Google Home Mini Complaint

Background

Google Home Mini

Google Home Mini is a "smart speaker" that listens to you and responds to your every command. The device is supposed to be activated when you say the wake words "OK Google" or press the touchpad on top of the device. But a defect in the touchpad caused many of the Home Minis to be permanently set to "on," recording everything its users said, 24/7.

Google first introduced its Home Mini to reporters at an event in San Francisco two weeks before it planned to make the product available on the market. Tech blogger Artem Russakovskii of Android Police discovered a defect in the Home Mini that caused it to turn on automatically and record everything he said. After checking his Google Activity Portal, Russakovskii further discovered that Google was storing all of his conversations on its servers. Google blamed the defect on a faulty touchpad that activated the device without being touched. Google issued a software patch for Home Mini that permanently disabled the touchpad. A Google spokesperson said, "We learned of an issue impacting a small number of Google Home Mini devices that could cause the touch mechanism to behave incorrectly," adding, "we have made the decision to permanently remove all top touch functionality."

This is not the first time that Google has been caught engaging in electronic eavesdropping. It was widely reported that Google was scanning the contents of Gmail users' emails. In 2016, EPIC filed an amicus brief in the Massachusetts Supreme Court contending that this practice violated Federal Wiretap laws. Google finally announced that it would end this practice on June 23, 2017. Google was also scanning student emails on its Apps for Education system up until 2014, and EPIC sued the Department of Education in 2011 over its regulation that weakened student privacy protections. EPIC first warned the public about Google's e-mail scanning practices back in 2005, and filed a complaint with the FTC in 2009 over the privacy risks of Google's insecure cloud computing services, including Gmail.

In 2015, reports revealed that the Google Chrome browser contained code that enabled it to capture its users' conversations through their computer's microphone. The browser was designed to support a voice-to-text search function that would be activated when the user said the words "OK Google." But according to Rick Falkvinge, the founder of Sweden's Pirate party, the code automatically turned the microphone on and was "actively listening to your room." The OK Google search function was also installed on Android phones.

Google has also raised serious privacy concerns with its wearable computer, Google Glass. This device can surreptitiously record and identify anyone on the street. If someone is identified using Google Glass's facial recognition technology, the user can instantly see that person's social media profiles, pictures, and Google search results. The information Google Glass records is then sent to Google's servers and stored in the cloud, raising further privacy and security risks.

"Always On" Devices

Google Home Mini is just the latest "always on" device that raises serious privacy concerns. In 2015, EPIC asked the Federal Trade Commission and the Department of Justice to investigate "always on" devices that record and store users' private conversations, possibly in violation of federal wiretap laws. EPIC specifically warned the FTC and DOJ about devices similar to Google Home Mini, such as Amazon Echo, Siri, and Alexa. The Electronic Communications Privacy Act, also known as the "Wiretap Act" broadly prohibits electronic eavesdropping by private individuals or companies, but it has been rarely applied to home devices that record private conversations. EPIC also recommended that the FTC and DOJ conduct workshops to educate consumers about the risks of this new form of technology.

EPIC filed a complaint with the FTC in 2015 regarding Samsung's SmartTV that recorded consumers' private conversations and transmitted them to a third party. The TV was equipped with "always on" voice-recognition technology to enable voice commands. But as EPIC's complaint alleged, Samsung misrepresented to consumers that it encrypted voice recordings before sending them to a third party.

EPIC has devoted significant efforts to addressing the broad privacy and security risks posed by the "Internet of Things." In a 2014 Pew Research Report on the "IoT," EPIC President Marc Rotenberg explained that the underlying problem with the IoT is that "users are just another category of things," and, "[b]y 2025, the more interesting question will be how the Internet is interacting with people, not how people are interacting with the Internet." Frank Pasquale, law professor and EPIC advisory board member, warned that the expansion of the IoT will result in a world that is more "prison-like" with a "small class of 'watchers' and a much larger class of the experimented upon, the watched."

EPIC's Letter To The CPSC

On October 13, 2017, EPIC and a coalition of consumer privacy groups sent a letter to Chairwoman Ann Marie Buerkle of the Consumer Product Safety Commission, asking her to recall Google Home Mini. As the groups explained, "Google Home Mini … allowed Google to intercept and record private conversations in homes without the knowledge or consent of the consumer." The groups emphasized the need for the CPSC to act, stating, "[t]his is a classic manufacturing defect that places consumers at risk."

The groups stated in their letter that this product defect is well within the purview of the CPSC. They pointed out that CPSC is well aware of the risks from wireless devices because it had just recalled a wireless tank transmitter the previous week.

The groups also urged the CPSC to enforce its "Duty to Report" requirement against manufacturers of "IoT" devices. The CPSC has authority to require manufacturers to immediately report any "defective product that could create a substantial risk of injury to consumers." As the CPSC has itself stated, "Failure to fully and immediately report this information may lead to substantial civil or criminal penalties. CPSC staff's advice is 'when in doubt, report.'"

The coalition letter underscored the need for the CPSC to fill in the regulatory gaps, stating, "the Federal Trade Commission has simply failed to protect consumers against the risks of Internet-connected devices, routinely ignoring complaints brought by consumer organizations." In 2016, EPIC and a coalition of consumer groups submitted a complaint to the FTC urging it to investigate My Friend Cayla, a toy that spied on children. Although the toy was recalled in Europe, the FTC failed to act on the complaint. The FTC also declined to take action on EPIC's 2015 complaint regarding Samsung’s "SmartTV" that surreptitiously recorded its users.

The groups also called attention to the broader risks to consumers as home devices become increasingly connected to the internet. Cybersecurity experts have warned of an "Internet of Broken Things" that is vulnerable to cyber-attacks. "Poor insulation on the power cord of a toaster may lead to a fire in a particular home. But the exploitation of a vulnerability in a network of thermostats or door locks could be staggering." The groups' letter emphasized that "manufacturers-not consumers-must bear the responsibility to ensure the products that they offer for sale are safe for use by consumers." As EPIC Senior Counsel Alan Butler has written, "the proliferation of IoT devices could be the catalyst for a new field of 'connected devices' products liability law."

News Reports

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.