Google Nest Hub Max

Warning: *privacy not included with this product

Holiday Guide 2023 Smart Home Smart Display

Google Nest Hub Max

Google
Wi-Fi Bluetooth

Review date: Nov. 1, 2023

|
Mozilla researched 8 hours
|

Mozilla says

|
People voted: Somewhat creepy

Meet Google's high-end video home hub complete with microphone, Nest Cam camera, and touchscreen display. Use it for video calls, monitoring your video doorbell, watching YouTube and Netflix, sharing photos, controlling your connected thermostat, listening to music, or getting alerts whenever the camera's motion sensor picks up something moving in your home. It's a good thing Google built a physical way to turn off the camera and microphone on this gadget because otherwise it could feel a little creepy.

What could happen if something goes wrong?

“OK, Google.” That’s pretty much exactly how we think Google does when it comes to privacy. They are OK, if you consider the fact that they are a ginormous data collecting advertising company that makes billions of dollars off your personal information. It’s really unfortunate just how low the bar has gotten when it comes to privacy these days.

What sorts of data does Google collect on you? Well, there are those voice recordings when you go, “Hey Google, what are the symptoms of a panic attack?” And while Google promises that your voice recordings won’t be used to send you personalized ads, they do say the transcripts of your voice interactions with your Google smart speaker may. Google also collects things like your location, information about things near your devices like wi-fi access points and bluetooth enabled devices, people you communicate with, purchase activity, voice and audio information, your favorite songs on Spotify, what things you search for, what things you ask Google, when you turn your lights on if you have smart lights, when you use it to run your robot vacuum, and so much more.

Of course, Google uses your personal information to sell those targeted, personalized ads you see all over the place like in your Gmail, in your favorite Solitaire app, on partner websites, and on YouTube. Yup, the ads are everywhere. Google does say they won’t use things like your religious beliefs or health information to show you ads…although we just have to trust them on that. I’m sure we’ve all seen ads based on sensitive things about us that felt pretty creepy. And Google says they won’t use content from your Google Drive, Email, or Photos to personalize ads. We sure hope not.

Google also says they can collect a good bit of information on your child if they use Google services, including services managed by parents through Family Link for children under 13. The data they say they can collect on your child includes location data, voice and audio information, what apps and devices your child uses, and your child's activity within Google's services. And then they say they can use that data to "provide recommendations, personalized content, and customized search results." Yes, Google is going to push content to your kid basd on their online activities. Google does say that they, "... will not serve personalized ads to your child, which means ads will not be based on information from your child’s account or profile. Instead, ads may be based on information like the content of the website or app your child is viewing, the current search query, or general location (such as city or state). When browsing the web or using non-Google apps, your child may encounter ads served by other (non-Google) ad providers, including ads personalized by third parties." Parents, if you plan to let your kids use Google's services, it's good to do some research beforehand.

We've always struggled a bit with Google here at *Privacy Not Included. There is no doubt Google is bad for the world's privacy. They kinda set the standard for collecting huge amounts of data on us and using that to target ads. The end result of Google's years and years of data collection and targeted advertising is a huge billion dollar company with tons and tons of power around the world. And now we're all perhaps way too conditioned to having our data being scooped up to target us with ads based on our location, our interests, and inferences that can be drawn about us from all these thousands of data points. This is all really bad for privacy.

That being said. Google has always managed to avoid our *Privacy Not Included warning label because they do some good things too -- like give everyone the ability to delete their data, they do a pretty good job and keeping all the data the hoover up on us secure, and hey, we know they don't really sell that data because, why would they? They want that data for themselves to make lots of money.

This is the year that we've finally decided Google has gotten bad enough we can justify dinging them with our *Privacy Not Included warning label (yes, we don't disagree we should have done it sooner, but we do have a methodology full of criteria we work from and they always walked the line of being bad but not exactly crossing enough of our lines to ding them). Here's why we decided to ding them this year.

First, we already know Google collects a TON of personal information on us, through our Google Assistant voice requests, location tracking, searches, cookies and app tracking technologies, and more. And while Google says they don't sell that information, they do provide access to that information to many, many third parties for advertising purposes. Google goes even farther these days and says that they allow "specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies." That means you're not just being tracked by Google when you use devices but also by these mysterious "specific partners" in ways that you might not be aware of or been given the opportunity to consent to. This is bad.

