Even though Google officially killed remote control functionality for early Nest Learning Thermostats last month, the company is still quietly harvesting streams of personal data from these abandoned devices. Security researcher Cody Kociemba discovered that first and second-generation thermostats continue beaming temperature changes, occupancy detection, ambient light readings, and motion data straight to Google's servers - despite users losing all smart features.
Google just got caught with its hand in the smart home cookie jar. The tech giant officially pulled the plug on remote control features for early Nest Learning Thermostats last month, but it apparently forgot to mention one crucial detail - the data vacuum is still running at full blast.
Security researcher Cody Kociemba stumbled onto this digital privacy nightmare while participating in an unusual bounty program. FULU, a right-to-repair advocacy group cofounded by electronics repair guru Louis Rossmann, challenged developers to breathe life back into Google's abandoned smart thermostats. The $14,772 prize seemed straightforward enough - restore functionality to devices Google had essentially bricked.
But when Kociemba started building his open-source "No Longer Evil" project by cloning Google's API, something unexpected happened. Customer device logs started flooding in. Lots of them. "On these devices, while they [Google] turned off access to remotely control them, they did leave in the ability for the devices to upload logs. And the logs are pretty extensive," Kociemba told The Verge.
The scope of data collection is staggering for devices users can no longer actually control. These supposedly "downgraded" thermostats are still transmitting manual temperature adjustments, whether someone's physically present in the room, if sunlight is hitting the device, plus comprehensive sensor readings covering temperature, humidity, ambient light levels, and motion detection. It's a one-way data highway flowing straight to Mountain View.
What makes this particularly galling is that Google can't even use this information to help customers anymore. The company cut off all support channels when it discontinued the devices. "Although these logs can contain technical details such as HVAC error states, Google can no longer use that information to assist the customers who still depend on these thermostats, since support has been fully discontinued, even in cases of device failure," Kociemba explained.
Google's official support documentation acknowledges that unsupported devices "will continue to report logs for issue diagnostics," but the company frames this as somehow beneficial. The reality is messier - Google is collecting intimate details about people's daily routines from devices it no longer supports, updates, or secures.
