The Google Home Mini fits most of the features of the tech giant’s popular Home smart speakers into a $50, four-inch-wide package, except for the larger, $130 version’s better acoustics. But it is still very, very good at listening.
As many as 4,000 Google Home Minis handed out at Made By Google press and pop-up events could have a flaw making them capture virtually all audio around them before uploading the recordings to Google servers, Android Police reported on Tuesday.
According to Android Police’s Artem Russakovskii, he received a demo unit at an October 4th tech press event and installed the device in his bathroom. Two days later on October 6th, he noticed that the Mini was activating repeatedly while he was trying to watch TV. Upon further investigation of his Google account’s My Activity portal, Russakovskii realized the device had transmitted thousands of audio recordings to the company without his knowledge, all of which were available for playback.
That’s a big problem, since smart speakers should never record audio without a specific prompt from the user (“OK Google,” “Alexa,” etc.). Tech companies sucking up large quantities of data indiscriminately without explicit user consent—especially in the intimate environment of one’s home—is one of the primary fears of privacy advocates skeptical smart speakers won’t be abused.
Russakovskii contacted Google PR, which immediately began investigating the issue. The culprit, it seemed, was the device’s touch panel, designed to allow his Home Mini to activate Google Assistant without a verbal command; due to a fault, the device constantly experienced “phantom” touch events that turned the assistant on and began recording.
As a result, virtually everything happening near the Home Mini was recorded. Google responded by issuing a patch that disabled the touch panel’s functionality. While Google distributed up to 4,000 Home Minis at the pre-release events, it’s not clear whether all of them are impacted, and it told Russakovskii other pre-order units for the general retail market were not affected by the bug.
The 4,000 number is likely high. Ars Technica reported their Home Mini’s touch panel functionality was disabled by the patch, but it had “never went crazy and started recording at random.”
This little incident just about sums up smart speakers’ potential as a 1984-esque surveillance wet dream. In 2016, the FBI declined to tell Paleofuture whether it had ever wiretapped an Amazon Echo, and in March 2017, Amazon handed over Echo recordings potentially relevant to a murder investigation.
Gizmodo has reached out to Google for more information about the bug, and we’ll update if we hear back.