Even though Google officially killed remote control functionality for early Nest Learning Thermostats last month, the company is still quietly harvesting streams of personal data from these abandoned devices. Security researcher Cody Kociemba discovered that first and second-generation thermostats continue beaming temperature changes, occupancy detection, ambient light readings, and motion data straight to Google's servers - despite users losing all smart features.
Google just got caught with its hand in the smart home cookie jar. The tech giant officially pulled the plug on remote control features for early Nest Learning Thermostats last month, but it apparently forgot to mention one crucial detail - the data vacuum is still running at full blast.
Security researcher Cody Kociemba stumbled onto this digital privacy nightmare while participating in an unusual bounty program. FULU, a right-to-repair advocacy group cofounded by electronics repair guru Louis Rossmann, challenged developers to breathe life back into Google's abandoned smart thermostats. The $14,772 prize seemed straightforward enough - restore functionality to devices Google had essentially bricked.
But when Kociemba started building his open-source "No Longer Evil" project by cloning Google's API, something unexpected happened. Customer device logs started flooding in. Lots of them. "On these devices, while they [Google] turned off access to remotely control them, they did leave in the ability for the devices to upload logs. And the logs are pretty extensive," Kociemba told The Verge.
The scope of data collection is staggering for devices users can no longer actually control. These supposedly "downgraded" thermostats are still transmitting manual temperature adjustments, whether someone's physically present in the room, if sunlight is hitting the device, plus comprehensive sensor readings covering temperature, humidity, ambient light levels, and motion detection. It's a one-way data highway flowing straight to Mountain View.
What makes this particularly galling is that Google can't even use this information to help customers anymore. The company cut off all support channels when it discontinued the devices. "Although these logs can contain technical details such as HVAC error states, Google can no longer use that information to assist the customers who still depend on these thermostats, since support has been fully discontinued, even in cases of device failure," Kociemba explained.
Google's official support documentation acknowledges that unsupported devices "will continue to report logs for issue diagnostics," but the company frames this as somehow beneficial. The reality is messier - Google is collecting intimate details about people's daily routines from devices it no longer supports, updates, or secures.
The discontinuation affected first and second-generation Nest Learning Thermostats from 2011-2012, plus the European version from 2014. When Google flipped the kill switch, users lost the ability to check device status through the Nest or Google Home apps, receive security patches, or control their thermostats remotely. But the data pipeline? That stayed wide open.
"I was under the impression that the Google connection would be severed along with the remote functionality, however that connection is not severed, and instead is a one-way street," Kociemba said. The researcher responsibly shut down the log collection once he realized what was happening, but the discovery raises serious questions about Google's data practices with legacy hardware.
This isn't just about old thermostats - it's a preview of what happens when tech companies abandon the smart home devices they convinced millions of people to install. As the Internet of Things matures, we're seeing the first wave of planned obsolescence hitting connected home devices. Google's approach suggests companies view discontinued hardware as passive data collection points rather than customer property.
The timing couldn't be worse for Google's smart home ambitions. The company is pushing hard into AI-powered home automation while simultaneously demonstrating how it handles devices it no longer wants to support. The Verge reached out to Google for comment but received no response.
FULU ended up awarding the full bounty to Kociemba and another developer called Team Dinosaur for successfully restoring smart functionality to the abandoned thermostats. But their victory is bittersweet - it shouldn't take a bounty program and reverse engineering to give consumers control over devices they own.
Google's continued data collection from discontinued Nest thermostats reveals how tech giants treat abandoned smart home devices as ongoing surveillance assets rather than customer property. This case sets a troubling precedent as the first generation of connected home devices reaches end-of-life - companies may cut support and security updates while maintaining data pipelines. For consumers, it's a stark reminder that "smart" devices often serve their manufacturers' interests long after they stop serving yours.