We're in the age of AI now, so there is even more bad. We are very concerned that Google's privacy policy now says they can "use publicly available information to help train Google’s AI models." This is a concern to us and others because we don't know what Google counts as "publicly available information," and we don't know if people are ever given any idea, warning, or opportunity to consent to have this data used to train Google's AI, including their Bard chatbot. And Google is bringing Bard into their Google Assistant, apps, and services. That could mean even more personal information shared, collected, processed, and inferred about you by Google.

The second big concern we have about Google is their track record at being honest and respecting all this personal information they collect on us. Google has racked up quite a long list of fines for privacy violations. In 2023, they settled a lawsuit with the state of California for $93 million for continuing to collect and store location data even after users turned off location tracking, according to the lawsuit. In 2022, they settled a similar lawsuit for continuing to track users locations after they opted with 40 states for $392 million. Also in 2023, a $5 billion lawsuit was allowed to continue against Google for secretly tracking users internet use when the judge ruled "she could not find that users consented to letting Google collect information about what they viewed online because the Alphabet (GOOGL.O) unit never explicitly told them it would." And in December of 2022, the French data protection authority fined Google $57 million for "failing to acknowledge how its users' data is processed." Those are just the fines and lawsuits that have happend since we last reviewed Google in 2022. Over the past few years, there have been even more. South Korea fined Google (and Meta) millions of dollars recently for privacy violations. So did France and Spain. And in the US, Google has faced a host of lawsuits and settlements from Texas, California, DC, Illinois, Arizona, the Federal Trade Commission, and more. All this makes it pretty hard to trust what a company says they do with that massive amount of personal information they collect on you.

One thing about Google we do like: They have a decent way to communicate with users about how they collect and use data in their Safety Center. Google does collect a ton of data on you and your children, especially if you don't take the time to adjust your privacy settings to lock down just how much info they can gather. You should absolutely take the time to adjust these privacy settings. Just beware, you will get notifications that some things might not work right if you change settings. That’s annoying, and probably worth it for a little more privacy.

What’s the worst that could happen? Well, it's possible Google can get to know you really well, maybe too well. Maybe they recognize you from all the times you ordered plain cheese pizza. They know you are single because who orders plain cheese pizza? Just kidding, they know you're single because of all those pedicure appointments you've booked for one. Maybe it's OK Google knows you so well? Maybe it's creepy. (OK, we think it’s pretty creepy). What’s even creepier these days is the possibility that your Google searches and location information and more could potentially be used to harass, arrest, and even prosecute people in the United States seeking reproductive health care. That’s not just creepy, that’s downright harmful. Oh, and we don't even know how creepy it could get as Google gobbles up more and more of our data to train their AIs. This isn't just a problem with Google though, this is a concern we have will AI's like ChatGPT and OpenAI as well.

Tips to protect yourself

  • Visit privacy controls to adjust the amount of data collected
  • Customize your ads experience.
  • Delete your historical data from time to time. You can do this by saying, “Hey Google, delete this week’s activity.” or "Hey Google, that wasn't for you" to delete the last thing you said
  • Turn off personalized advertisement
  • Delete your historical data from time to time
  • Review Nest privacy tips: https://support.google.com/googlenest/answer/9247517
  • When starting a sign-up, do not agree to tracking of your data.
  • Do not sign up with third-party accounts. Better just log in with email and strong password.
  • Chose a strong password! You may use a password control tool like 1Password, KeePass etc
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless necessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
  • mobile

Can it snoop on me? information

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: Yes

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

A Google Account is required.

What data does the company collect?

How does the company use this data?

We ding this product for collecting extensive information on users, combining it with data from third-party data sources, and targeting ads based on that data, as well as letting its customers target ads based on that data. In addition, we ding this product for allowing "specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies." We are also concerned about the fact that Google says they can "use publicly available information to help train Google’s AI models," as that could potentially entail a lot of information people don't consent to have used to train their AIs.

Google's Privacy Policy

"Business purposes for which information may be used or disclosed
Advertising: Google processes information to provide advertising, including online identifiers, browsing and search activity, and information about your location and interactions with advertisements."

Research and development: Google uses information to improve our services and to develop new products, features and technologies that benefit our users and the public. For example, we use publicly available information to help train Google’s AI models and build products and features like Google Translate, Bard, and Cloud AI capabilities.

