it means tightening Google’s control over the world of home automation in a way that competitors may not like.
In a blog post on Tuesday, Google laid out three new ways to get non-Nest code into Nest devices. First, there’s a limited set of “home routines” that can perform basic tasks like turning off lights or setting temperatures, which are designed as simple triggers that can be activated without sharing data. There will also be a new developer program that lets individuals reprogram their own Nest devices, although executives don’t expect that kind of personalized programming to be widespread.
Most of the information flowing to other devices will come through the third option, which Nest calls the “Device Access” program. If you want your security system or your smart home hub to control the Nest, this is how you’ll do it — and it will mean sharing Nest’s data with the other company.
Everything happens with explicit user permission, but it’s still a fraught moment — a chance for a single bad actor to collect and exploit some of the most sensitive data you have. After Cambridge Analytica, it’s not enough to leave users to make the decision, so Nest is putting tight restrictions on the companies that are allowed to participate in the program. In the post, Google describes those companies as “qualified partners,” but that qualification process is rigorous. Nest executives told The Verge that it would require annual privacy audits from a third-party auditing firm, an expensive and involved process for something that could be as simple as an API call.
“Some people will complain, but our view is, if you’re not willing to guarantee how you’re treating consumer data, then maybe you shouldn’t be doing this,” Nest GM Rishi Chandra told The Verge.
In part, it’s an acknowledgment of how sensitive home data really is. These devices can tell when you leave your house, when you fall asleep, and what you cook for dinner. In a fully connected home, it’s hard to do anything without leaving some kind of digital trace. And in most cases, that data is spread across multiple companies, leaving lots of opportunities for it to leak out. If that happened in a Nest-connected home, Nest would be on the hook for the privacy fallout — even if users had given permission to share the data.
“This is the new reality right now,” says Chandra. “We can’t put the onus on the user to deal with their own privacy and all their information.”
There are reasons to be nervous about this tightening of permissions. The companies making these devices aren’t scrappy startups anymore. They’re some of the largest companies in the world, and the competition over who controls what data will be a major struggle in the years to come. Ideally, Google wouldn’t be setting the terms for how you can link your own devices. Even Chandra concedes that some kind of independent standard akin to ISO certifications would be preferable. But we don’t have that standard yet, and without it, cleaning up the mess of home automation means making it harder to play the game.
Dieter Bohn contributed reporting.