
Privacy and Security Evaluation of the Google Home smart speaker

Learn about the Google Home's privacy and security features

Girard Kelly | November 26, 2019

The Common Sense Privacy Program evaluates the privacy policies of popular consumer and education technology applications and services that are currently used by millions of children at home and in the classroom. The Privacy Program evaluated the privacy practices of a popular smart tech device called Google Home, which contains a virtual assistant called Google Assistant. 

We also performed a hands-on basic security test of the device for parents and teachers to learn more about its security practices and how they compare to other popular smart speakers that have virtual assistants. When evaluating whether to use smart tech paired with a mobile app at home or in the classroom, parents and teachers need a comprehensive understanding of both the privacy and security practices of a smart device. Our approach lets us compare what the smart tech company says they do with data with what our limited testing can observe about what they actually do with data. We can observe what data goes to and from the device, but we can't necessarily see what happens with the data when it reaches the external destination. Our findings are intended to help parents and teachers make better informed decisions about whether to buy this device or similar smart devices for use with their children at home or with students at school.

What is smart tech? 

The category of smart devices, or the Internet of Things (IoT), covers all the objects or devices used in your home, office, or school that are connected to the internet. More and more of these smart devices are being used by children as toys at home and with students as learning tools in the classroom every day. Smart tech companies claim their devices provide greater convenience and new learning opportunities for children and students, but they also collect and share more information than ever. Connected devices and household gadgets can collect all kinds of sensitive information -- anything from audio and visual recordings of your home to the names of shows you watch, the number of steps you've taken, your child's precise location, how and when you sleep, and even the foods you eat.

Product Details

Company: Google

Name: Google Home

Link: https://store.google.com/gb/product/google_home

Price: $99

Category: Smart Speakers and Virtual Assistants

Description: Google Home is a smart speaker device that integrates Google's virtual assistant, Google Assistant, which provides customized help to users across all their devices, such as their mobile phones, and any connected smart home devices.

Intended Audience

 

| Audience | Home | School |
| --- | --- | --- |
| Consumers (over 18) | Consumers can set up and control their Google Assistant and Chromecast devices, plus thousands of connected home products like lights, cameras, thermostats and more. | None. |
| Kids (under 13) | Kids can use Google Assistant at home to ask questions, play music, and play games. | Kids can use Google Assistant in the classroom to ask questions, play music, and play games. |
| Students (K-12) | Students can use Google Assistant at home to help answer homework questions, set timers, play study music, or control connected home products. | Students can use Google Assistant in the classroom to answer questions during a lesson, translate languages, or learn how to program with the Google Assistant SDK. |

Bottom Line

Best for Voice Recognition: The product offers great voice recognition and the ability to recognize different voices with personalized content, but parents and teachers should use it with caution because of its potential to collect a large amount of data about children or students for advertising purposes.

 

| | Pros | Cons |
| --- | --- | --- |
| 1. | Data Secure: User data is encrypted between the device, mobile app, and the cloud. | Ads & Tracking: Policy states that Google may use information about users’ online activities for advertising or tracking. |
| 2. | Most Accurate: Google Assistant answers the most questions fully and correctly. | No Content Filter: Content is not filtered or monitored for safety of children by default. |
| 3. | Parental Controls: Google Family Link app provides parental controls for a child's Google account with the ability to manage screen time and approve apps. | Expensive: Need to have both Wi-Fi internet access and a mobile device to set up Google Home. |

Software

The Google Home is bundled with the following apps:

 Google Assistant (iOS, Google Play)

 Google Home (iOS, Google Play)

 Google Family Link (iOS, Google Play)

Welcome

The Google Home mobile application launches with a welcome screen. The app requests that a user log in with their Google account or sign up to create a new account. After signing into a Google account, the user is prompted to create a new "home" with a nickname and street address.

         

Parental Controls

If a user clicks "sign up" after the welcome screen, the app requests personal information, including the user's first and last name, phone number, and birth date to confirm the user's age. If a user provides a birth date that indicates they are under the age of 13, the app requests that a parent or guardian provide consent for the child or student. A parent must provide consent through an email address or phone number before the child can use the device by signing up for an account themselves. After the parent or guardian has provided consent for their child and started the registration process with Family Link, they must enter personal information, including an email address and a password that meets strong and complex password requirements. 

         

Device Setup

Once a user is logged into their Google account, the user is prompted to look for a Google Home–connected device. Then, once the Google Home device is paired with the Google Home app, the device emits a sound to indicate that it is the correct device and that it is working properly. The Google Home app asks the user to indicate which room the Google Home device is located in and connects the device to the user's preferred Wi-Fi network.

         

Personalize

Once the Google Home device is connected to the internet, the Google Home app prompts the user to personalize their device with Google Assistant, activate the microphone on the mobile app, and teach it to recognize their voice with "Voice Match." In addition, the Google Home app asks if the user would like to receive personalized results from the Google Home device based on their new voice match. 

         

Custom Settings

Users are asked to customize the type of voice Google Assistant uses to speak. The Home app also asks the user for opt-in consent to collect precise location data and to send them first-party marketing information about products and services from Google. In addition, the Home app offers some useful voice commands to try with "Hey Google" in order to use the device and receive personalized results.

         

Manage Features

Once setup is complete, the user can manage their new "Home" and can increase or decrease the volume within the app, add or remove information in their settings, discover new features, and listen to music with the YouTube Music app.

         

Google Assistant App

In order to extend the functionality of the Google Home device and Google Assistant to mobile devices, users are prompted to download the Google Assistant app on their mobile device. In addition to the Home app, which controls the Google Home device, the Google Assistant app controls the features and settings of the user's Google Assistant and Google account.

         

Third-Party Apps

Lastly, within the Google Assistant app, the user is able to add new third-party apps for use with Google Assistant and the Google Home device. For example, a user can add new music streaming services (Pandora or YouTube Music), video or television app services (Netflix or HBO), or even new third-party devices such as light bulbs and connected wall outlets that may also require users to download device-specific third-party apps.

       

Hardware

The Google Home hardware is packed with new technologies, which also means that the device has data-collection capabilities that raise privacy and security concerns. Learn more about what's inside the Google Home and read our tips on privacy and security below.

Device Collection Details

 

| | Listening Indicator | Personal Information | Camera Access | Video Access | Microphone Access | Location Access |
| --- | --- | --- | --- | --- | --- | --- |
| App | Yes | Yes | No | No | Yes | Yes |
| Device | Yes | Yes | No | No | Yes | Yes |

What can all that hardware do?

Google Home has a "brain" with a dual-core ARM Cortex-A7 media processor. That means Google Home can more quickly collect and process information within the device itself. Because Google Home has considerable processing capabilities, it does not necessarily need extra help from a mobile phone or tablet for most tasks. 

Tip: The more information collected and processed, the more privacy and security risk there is for that information.

Google Home can “feel” with capacitive touch sensors to pinpoint the force of your finger on top of the device and mobile device. That means Google Home can collect information about the amount of force that is used to touch it and when and where that force was used to control the device.

Tip: Information collected about a child’s or student's use of a product's features over time is typically called "usage information" or "behavioral information."

Google Home has "ears" with a multidirectional, two-microphone array. That means Google Home can listen to and process multiple conversations at the same time, filter out background noise, and focus on the direction voices and sounds are coming from.

Tip: Audio information about the duration, tone, pitch, and content of voice communications, as well as when and where those communications happened, may contain personal or sensitive information. This is a risk to a greater number of people's privacy when Google Home is used in a public place, office space, or classroom than when it's used in a private home. For example, houseguests should have the right to know smart speakers are in use before entering the home, and students should know smart speakers are in use before entering the classroom.

Google Home has a voice that can be changed and spoken through speakers that make synthesized sounds and respond to commands. That means Google Home knows when it is talking or when it is giving updates, and it also knows the content of those spoken messages and the content of the synthesized conversations it has with users.

Tip: Information about the duration and content of spoken responses Google Home gives to users, and when and where Google Home gives those responses, may contain personal or sensitive information and may be audible to others. This is a risk to a greater number of people's privacy when Google Home is used in a public place, office space, or classroom than when it's used in a private home.

Google Home has a "face" (sort of) with its companion iOS or Google Play “Home” and Google Assistant mobile app. That means Google Home can display images to children and students on a mobile device through the digital screen or through a Google Chromecast-enabled device on a television screen.

Tip: Information visually displayed to users may contain personal or sensitive information and be visible to others. This is a risk to a greater number of people's privacy when Google Home is used in a public place, office space, or classroom than when it's used in a private home.

Google Home has connectivity with 802.11n Wi-Fi. That means Google Home can send and receive information it has collected or processed.

Tip: Wi-Fi connections on a smart device or mobile device can send collected information to the cloud for processing and must be encrypted while in transit and while stored in the cloud to remain secure.

Google Home always has energy with an electrical cord that needs to be plugged into a wall outlet at all times. That means Google Home is always listening for a “wake word” to activate and can collect and process information for an unlimited amount of time.

Tip: The longer a device is operational, the more information it can collect and process.

Google Home connects with other apps through its App Store. That means other third-party companies can collect and use personal information from Google Home for a different purpose.

Tip: Devices that allow installing third-party apps can increase the risk of malicious apps being installed that can steal sensitive personal information. Other apps may not have the same privacy and security protections as Google and may be able to collect personal data including passwords, or they can eavesdrop on users even after they think Google Home is no longer listening. In addition, many third-party apps outside the App Store can be "side-loaded" on Google Home through a service called If This Then That (IFTTT).

Security Lab Testing

The Privacy Program conducts a hands-on basic security assessment of the 10 most critical security concerns about the collection and sharing of information from a smart device, a mobile application, and the internet. Parents and educators should be aware of the following security risks for this smart device:

Data Sharing

Evaluating data sharing takes into consideration best practices of keeping personal data inside the application or smart device to help protect privacy. Connecting social media accounts could allow people to share personal information with other people and with third-party companies. In addition, installing third-party apps with a smart device could allow the collection and use of personal information for a different purpose.

 

| | Social Media Accounts | Third-Party App Store |
| --- | --- | --- |
| App | Yes | Yes |
| Device | Yes | Yes |
| Method | IFTTT | Google Actions, IFTTT |

Device Safety

Evaluating device safety takes into consideration best practices of using privacy protections by default and limiting potential interactions with others. It’s better to start with the maximum privacy that the app or device can provide, and then give users the choice to change the settings. In addition, users talking to other people through the app or device might permit sharing personal information with strangers.

 

| | Privacy-Protecting Default Controls | Social Interactions |
| --- | --- | --- |
| App | Yes | Yes |
| Device | Yes | Yes |
| Method | Opt-in | Phone calls |

Account Protection

Evaluating account protection takes into consideration best practices of using strong passwords and providing accounts for children with parental controls. Strong passwords can help prevent unwanted access to personal information. Children under age 13 may not understand when they are sharing personal information, so they should be required to create special accounts with more protection under the law. Lastly, parents can help children under the age of 13 use a device or app with digital well-being protections in mind by using parental controls.

 

| | Strong Passwords | Child Age Gate | Parental Controls |
| --- | --- | --- | --- |
| App | Yes | Yes | Yes |
| Method | Google account | Google account creation | Family Link App |

Device Security

Evaluating device security takes into consideration best practices of securing personal information against unwanted use that is shared between the mobile device, smart tech, and the internet. Keeping personal information encrypted, or masked, protects information while it is on the move. In addition, advertising and tracking requests from the device or app could contain personal information about the user, including what they’re doing with the device or app.

 

| | Wi-Fi Secure | Bluetooth Secure | Ads | Tracking |
| --- | --- | --- | --- | --- |
| App | Yes | N/A | Yes | Yes |
| Device | Yes | N/A | Yes | Yes |
| Method | Encryption | N/A | Targeted | Third-party |

Software Updates

Evaluating software updates takes into consideration best practices of keeping a smart device secure with up-to-date software patches and settings. When a company improves its app or device, better privacy and security should be part of the package and should be automatically updated or easy to update.

 

| | Software updates automatic | Software updates secure |
| --- | --- | --- |
| App | Yes | Yes |
| Device | Yes | Yes |
| Method | Google Play Store | Encryption |

Privacy Evaluation

In addition to performing a hands-on basic security test, the Privacy Program also evaluates the privacy policies of each smart tech device. We can only evaluate a limited number of privacy and security features with our hands-on testing, so we also need to look at what each company's privacy policy promises it will do. Looking at the policies for a product enables us to see what the company says it will do with the personal information it collects. This allows us to create a truly comprehensive evaluation process with a full, in-depth, 150-point inspection of the privacy policies of a product as well as a basic hands-on security test of its practices. 

Google Assistant

Summary:

Google Home is a smart speaker device that integrates Google's virtual assistant, which provides customized help to users across all their devices, such as Google Home, their mobile phone, and more. With the Google Home app, users can set up, manage, and control their Google Home and Chromecast devices, plus thousands of connected home products like lights, cameras, thermostats, and more.

The Google Assistant app provides another way to launch Google Assistant if it's not already available on a mobile device. Google Assistant can be accessed through its website and is available for download at the iOS App Store and the Google Play Store. Google Home can be accessed through its website and is available for download at the iOS App Store and the Google Play Store. The Privacy Policy and Terms of Service used for this evaluation can be found on Google’s website, the iOS App Store, and the Google Play Store.

Google Family Link for parents is an app that lets parents or guardians create a Google account for their child that's like a parent's account, with access to most Google services like Google Assistant. Family Link can be accessed through its website and is available for download at the iOS App Store and the Google Play Store. The Privacy Notice for Google Accounts Managed with Family Link for Children under 13 and the Family Link Disclosure for Children under 13 provide more information about the application's features. The Privacy Notice and the Google Privacy Policy both explain Google's privacy practices for a child’s Google account. To the extent there are terms that conflict, such as with respect to limitations on personalized advertising for children, the Privacy Notice takes precedence for those users. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Privacy Key Findings

Parents and educators should be aware of the following privacy risks for Google Home. The following privacy ratings and evaluation scores are from our privacy evaluations of the policies of Google Home. This product is available on mobile devices and integrated into smart speakers used at home, in businesses, and inside classrooms.

Rating Criteria

The following table illustrates better, worse, and unclear practices with our privacy rating questions. These worse practices can put consumers’ privacy at risk with the use of personal information for third-party marketing, advertising, tracking, or ad-profiling purposes. The color blue means the product's policies disclose better practices, red means they disclose worse practices, and orange means they are unclear as to whether or not the vendor engages in the practice. 

| Overall Score (100) | Sell Data | Third-Party Marketing | Behavioral Ads | Third-Party Tracking | Track Users | Ad Profile |
| --- | --- | --- | --- | --- | --- | --- |
| 75 | No | Yes | Yes | Yes | Yes | Yes |

Concern Scores

In addition to each product's overall score, the more detailed concern category scores in the chart below can help explain a product's rating. They can also help you make an informed decision about whether and how to use the product at home, at your company, or in the classroom, based on your privacy concerns in the following categories.

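| Overall Score (100) | Data Collection | Data Sharing | Data Security | Data Rights | Data Sold | Data Safety | Ads & Tracking | Parental Consent | School Purpose |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 75 | 65 | 90 | 95 | 95 | 50 | 60 | 60 | 80 | 0 |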

If you would like to see how the Google Home compares to other popular smart speakers, read our article comparing the Privacy Practices of the Most Popular Smart Speakers with Virtual Assistants.