Legal reasons: Google also uses information to satisfy applicable laws or regulations, and discloses information in response to legal process or enforceable government requests, including to law enforcement. We provide information about the number and type of requests we receive from governments in our Transparency Report."

"Google does not sell your personal information. Google also does not “share” your personal information as that term is defined in the California Consumer Privacy Act (CCPA)."

"We use the information we collect to customize our services for you, including providing recommendations, personalized content, and customized search results. For example, Security Checkup provides security tips adapted to how you use Google products. And Google Play uses information like apps you’ve already installed and videos you’ve watched on YouTube to suggest new apps you might like.

Depending on your settings, we may also show you personalized ads based on your interests. <...>
We don’t show you personalized ads based on sensitive categories, such as race, religion, sexual orientation, or health.
We don’t show you personalized ads based on your content from Drive, Gmail, or Photos.
We don’t share information that personally identifies you with advertisers, such as your name or email, unless you ask us to. For example, if you see an ad for a nearby flower shop and select the “tap to call” button, we’ll connect your call and may share your phone number with the flower shop."

"Personal information. This is information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data that can be reasonably linked to such information by Google, such as information we associate with your Google Account."

"In some circumstances, Google also collects information about you from publicly accessible sources."

"We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases, and server logs."

"We’ll share personal information outside of Google when we have your consent. "

"We provide personal information to our affiliates and other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures. "

"We may share non-personally identifiable information publicly and with our partners — like publishers, advertisers, developers, or rights holders. For example, we share information publicly to show trends about the general use of our services. We also allow specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies."

How does Google use location information?
"Your location information can help Google show you more relevant ads. When you search for something like “shoe stores near me,” location information can be used to show you ads from shoe stores near you. Or, let’s say you’re searching for pet insurance, advertisers might show different benefits in different areas."

"Google may also use your past browsing or app activity (such as your searches, website visits, or videos you watched on YouTube) and general areas saved as part of the Web & App Activity setting to show you more useful ads. For example, if you search for where to buy milk nearby on Google, you may see ads for grocery stores in the general area where you frequently browse Google Search while waiting for your bus or train.
Advertisers can only target ads to general areas, such as countries, cities, or regions around their business."

Google's Advertising Technologies Page
"Advertising keeps Google and many of the websites and services you use free of charge. We work hard to make sure that ads are safe, unobtrusive, and as relevant as possible. "

"Other technologies used in advertising...
We may use the IP address, for example, to identify your general location. We may also select advertising based on information about your computer or device, such as your device model, browser type, or sensors in your device like the accelerometer.

Location
Google’s ad products may receive or infer information about your location from a variety of sources. For example, we may use the IP address to identify your general location; we may receive precise location from your mobile device; we may infer your location from your search queries; and websites or apps that you use may send information about your location to us. Google uses location information in our ads products to infer demographic information, to improve the relevance of the ads you see, to measure ad performance and to report aggregate statistics to advertisers....

Advertising identifiers for mobile apps
To serve ads in services where cookie technology may not be available (for example, in mobile applications), we may use technologies that perform similar functions to cookies. Sometimes Google links the identifier used for advertising on mobile applications to an advertising cookie on the same device in order to coordinate ads across your mobile apps and mobile browser....

Connected TVs are another area where cookie technology is not available, and, instead, Google will rely on device identifiers designed for use in advertising to serve ads. Many connected TV devices support an identifier for advertising that is similar in function to mobile device identifiers. These identifiers are built to give users the option to reset them or to opt out of personalized advertising entirely."

"What determines the ads by Google that I see?
Many decisions are made to determine which ad you see. Sometimes the ad you see is based on your current or past location. Your IP address is usually a good indication of your approximate location. So you might see an ad on the homepage of YouTube.com that promotes a forthcoming movie in your country, or a search for ‘pizza’ might return results for pizza places in your town. Sometimes the ad you see is based on the context of a page. If you’re looking at a page of gardening tips, you might see ads for gardening equipment. Sometimes you might also see an ad on the web that’s based on your app activity or activity on Google services; an in-app ad that’s based on your web activity; or an ad based on your activity on another device. Sometimes the ad you see on a page is served by Google but selected by another company. For example, you might have registered with a newspaper website. From information you’ve given the newspaper, it can make decisions about which ads to show you, and it can use Google’s ad serving products to deliver those ads. You may also see ads on Google products and services, including Search, Gmail, and YouTube, based on information, such as your email address, that you provided to advertisers and the advertisers then shared with Google."

