If you use Nest’s home automation products, you can have them automatically detect when you’re home or away. If you are out, your Nest Thermostat can automatically turn down your heat to save you money while you’re out, your Nest Cam can start monitoring your house for movement when you’re not there, and your Nest Protect smoke detector can test its alarm when nobody’s home to be disturbed by it.
But that means users need to trust the Alphabet company’s cloud platform with what almost anyone would agree is some very sensitive data: There’s a reason a 2010 website that collected public social media check-ins away from home was called Please Rob Me.
That’s part of the reason why, Nest officials say, the company takes security and privacy into account from the instant new features begin to be designed.
“We start by defining the security requirements in that product at the same time that we’re defining the value proposition for the customer in that product,” says Jim Alkove, Nest’s vice president for security and privacy.
At the same time the company’s product teams are considering the use cases for a feature, and what customer problems it will be able to solve with that feature, they’re also considering how to make that feature secure and how to make sure customers know they can trust it, affirms Greg Hu, a group product manager for the Nest Platform and Works With Nest third-party product integration program. Nest surveys and talks with customers to make sure they understand and feel they can rely on the safeguards the company is building.
“When we design the feature, we want to make sure there’s a level of transparency to the customer, so they understand there’s control and their data is secured in the right way,” he says.
For instance, the company recently rolled out a new Family Accounts feature, which lets people who share a home with others allow different control levels of their Nest devices across each of their household’s smartphones. Nest makes sure to notify family members when someone is added to or removed from the group.
And when other companies build products that connect to Nest through the Works with Nest program, they are required to explain why they’re seeking access to certain types of data, Hu says. “They understand how we’re sharing the data,” he says of consumers. “They can make the decision, do I want to authorize that handshake between the two companies?”
Customers nowadays are used to the idea of authorizing apps to access particular data from accounts or devices but expect to have some explanation of why that level of permission is necessary, he says.
The company also sometimes limits the interfaces that can be used to control individual devices: For instance, users of an upcoming Nest-enabled Yale lock will be able to unlock their doors through a smartphone app, but not through a web interface, Hu says. Mobile phones, which are generally tied to one user, seemed like a more natural virtual key than web login credentials, which could be more easily shared, he explains.
Hu also worked on developing Nest’s recent Home/Away Assist feature, which pulls in users’ smartphone location data to get a more accurate sense of when users are home or away than could be gathered just from data from infrared motion sensors on Nest devices.
The platform monitors when each smartphone linked to a Nest home installation enters and leaves the residence, and uses machine learning techniques and knowledge of your past behavior—Hu declined to go into much detail about the algorithms involved—to flip the devices into “away” mode when you leave for work but not, say, when you’re out for a quick walk with your dog.
“Context in this particular case is important, because the time of the day matters,” he says. “If you pass the geofence in the middle of the night, it’s very different than if you have a pattern where you go to work Monday to Friday, and we can understand you’re driving to work and you won’t be home for a few hours.”
That “geofence” is a virtual border created in iOS or Android; the operating system can notify Nest’s apps when users pass in and out of the immediate vicinity of their homes. Using that feature means that the apps and Nest’s cloud servers don’t have to keep a record of their customers’ complete locations–Nest only needs to understand when they enter and leave the geofence.
“All we’re going to do is establish a boundary, and track the events in which somebody crosses the geofence,” Hu says.
That’s the kind of detail the company generally considers early in the design process for a new feature, Hu says. Members of Alkove’s security team work alongside engineers and designers from feature inception through testing.
“We have members of my team that are security experts and members that are privacy experts, and those members of my team are part of the product engineering process starting with concept,” Alkove says. “From that point, there are people from the security and privacy organization that are part of the initial concept of the product, they’re part of the design of the product, they’re part of the implementation and the review of implementation.”
Alkove says the company doesn’t disclose how many employees are focused on security, but he says they’re generally focused on four key areas: building low-level, security-focused tools like identity management functionality; setting security policy; handling security operations like monitoring for intrusion; and keeping up to date with server patches and participating in design and testing.
And while the security personnel all technically report to Alkove, on a day-to-day basis they’re working alongside Nest’s other technical employees, he says.
“Nest is a very cross-functional organization,” he says. “It’s a very short distance from where the person doing security operations sits to where the person operating the system is.”
The company generally uses industry-standard security tools and protocols like SSL—“We don’t believe in rolling your own crypto as part of these devices,” says Alkove—with an emphasis on blocking unauthorized access to user information as it’s in transit between Nest’s devices, apps, and servers, and while it’s in the cloud.
“I think the principle is that we need to design security and privacy into our products from the beginning, and our number one is priority is protecting our customers’ data,” he says. That means data is encrypted as it travels between Nest hardware, that personally identifiable information is kept encrypted in Nest’s cloud systems, and regular security reviews and penetration tests are run against those servers to ensure they’re protected from hackers’ prying eyes.
Nest, which was acquired by Google in 2014 and is now technically a sister company within Alphabet, takes advantage of the larger company’s resources and expertise—for instance, Google has its own dedicated cryptographers on staff, something that just wouldn’t make sense at Nest’s smaller scale. Nest engineering teams request reviews from Google’s security experts through the same corporate channels as Google itself, Alkove says.
And once products are released, the company offers rewards to researchers or other users who report security holes through Google’s bug bounty program. Alkove won’t go into detail about the bounties the company has handed out. (In one case that was made public, Princeton University researchers discovered Nest thermostats were transmitting users’ zip codes without encryption; Alkove claims the company was already in the process of fixing the issue when the report was made).
Of course, home automation still a young field, and there aren’t that many formal industry standards about how data should be secured and what security processes should look like, says Alkove, who previously managed Windows security for Microsoft. But as Nest increasingly works with industry partners in the more-regulated insurance and utility sectors–the company recently said more than 30% of U.S. homes have access to Nest thermostat incentive programs through utility companies–it needs to assure them that customer data will be safe. That’s particularly true when they might share data with Nest for initiatives like Rush Hour Rewards, which offers customers incentives for allowing their thermostats to save power during energy demand peaks. Like consumers themselves, industry partners want to know that the data they share with Nest will be kept safe, and handled in well-defined, secure ways.
“I think the industries are still working hard to figure out what the standards should be, but many of these companies are regulated and they themselves have standards they need to adhere to for customer data,” he says. Part of Alkove’s role, he says, is bringing the “scale and formality” of a big-company security operation to Nest, though he underscores that the company was already security-focused long before his arrival late last year.
In some cases, Nest adjusts its own security models based on shifting user expectations. For example, its devices weren’t traditionally designed to be secure against physical tampering, but the next generation of Nest thermostats will have enhanced secure startup protections, making it significantly harder to load unauthorized code onto the devices even with physical access, he says.
“We are starting down that path of adding more device-side resistance,” Alkove says. This is happening partially in response to customers becoming used to smartphone security measures and Nest’s desire to make sure sensitive data is handled in ways customers know are secure and unsurprising.
Just as on many smartphones, the latest generation of Nest thermostats will only load firmware code that’s been digitally signed by the company, so even with access to the devices it would be difficult to install malware on them.
“Security and privacy’s really important to us, because the home is a really sacred place to our customers, and we’ve always understood that,” says Hu. “That’s always been one of our key principles at Nest.”