"We do have restrictions on this type of ad. For example, we prohibit advertisers from selecting an audience based on sensitive information, such as health information or religious beliefs."

How can you control your data?

Google's Privacy Policy

"You can export a copy of content in your Google Account if you want to back it up or use it with a service outside of Google."
"To delete your information, you can:
Delete your content from specific Google services
Search for and then delete specific items from your account using My Activity
Delete specific Google products, including your information associated with those products
Delete your entire Google Account"

"In some cases, rather than provide a way to delete data, we store it for a predetermined period of time. For each type of data, we set retention timeframes based on the reason for its collection. For example, to ensure that our services display properly on many different types of devices, we may retain browser width and height for up to 9 months. We also take steps to anonymize or pseudonymize certain data within set time periods. For example, we anonymize advertising data in server logs by removing part of the IP address after 9 months and cookie information after 18 months. We may also retain pseudonymized data, such as queries that have been disconnected from users’ Google Accounts, for a set period of time."

What is the company’s known track record of protecting users’ data?

Needs Improvement

In September 2023, the US Department of Justice launched a trial against Google arguing "that Google abused its power as a monopoly to dominate the search engine business." Full disclosure, Mozilla testified in this trial.

In September 2023, Google was set to pay $93M in settlement over deceptive location tracking.

In August 2023, a US District Court judge allowed a $5 Billion lawsuit to continue against Google for alleged privacy violations of users for secretly tracking them without their consent.

In January 2023, Google confirmed data breach in its cell network provider Google Fi. The breach is linked to the recent T-Mobile hack. Google announced the breach immediately. Google says the hackers accessed limited customer information, including phone numbers, account status, SIM card serial numbers and information related to details about customers’ mobile service plans, such as whether they have selected unlimited SMS or international roaming.

In December 2022, Google was fined by EU watchdog over GDPR violations.

In September 2022, Google lost anti-trust ruling of EU which put a fine of over $4.34B on Google because of its Android monopoly.

Google received plenty of fines from European, American, and Korean authorities in the last few years. The biggest was the $170M fine from New York Attorney General for mishandling the children consent. The other cases include the fine of $100M for violating the Biometric Information Privacy Act in Illinois, $71.8M fine for mishandling consent in South Korea, $57M fine for violating GDPR in France, as well as other fines from local Data Protection Authorities in Ireland, Italy, Spain.

In 2022 Google agreed to a nearly $392 million dollar legal settlement with 40 US states "for charges that it misled users into thinking they had turned off location tracking in their account settings even as the company continued collecting that information".

In August 2019, the company admitted that partners who work to analyze voice snippets from the Assistant leaked the voice snippets of some Dutch users. More than 1,000 private conversations were sent to a Belgian news outlet, some of the messages reportedly revealed sensitive information such as medical conditions and customer addresses.

In December 2018, a bug exposed exposed the data of 52.5 million Google+ users.

Nest Security Bulletin contains details of security vulnerabilities that previously affected Google Nest's devices.

Child Privacy Information

Google provides a Privacy Link guide with information about privacy of kids aged 6-8, 9-12, and 13-17.

Privacy Notice for Google Accounts and Profiles Managed with Family Link, for Children under 13 (or applicable age in your country)
"For your child to have their own Google Account or profile, we may need your permission to collect, use or disclose your child’s information as described in this Privacy Notice and the Google Privacy Policy. When you allow your child to use our services, you and your child are trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control. You can choose whether your child can manage their activity controls for things like Web & App Activity and YouTube History.

This Privacy Notice for Google Accounts and Profiles Managed with Family Link, for Children under 13 (or applicable age in your country) and the Google Privacy Policy explain Google’s privacy practices. To the extent there are privacy practices specific to your child’s account or profile, such as with respect to limitations on personalized advertising, those differences are outlined in this Privacy Notice.

This Privacy Notice does not apply to the practices of any third party (non-Google) apps, actions or websites that your child may use. You should review the applicable terms and policies for third party apps, actions, and sites to determine their appropriateness for your child, including their data collection and use practices."

Once you grant permission for your child to have a Google Account or profile, their account or profile will generally be treated like your own with respect to the information that we collect. For example, we collect:
Information you and your child create or provide to us...
Information we get from your child’s use of our services....(including)....
Your child’s apps, browsers & devices...
Your child’s location information...
Your child’s voice & audio information..."

"We may use your child’s information to provide recommendations, personalized content, and customized search results. For example, depending on your child’s settings, Google Play may use information like apps your child has installed to suggest new apps they might like.
In addition, we may combine the information we collect among our services and across your child’s devices for the purposes described above. Depending on your child’s account or profile settings, their activity on other sites and apps may be associated with their personal information in order to improve Google’s services.
Google will not serve personalized ads to your child, which means ads will not be based on information from your child’s account or profile. Instead, ads may be based on information like the content of the website or app your child is viewing, the current search query, or general location (such as city or state). When browsing the web or using non-Google apps, your child may encounter ads served by other (non-Google) ad providers, including ads personalized by third parties."

"We may also share non-personally identifiable information (such as trends about the general use of our services) publicly and with our partners — like publishers, advertisers, developers, or rights holders. For example, we share information publicly to show trends about the general use of our services. We also allow specific partners to collect information from browsers or devices for advertising and measurement purposes using their own cookies or similar technologies."

Can this product be used offline?

No

User-friendly privacy information?

No

We'll give Google this, they don't lack for privacy documentation. There is a LOT of it. And we've plowed through worse privacy policies. All that being said, there are so many documents and privacy notices and on and on that it is a lot to take in and digest. So is it user-friendly? Well, kind of. Is it easy to read and understand? Not exactly. Is it OK to expect people to spend 5 hours of their day trying to sort though all of this documentation on a regular basis? Absolutely not.

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

Uses encryption in transit and at rest.

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

Google has a Security Rewards program. Link: https://www.google.com/about/appsecurity/programs-home/

Privacy policy

Yes

Does the product use AI? information

Yes

Google is planning to add generative AI product Bard to its Home products. Google also uses natural language processing to understand you and to generate answers to your requests.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Yes

Google published the Generative AI additional Terms of Service. https://policies.google.com/terms/generative-ai

Does the user have control over the AI features?

Yes

On Nest Cameras, you can select which notifications you receive—for example, turn off person detection. Familiar Face detection, which identifies people who visit your home often, such as family members, is an opt-in feature that requires a Nest Aware subscription.
*privacy not included

Dive Deeper

  • Scoop: Google Assistant to get an AI makeover
    Axios
  • Google loses appeal against record $4 billion EU fine
    CNN Business
  • Google Assistant is about to get supercharged by generative AI, says new report
    ZDNET
  • Google Fi says hackers accessed customers’ information
    TechCrunch
  • Google fails to end $5 billion consumer privacy lawsuit
    Reuters
  • 7 Google Assistant settings you should disable or adjust
    Digital Trends
  • Google Finally Lets You Turn off Targeted Ads Without Breaking Its Apps
    Gizmodo
  • All the Ways Google Is Coming Under Fire Over Privacy: QuickTake
    Bloomberg
  • Google settles lawsuit with Illinois residents for $100M after photo app privacy concerns
    USA Today
  • Google, Meta fined $71.8M for violating privacy law in South Korea
    TechCrunch
  • France fines Google $57 million for European privacy rule breach
    Reuters
  • Google Is Fined $170 Million for Violating Children’s Privacy on YouTube
    The New York Times
  • Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law
    Federal Trade Commission
  • Data privacy alert: Spanish DPA fines Google €10 million
    SC Media
  • Texas Sues Google for Collecting Biometric Data Without Consent
    The New York Times
  • Google Agrees to $392 Million Privacy Settlement With 40 States
    The New York Times
  • Google Data Breaches: Full Timeline Through 2022
    Firewall Times
  • Alexa records you more often than you think
    Vox
  • Lawsuit claims Google knew its ‘Incognito mode’ doesn't protect users’ privacy
    The Washington Post
  • How to Use Google Privacy Settings
    Consumer Reports
  • Google is sending a complicated privacy email to everyone — here’s what it means
    The Verge
  • Is your Google Home or Nest secure? How to find and delete your private data
    CNET
  • Thousands of Mobile Apps Leak Data from Firebase Databases
    Ionut Arghire
  • With a Laser, Researchers Say They Can Hack Alexa, Google Home or Siri
    NY Times
  • How to keep the smart speaker you got for the holidays and still keep some of your privacy, too
    Vox

Comments

Got a comment? Let us hear it.